> Date: Mon, 26 Mar 2012 18:35:57 -0600
> From: dannf@debian.org
> To: debian-security-announce@lists.debian.org
> Subject: [SECURITY] [DSA 2443-1] linux-2.6 security update
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----------------------------------------------------------------------
> Debian Security Advisory DSA-2443-1                security@debian.org
> http://www.debian.org/security/                           Dann Frazier
> March 26, 2012                      http://www.debian.org/security/faq
> - ----------------------------------------------------------------------
>
> Package        : linux-2.6
> Vulnerability  : privilege escalation/denial of service
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2009-4307 CVE-2011-1833 CVE-2011-4347 CVE-2012-0045
>                  CVE-2012-1090 CVE-2012-1097
>
> Several vulnerabilities have been discovered in the Linux kernel that may lead
> to a denial of service or privilege escalation. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CVE-2009-4307
>
>     Nageswara R Sastry reported an issue in the ext4 filesystem. Local users
>     with the privileges to mount a filesystem can cause a denial of service
>     (BUG) by providing a s_log_groups_per_flex value greater than 31.
>
> CVE-2011-1833
>
>     Vasiliy Kulikov of Openwall and Dan Rosenberg discovered an information
>     leak in the eCryptfs filesystem. Local users were able to mount arbitrary
>     directories.
>
> CVE-2011-4347
>
>     Sasha Levin reported an issue in the device assignment functionality in
>     KVM. Local users with permission to access /dev/kvm could assign unused pci
>     devices to a guest and cause a denial of service (crash).
>
> CVE-2012-0045
>
>     Stephan Barwolf reported an issue in KVM. Local users in a 32-bit guest
>     running on a 64-bit system can crash the guest with a syscall instruction.
>
> CVE-2012-1090
>
>     CAI Qian reported an issue in the CIFS filesystem. A reference count leak
>     can occur during the lookup of special files, resulting in a denial of
>     service (oops) on umount.
>
> CVE-2012-1097
>
>     H. Peter Anvin reported an issue in the regset infrastructure. Local users
>     can cause a denial of service (NULL pointer dereference) by triggering the
>     write methods of readonly regsets.
>
> For the stable distribution (squeeze), this problem has been fixed in version
> 2.6.32-41squeeze2.
>
> The following matrix lists additional source packages that were rebuilt for
> compatibility with or to take advantage of this update:
>
>                                              Debian 6.0 (squeeze)
>      user-mode-linux                         2.6.32-1um-4+41squeeze2
>
> We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
>
> Thanks to Micah Anderson for proof reading this text.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
>
> Archive: http://lists.debian.org/20120327003557.GA15792@dannf.org
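
For hosts that mount filesystem images supplied by users, the CVE-2009-4307 condition can be screened for before the image reaches the kernel. The following is an added example, not part of the advisory or of Debian's tooling: it reads the primary ext superblock and flags an `s_log_groups_per_flex` value greater than 31. The function names and the sample builder are assumptions made for illustration; the field offsets follow the standard ext4 on-disk superblock layout.

```python
import struct
import sys

SUPERBLOCK_OFFSET = 1024          # primary superblock starts 1 KiB into the device
SUPERBLOCK_SIZE = 1024
MAGIC_OFF = 0x38                  # s_magic, little-endian u16
EXT_MAGIC = 0xEF53
LOG_GROUPS_PER_FLEX_OFF = 0x174   # s_log_groups_per_flex, single byte
MAX_LOG_GROUPS_PER_FLEX = 31      # limit named in CVE-2009-4307


def check_superblock(sb: bytes) -> str:
    """Classify a raw superblock as 'not-ext', 'ok' or 'reject'."""
    if len(sb) <= LOG_GROUPS_PER_FLEX_OFF:
        return "not-ext"          # too short to hold the field
    (magic,) = struct.unpack_from("<H", sb, MAGIC_OFF)
    if magic != EXT_MAGIC:
        return "not-ext"
    if sb[LOG_GROUPS_PER_FLEX_OFF] > MAX_LOG_GROUPS_PER_FLEX:
        return "reject"           # value the advisory says triggers the BUG
    return "ok"


def check_image(path: str) -> str:
    """Read the primary superblock from an image file and classify it."""
    with open(path, "rb") as f:
        f.seek(SUPERBLOCK_OFFSET)
        return check_superblock(f.read(SUPERBLOCK_SIZE))


def make_sample(log_groups_per_flex: int) -> bytes:
    """Constructed test input: a zeroed superblock with only the two fields set."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<H", sb, MAGIC_OFF, EXT_MAGIC)
    sb[LOG_GROUPS_PER_FLEX_OFF] = log_groups_per_flex
    return bytes(sb)


if __name__ == "__main__":
    # Usage: python check_flex.py image1.img image2.img ...
    for image in sys.argv[1:]:
        print(f"{image}: {check_image(image)}")
```

This only screens images before mounting; the fix for the kernel itself is the upgrade to 2.6.32-41squeeze2 named in the advisory.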