From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----------------------------------------------------------------------
Debian Security Advisory DSA-2003-1
[email protected] http://www.debian.org/security/ Dann Frazier
February 22, 2010
http://www.debian.org/security/faq
- ----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2009-3080 CVE-2009-3726 CVE-2009-4005 CVE-2009-4020
CVE-2009-4021 CVE-2009-4536 CVE-2010-0007 CVE-2010-0410
CVE-2010-0415 CVE-2010-0622
NOTE: This kernel update marks the final planned kernel security
update for the 2.6.18 kernel in the Debian release 'etch'.
Although security support for 'etch' officially ended on
Feburary 15th, 2010, this update was already in preparation
before that date. A final update that includes fixes for these
issues in the 2.6.24 kernel is also in preparation and will be
released shortly.
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2009-3080
Dave Jones reported an issue in the gdth SCSI driver. A missing
check for negative offsets in an ioctl call could be exploited by
local users to create a denial of service or potentially gain
elevated privileges.
CVE-2009-3726
Trond Myklebust reported an issue where a malicious NFS server
could cause a denial of service condition on its clients by
returning incorrect attributes during an open call.
CVE-2009-4005
Roel Kluin discovered an issue in the hfc_usb driver, an ISDN
driver for Colognechip HFC-S USB chip. A potential read overflow
exists which may allow remote users to cause a denial of service
condition (oops).
CVE-2009-4020
Amerigo Wang discovered an issue in the HFS filesystem that would
allow a denial of service by a local user who has sufficient
privileges to mount a specially crafted filesystem.
CVE-2009-4021
Anana V. Avati discovered an issue in the fuse subsystem. If the
system is sufficiently low on memory, a local user can cause the
kernel to dereference an invalid pointer resulting in a denial of
service (oops) and potentially an escalation of privileges.
CVE-2009-4536
Fabian Yamaguchi reported an issue in the e1000 driver for Intel
gigabit network adapters which allow remote users to bypass packet
filters using specially crafted ethernet frames.
CVE-2010-0007
Florian Westphal reported a lack of capability checking in the
ebtables netfilter subsystem. If the ebtables module is loaded,
local users can add and modify ebtables rules.
CVE-2010-0410
Sebastian Krahmer discovered an issue in the netlink connector
subsystem that permits local users to allocate large amounts of
system memory resulting in a denial of service (out of memory).
CVE-2010-0415
Ramon de Carvalho Valle discovered an issue in the sys_move_pages
interface, limited to amd64, ia64 and powerpc64 flavors in Debian.
Local users can exploit this issue to cause a denial of service
(system crash) or gain access to sensitive kernel memory.
CVE-2010-0622
Jermome Marchand reported an issue in the futex subsystem that
allows a local user to force an invalid futex state which results
in a denial of service (oops).
This update also fixes a regression introduced by a previous security
update that caused problems booting on certain s390 systems.
For the oldstable distribution (etch), this problem has been fixed in
version 2.6.18.dfsg.1-26etch2.
We recommend that you upgrade your linux-2.6, fai-kernels, and
user-mode-linux packages.
The following matrix lists additional source packages that were rebuilt for compatability with or to take advantage of this update:
Debian 4.0 (etch)
fai-kernels 1.17+etch.26etch2
user-mode-linux 2.6.18-1um-2etch.26etch2
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1.orig.tar.gz
Size/MD5 checksum: 52225460 6a1ab0948d6b5b453ea0fce0fcc29060
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-26etch2.diff.gz
Size/MD5 checksum: 5524814 7d130709d4e511e7e4656da2451f1f87
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-26etch2.dsc
Size/MD5 checksum: 5673 571c1ffbdbfe1681087e1298fdfca95d
Architecture independent packages:
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6.18_2.6.18.dfsg.1-26etch2_all.deb
Size/MD5 checksum: 3593424 693c92052b3593129ff2eaab0b4e1e30
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2.6.18_2.6.18.dfsg.1-26etch2_all.deb
Size/MD5 checksum: 59218 c88b14065b28f990826bee042ad7d815
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.18-6_2.6.18.dfsg.1-26etch2_all.deb
Size/MD5 checksum: 3721138 b3c6b7e7cd57832097fbb8623dea8e74
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-debian-2.6.18_2.6.18.dfsg.1-26etch2_all.deb
Size/MD5 checksum: 1867420 4bba6a0ecce93a9ed767e1eac85c9b22
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)