From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
----------------------------------------------------------------------
Debian Security Advisory DSA-2053-1
[email protected] http://www.debian.org/security/ dann frazier
May 25, 2010
http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2009-4537 CVE-2010-0727 CVE-2010-1083 CVE-2010-1084
CVE-2010-1086 CVE-2010-1087 CVE-2010-1088 CVE-2010-1162
CVE-2010-1173 CVE-2010-1187 CVE-2010-1437 CVE-2010-1446
CVE-2010-1451
Debian Bug(s) : 573071
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2009-4537
Fabian Yamaguchi reported a missing check for Ethernet frames larger
than the MTU in the r8169 driver. This may allow users on the local
network to crash a system, resulting in a denial of service.
CVE-2010-0727
Sachin Prabhu reported an issue in the GFS2 filesystem. Local users
can trigger a BUG() altering the permissions on a locked file,
resulting in a denial of service.
CVE-2010-1083
Linus Torvalds reported an issue in the USB subsystem, which may allow
local users to obtain portions of sensitive kernel memory.
CVE-2010-1084
Neil Brown reported an issue in the Bluetooth subsystem that may
permit remote attackers to overwrite memory through the creation
of large numbers of sockets, resulting in a denial of service.
CVE-2010-1086
Ang Way Chuang reported an issue in the DVB subsystem for Digital
TV adapters. By creating a specially-encoded MPEG2-TS frame, a remote
attacker could cause the receiver to enter an endless loop, resulting
in a denial of service.
CVE-2010-1087
Trond Myklebust reported an issue in the NFS filesystem. A local
user may cause an oops by sending a fatal signal during a file
truncation operation, resulting in a denial of service.
CVE-2010-1088
Al Viro reported an issue where automount symlinks may not
be followed when LOOKUP_FOLLOW is not set. This has an unknown
security impact.
CVE-2010-1162
Catalin Marinas reported an issue in the tty subsystem that allows
local attackers to cause a kernel memory leak, possibly resulting
in a denial of service.
CVE-2010-1173
Chris Guo from Nokia China and Jukka Taimisto and Olli Jarva from
Codenomicon Ltd reported an issue in the SCTP subsystem that allows
a remote attacker to cause a denial of service using a malformed init
package.
CVE-2010-1187
Neil Horman reported an issue in the TIPC subsystem. Local users can
cause a denial of service by way of a NULL pointer dereference by
sending datagrams through AF_TIPC before entering network mode.
CVE-2010-1437
Toshiyuki Okajima reported a race condition in the keyring subsystem.
Local users can cause memory corruption via keyctl commands that
access a keyring in the process of being deleted, resulting in a
denial of service.
CVE-2010-1446
Wufei reported an issue with kgdb on the PowerPC architecture,
allowing local users to write to kernel memory. Note: this issue
does not affect binary kernels provided by Debian. The fix is
provided for the benefit of users who build their own kernels
from Debian source.
CVE-2010-1451
Brad Spengler reported an issue on the SPARC architecture that allows
local users to execute non-executable pages.
This update also includes a fix for a regression introduced by a previous
update. See the referenced Debian bug page for details.
For the stable distribution (lenny), these problems have been fixed in
version 2.6.26-22lenny1.
We recommend that you upgrade your linux-2.6 and user-mode-linux
packages.
The following matrix lists additional source packages that were
rebuilt for compatibility with or to take advantage of this update:

                        Debian 5.0 (lenny)
user-mode-linux         2.6.26-1um-2+22lenny1
Upgrade instructions
--------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
--------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26.orig.tar.gz
Size/MD5 checksum: 61818969 85e039c2588d5bf3cb781d1c9218bbcb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-22lenny1.dsc
Size/MD5 checksum: 5778 713b8a3f2bc10816264a81c0a9eb7860
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.26-22lenny1.diff.gz
Size/MD5 checksum: 7894925 86ecf2ca8808aea84b0af06317616a6c
Architecture independent packages:
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.26-2_2.6.26-22lenny1_all.deb
Size/MD5 checksum: 126228 be9c5c392a1ab0cf0a297063abf983f6
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual-2.6.26_2.6.26-22lenny1_all.deb
Size/MD5 checksum: 1764832 b0d63ac0b12a0679867b8b53bf4c3a54
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-debian-2.6.26_2.6.26-22lenny1_all.deb
Size/MD5 checksum: 2871892 c5c0e0d8ea193812566f9481e6ca8440
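The manual wget / dpkg -i path in the upgrade instructions above gives no step for checking that the fetched file is the one the advisory lists. The script below is an added example, not part of the Debian advisory or of the Debian tooling: it takes the URL, size and MD5 printed for the linux-support package in this advisory, verifies a downloaded file against both values, and only then hands the file to dpkg. The function names (md5_of, size_of, verify_pkg, fetch_verify_install) are this example's own. MD5 is used only because that is the digest the 2010 advisory publishes; the check proves the download matches the advisory text, nothing stronger.

```shell
#!/bin/sh
# Added example (not from DSA-2053-1): verify a downloaded .deb against the
# Size/MD5 values printed in the advisory before installing it with dpkg.

# Expected values copied from the advisory's "Architecture independent
# packages" list for one package.
PKG_URL="http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.26-2_2.6.26-22lenny1_all.deb"
PKG_SIZE=126228
PKG_MD5=be9c5c392a1ab0cf0a297063abf983f6

# md5_of FILE: print the hex MD5 digest of FILE (works with md5sum or md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# size_of FILE: print the size of FILE in bytes, without padding.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_pkg FILE SIZE MD5: return 0 only when the file exists and both the
# byte count and the digest match the advisory's values.
verify_pkg() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(size_of "$file")
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $got_size, want $want_size" >&2
        return 1
    fi
    got_md5=$(md5_of "$file")
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, want $want_md5" >&2
        return 1
    fi
    echo "verified: $file"
}

# fetch_verify_install URL SIZE MD5: the advisory's wget / dpkg -i sequence
# with the verification step in between. A file that fails the check is
# deleted and never passed to dpkg. Needs network access and root, so it is
# only run when called explicitly.
fetch_verify_install() {
    url=$1; f=${url##*/}
    wget -q "$url" || return 1
    verify_pkg "$f" "$2" "$3" || { rm -f "$f"; return 1; }
    dpkg -i "$f"
}

# Example invocation (commented out: requires network access and root):
# fetch_verify_install "$PKG_URL" "$PKG_SIZE" "$PKG_MD5"
```

Checking the size first is cheap and catches truncated downloads before the digest is computed; the digest comparison then catches a file that is the right length but different content. The same verify_pkg call works for every URL/checksum pair in the advisory's list.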
[continued in next message]