• Re: [SECURITY] [DSA 2668-1] linux-2.6 security update (1/3)

    From Jon Marshall@1:229/2 to Jon Marshall on Tue May 14 22:40:01 2013
    XPost: linux.debian.security
    From: [email protected]

    Apologies, hit the wrong reply to! Please ignore and thanks for all the good work.

    On Tue, May 14, 2013 at 09:15:48PM +0100, Jon Marshall wrote:
    Saw this earlier, apparently there is a serious issue that affects all of the kernels up to 3.8.

    Will do a security thing tomorrow, if I get a chance, but it has been a while since we've had a look at it, my fault.

    Will update once I've reviewed.

    On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ----------------------------------------------------------------------
    Debian Security Advisory DSA-2668-1                [email protected]
    http://www.debian.org/security/                           Dann Frazier
    May 14, 2013                        http://www.debian.org/security/faq
    - ----------------------------------------------------------------------

    Package : linux-2.6
    Vulnerability : privilege escalation/denial of service/information leak
    Problem type : local/remote
    Debian-specific: no
    CVE Id(s) : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
    CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
    CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
    CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
    CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
    CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
    CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
    CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
    CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235

    Several vulnerabilities have been discovered in the Linux kernel that may lead
    to a denial of service, information leak or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following problems:

    CVE-2012-2121

    Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU
    mapping of memory slots used in KVM device assignment. Local users with
    the ability to assign devices could cause a denial of service due to a
    memory page leak.

    CVE-2012-3552

    Hafid Lin reported an issue in the IP networking subsystem. A remote user
    can cause a denial of service (system crash) on servers running
    applications that set options on sockets which are actively being
    processed.

    CVE-2012-4461

    Jon Howell reported a denial of service issue in the KVM subsystem.
    On systems that do not support the XSAVE feature, local users with
    access to the /dev/kvm interface can cause a system crash.

    CVE-2012-4508

    Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4
    filesystem. Local users could gain access to sensitive kernel memory.

    CVE-2012-6537

    Mathias Krause discovered information leak issues in the Transformation
    user configuration interface. Local users with the CAP_NET_ADMIN capability
    can gain access to sensitive kernel memory.

    CVE-2012-6539

    Mathias Krause discovered an issue in the networking subsystem. Local
    users on 64-bit systems can gain access to sensitive kernel memory.

    CVE-2012-6540

    Mathias Krause discovered an issue in the Linux virtual server subsystem.
    Local users can gain access to sensitive kernel memory. Note: this issue
    does not affect Debian provided kernels, but may affect custom kernels
    built from Debian's linux-source-2.6.32 package.

    CVE-2012-6542

    Mathias Krause discovered an issue in the LLC protocol support code.
    Local users can gain access to sensitive kernel memory.

    CVE-2012-6544

    Mathias Krause discovered issues in the Bluetooth subsystem.
    Local users can gain access to sensitive kernel memory.

    CVE-2012-6545

    Mathias Krause discovered issues in the Bluetooth RFCOMM protocol
    support. Local users can gain access to sensitive kernel memory.

    CVE-2012-6546

    Mathias Krause discovered issues in the ATM networking support. Local
    users can gain access to sensitive kernel memory.

    CVE-2012-6548

    Mathias Krause discovered an issue in the UDF file system support.
    Local users can obtain access to sensitive kernel memory.

    CVE-2012-6549

    Mathias Krause discovered an issue in the isofs file system support.
    Local users can obtain access to sensitive kernel memory.

    CVE-2013-0349

    Anderson Lizardo discovered an issue in the Bluetooth Human Interface
    Device Protocol (HIDP) stack. Local users can obtain access to sensitive
    kernel memory.

    CVE-2013-0914


    [continued in next message]
