[continued from previous message]

device range can cause a denial of service or possibly gain elevated
privileges.

CVE-2011-1182

Julien Tinnes reported an issue in the rt_sigqueueinfo interface. Local
users can generate signals with falsified source pid and uid information.

CVE-2011-1477

Dan Rosenberg reported issues in the Open Sound System driver for cards that
include a Yamaha FM synthesizer chip. Local users can cause memory
corruption resulting in a denial of service. This issue does not affect
official Debian Linux image packages as they no longer provide support for
OSS. However, custom kernels built from Debians linux-source-2.6.32 may
have enabled this configuration and would therefore be vulnerable.

CVE-2011-1493

Dan Rosenburg reported two issues in the Linux implementation of the
Amateur Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of
service by providing specially crafted facilities fields.

CVE-2011-1577

Timo Warns reported an issue in the Linux support for GPT partition tables.
Local users with physical access could cause a denial of service (Oops)
by adding a storage device with a malicious partition table header.

CVE-2011-1593

Robert Swiecki reported a signednes issue in the next_pidmap() function,
which can be exploited my local users to cause a denial of service.

CVE-2011-1598

Dave Jones reported an issue in the Broadcast Manager Controller Area
Network (CAN/BCM) protocol that may allow local users to cause a NULL
pointer dereference, resulting in a denial of service.

CVE-2011-1745

Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
Local users can obtain elevated privileges or cause a denial of service due
to missing bounds checking in the AGPIOC_BIND ioctl. On default Debian
installations, this is exploitable only by users in the video group.

CVE-2011-1746

Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
Local users can obtain elevated privileges or cause a denial of service
due to missing bounds checking in the agp_allocate_memory and
agp_create_user_memory. On default Debian installations, this is
exploitable only by users in the video group.

CVE-2011-1748

Oliver Kartkopp reported an issue in the Controller Area Network (CAN) raw
socket implementation which permits ocal users to cause a NULL pointer
dereference, resulting in a denial of service.

CVE-2011-1759

Dan Rosenberg reported an issue in the support for executing "old ABI"
binaries on ARM processors. Local users can obtain elevated privileges due
to insufficient bounds checking in the semtimedop system call.

CVE-2011-1767

Alexecy Dobriyan reported an issue in the GRE over IP implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.

CVE-2011-1768

Alexecy Dobriyan reported an issue in the IP tunnels implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.

CVE-2011-1776

Timo Warns reported an issue in the Linux implementation for GUID
partitions. Users with physical access can gain access to sensitive kernel
memory by adding a storage device with a specially crafted corrupted
invalid partition table.

CVE-2011-2022

Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
Local users can obtain elevated privileges or cause a denial of service due
to missing bounds checking in the AGPIOC_UNBIND ioctl. On default Debian
installations, this is exploitable only by users in the video group.

CVE-2011-2182

Ben Hutchings reported an issue with the fix for CVE-2011-1017 (see above)
that made it insufficient to resolve the issue.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.26-26lenny3. Updates for arm and hppa are not yet available,
but will be released as soon as possible.

The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:

Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+26lenny3

We recommend that you upgrade your linux-2.6 and user-mode-linux packages. These updates will not become active until after your system is rebooted.

Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or "leap-frog" fashion.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJN/Uv8AAoJEBv4PF5U/IZAp7QQAJmbSplvSgno69C0IFRzRgGI FS3B6uq5zNcvucQ4O2u5Zj/rPRef/M2Lxj4Vx/9FQ+4SlV/Ryazu3iknLL2iyc8a 3zZBbo6S/OvhK0Prfd88ItCxXviYJchY91qp7Pm5TOkE1rM43XLhDAi1T1W507tY 2rgqUfWkmN0Xq4Ykh3uySsIH6VkLqC5Ay7n5jXapdf3wJkyl1pg/iu0ndTnHaRTC ByQehIMbj4OOivOcy06lS89Aro+KkgPRaA0lp5enegxUZTs5S5AIo7h6v9U078xr bcUcfrOsiTpVuTRND1L7kQQhPjmIv+UlzFjYuGPbHQxfZRVnVIlB4Ny3jIyN1aBx DMqxGR+novsYIuXAZWlsF17UYQXW5CFe+7aeS06bdaWWemJGkV0Mkfb72fwa3uLz sXlLp6fju2N5RQW7WVfjx89X7SAjKmYwQnCMbo0mwdRfujBNgbkm2xCrDy+QIE23 5BnAY18kXpqaRbXPJB0sy8V99Wnl1ZSRRzX0kOZVecrhKAoCUGPJS2X+bDEtIzhB OWzxcC7P94hega5JYzteSZcyBkGRUj4604NCzD38OdPqqWvR3oWtwDRAKIR7gZ/L PRoDZucqfYV+BhXy/ib55qTo/va5gjmnlUFMP2G/TVQk9XQ/q8TxxefmnQc+Qy3A P/Hlaop/HijmZLuNpJB4
=dXCB
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)