1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3372-1] linux security update

    From Ben Hutchings@1:229/2 to All on Tue Oct 13 12:00:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3372-1 [email protected] https://www.debian.org/security/ Ben Hutchings October 13, 2015 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : linux
    CVE ID : CVE-2015-2925 CVE-2015-5257 CVE-2015-5283 CVE-2015-7613

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service, unauthorised
    information disclosure or unauthorised information modification.

    CVE-2015-2925

    Jann Horn discovered that when a subdirectory of a filesystem was
    bind-mounted into a chroot or mount namespace, a user that should
    be confined to that chroot or namespace could access the whole of
    that filesystem if they had write permission on an ancestor of
    the subdirectory. This is not a common configuration for wheezy,
    and the issue has previously been fixed for jessie.

    CVE-2015-5257

    Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB
    device could cause a denial of service (crash) by imitating a
    Whiteheat USB serial device but presenting a smaller number of
    endpoints.

    CVE-2015-5283

    Marcelo Ricardo Leitner discovered that creating multiple SCTP
    sockets at the same time could cause a denial of service (crash)
    if the sctp module had not previously been loaded. This issue
    only affects jessie.

    CVE-2015-7613

    Dmitry Vyukov discovered that System V IPC objects (message queues
    and shared memory segments) were made accessible before their
    ownership and other attributes were fully initialised. If a local
    user can race against another user or service creating a new IPC
    object, this may result in unauthorised information disclosure,
    unauthorised information modification, denial of service and/or
    privilege escalation.

    A similar issue existed with System V semaphore arrays, but was
    less severe because they were always cleared before being fully
    initialised.

    For the oldstable distribution (wheezy), these problems have been fixed
    in version 3.2.68-1+deb7u5.

    For the stable distribution (jessie), these problems have been fixed in
    version 3.16.7-ckt11-1+deb8u5.

    For the unstable distribution (sid), these problems have been fixed in
    version 4.2.3-1 or earlier versions.

    We recommend that you upgrade your linux packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJWHNTSAAoJEAVMuPMTQ89E7EsP/Rm9NNOIoIh+TY4TnKwPJmKa tuGLWWOZ/yI90MR7wl9JLWSDBT0DD4fV5LKNp2p3ClV+1nMIbEEkcSOMgWyVtsHT CKjb8XvYmEm8174E1XcaEQ+ZWiQdpFwe7VABsIhVfD2G2QqXHoIiLFjjnuyiN6qw ZU/69j1nTfimoyoMyXThsAb93rWQii7/8baQ5LRVHXhipJeudq0mbAKY0GSFAXQa b6ZmFzXx9/XTLkXGl5m/XFddbEaBo5UGTx1L5GDvjgb4iaQPih8df58aV4GLNGq9 cyjZpZKSuhj2CNPK84fqUo+LlX867NdyC2e3M8uf7S9KYCWsqbl8qByiGLIebYOl yS0rXVret4Fa+9UqvuNSbp2iIx4g3vu/awUKOs9/nlz/OCBlFpQMbypeRUJi+eu5 99gDNAwZgym/77qnQKBVy2mWuDoYWn3eqg3JluwSZyDV8G+5QhEEesOcsF5U21rA 2RcTRpP6byh6m8IZQ6hDssoG0z8fuVIhwVo8yJ6P4dLf2rMbi/RNmxY6AYEFWYwW 3mTF6hwXG7J7qIMFIXy4Fuh/ea7AqYQtGfpvcnclSPd8BGESS/ySp+jMcOVQnOM/ dis38moi1fYpPAtgz2X9w3FexSy2+fMb/15xgBW0aay0isoqK5GwE1Am3Ed5LO54 Q7gz4VJxXxGKu6+N6nbg
    =Hht/
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)