Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-103-1 linux-2.6

Debian Security Advisory

DLA-103-1 linux-2.6 -- LTS security update

Date Reported:

09 Dec 2014

Affected Packages:

linux-2.6

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-6657, CVE-2013-0228, CVE-2013-7266, CVE-2014-4157, CVE-2014-4508, CVE-2014-4653, CVE-2014-4654, CVE-2014-4655, CVE-2014-4943, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472.

More information:

This security upload has been prepared in cooperation of the Debian Kernel, Security and LTS Teams and features the upstream stable release 2.6.32.64 (see https://lkml.org/lkml/2014/11/23/181 for more information for that). It fixes the CVEs described below.

Note: if you are using the openvz flavors, please consider three things: a.) we haven't got any feedback on them (while we have for all other flavors) b.) so do your test before deploying them and c.) once you have done so, please give feedback to debian-lts@lists.debian.org.

If you are not using openvz flavors, please still consider b+c :-)

• CVE-2012-6657

  Fix the sock_setsockopt function to prevent local users from being able to cause a denial of service (system crash) attack.

• CVE-2013-0228

  Fix a XEN priviledge escalation, which allowed guest OS users to gain guest OS priviledges.

• CVE-2013-7266

  Fix the mISDN_sock_recvmsg function to prevent local users from obtaining sensitive information from kernel memory.

• CVE-2014-4157

  MIPS platform: prevent local users from bypassing intended PR_SET_SECCOMP restrictions.

• CVE-2014-4508

  Prevent local users from causing a denial of service (OOPS and system crash) when syscall auditing is enabled .

• CVE-2014-4653

  CVE-2014-4654 CVE-2014-4655

  Fix the ALSA control implementation to prevent local users from causing a denial of service attack and from obtaining sensitive information from kernel memory.

• CVE-2014-4943

  Fix PPPoL2TP feature to prevent local users to from gaining privileges.

• CVE-2014-5077

  Prevent remote attackers from causing a denial of service attack involving SCTP.

• CVE-2014-5471

  CVE-2014-5472

  Fix the parse_rock_ridge_inode_internal function to prevent local users from causing a denial of service attack via a crafted iso9660 images.

• CVE-2014-9090

  Fix the do_double_fault function to prevent local users from causing a denial of service (panic) attack.

For Debian 6 Squeeze, these issues have been fixed in linux-2.6 version 2.6.32-48squeeze9