[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 155-1] linux-2.6 security update



Package        : linux-2.6
Version        : 2.6.32-48squeeze11
CVE ID         : CVE-2013-6885 CVE-2014-7822 CVE-2014-8133 CVE-2014-8134 
                 CVE-2014-8160 CVE-2014-9420 CVE-2014-9584 CVE-2014-9585
		 CVE-2015-1421 CVE-2015-1593

This update fixes the CVEs described below.

A further issue, CVE-2014-9419, was considered, but appears to require
extensive changes with a consequent high risk of regression.  It is
now unlikely to be fixed in squeeze-lts.

CVE-2013-6885

    It was discovered that under specific circumstances, a combination
    of write operations to write-combined memory and locked CPU
    instructions may cause a core hang on AMD 16h 00h through 0Fh
    processors. A local user can use this flaw to mount a denial of
    service (system hang) via a crafted application.

    For more information please refer to the AMD CPU erratum 793 in
    http://support.amd.com/TechDocs/51810_16h_00h-0Fh_Rev_Guide.pdf

CVE-2014-7822

    It was found that the splice() system call did not validate the
    given file offset and length. A local unprivileged user can use
    this flaw to cause filesystem corruption on ext4 filesystems, or
    possibly other effects.

CVE-2014-8133

    It was found that the espfix functionality can be bypassed by
    installing a 16-bit RW data segment into GDT instead of LDT (which
    espfix checks for) and using it for stack. A local unprivileged user
    could potentially use this flaw to leak kernel stack addresses.

CVE-2014-8134

    It was found that the espfix functionality is wrongly disabled in
    a 32-bit KVM guest. A local unprivileged user could potentially
    use this flaw to leak kernel stack addresses.

CVE-2014-8160

    It was found that a netfilter (iptables or ip6tables) rule
    accepting packets to a specific SCTP, DCCP, GRE or UDPlite
    port/endpoint could result in incorrect connection tracking state.
    If only the generic connection tracking module (nf_conntrack) was
    loaded, and not the protocol-specific connection tracking module,
    this would allow access to any port/endpoint of the specified
    protocol.

CVE-2014-9420

    It was found that the ISO-9660 filesystem implementation (isofs)
    follows arbitrarily long chains, including loops, of Continuation
    Entries (CEs). This allows local users to mount a denial of
    service via a crafted disc image.

CVE-2014-9584

    It was found that the ISO-9660 filesystem implementation (isofs)
    does not validate a length value in the Extensions Reference (ER)
    System Use Field, which allows local users to obtain sensitive
    information from kernel memory via a crafted disc image.

CVE-2014-9585

    It was discovered that address randomisation for the vDSO in
    64-bit processes is extremely biassed. A local unprivileged user
    could potentially use this flaw to bypass the ASLR protection
    mechanism.

CVE-2015-1421

    It was found that the SCTP implementation could free
    authentication state while it was still in use, resulting in heap
    corruption. This could allow remote users to cause a denial of
    service or privilege escalation.

CVE-2015-1593

    It was found that address randomisation for the initial stack in
    64-bit processes was limited to 20 rather than 22 bits of entropy.
    A local unprivileged user could potentially use this flaw to
    bypass the ASLR protection mechanism.


-- 
Ben Hutchings - Debian developer, kernel team member

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: