[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 833-1] linux security update



Package        : linux
Version        : 3.2.84-2
CVE ID         : CVE-2014-9888 CVE-2014-9895 CVE-2016-6786 CVE-2016-6787 
                 CVE-2016-8405 CVE-2017-5549 CVE-2017-6001 CVE-2017-6074

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

CVE-2014-9888

    Russell King found that on ARM systems, memory allocated for DMA
    buffers was mapped with executable permission.  This made it
    easier to exploit other vulnerabilities in the kernel.

CVE-2014-9895

    Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media
    devices resulted in an information leak.

CVE-2016-6786 / CVE-2016-6787

    It was discovered that the performance events subsystem does not
    properly manage locks during certain migrations, allowing a local
    attacker to escalate privileges.  This can be mitigated by
    disabling unprivileged use of performance events:
    sysctl kernel.perf_event_paranoid=3

CVE-2016-8405

    Peter Pi of Trend Micro discovered that the frame buffer video
    subsystem does not properly check bounds while copying color maps to
    userspace, causing a heap buffer out-of-bounds read, leading to
    information disclosure.

CVE-2017-5549

    It was discovered that the KLSI KL5KUSB105 serial USB device
    driver could log the contents of uninitialised kernel memory,
    resulting in an information leak.

CVE-2017-6001

    Di Shen discovered a race condition between concurrent calls to
    the performance events subsystem, allowing a local attacker to
    escalate privileges. This flaw exists because of an incomplete fix
    of CVE-2016-6786.  This can be mitigated by disabling unprivileged
    use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2017-6074

    Andrey Konovalov discovered a use-after-free vulnerability in the
    DCCP networking code, which could result in denial of service or
    local privilege escalation.  On systems that do not already have
    the dccp module loaded, this can be mitigated by disabling it:
    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.84-2.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.39-1+deb8u1 or earlier.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: