Commit ca6e7cc3 authored by Joey Hess

Put together an advisory for the linux-2.6 packages. This is not a normal
DTSA since the fix reached testing on its own steam; it seemed worth making
an announcement since users need to take special actions to install the new
linux-2.6 packages and upgrade.


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@2006 e39458fd-73e7-0310-bf30-c45bca0a0e42
parent 43deb421
......@@ -4493,6 +4493,7 @@ CAN-2005-1764 [Unspecified DoS vulnerability on amd64]
CAN-2005-1763 (Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures ...)
- kernel-source-2.6.8 2.6.8-17
- kernel-source-2.6.8 2.6.8-16sarge1
TODO: check if it's fixed in linux-2.6
CAN-2005-1762 (The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 ...)
- linux-2.6 2.6.12-1 (medium)
- kernel-source-2.6.8 2.6.8-17
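Review bot: the TODO added under CAN-2005-1763 asks whether the fix reached linux-2.6, but the DTSA-16-1 advisory added in this same commit does not list CAN-2005-1763 in its cve: field, while the sibling CAN-2005-1762 is already recorded here as fixed in linux-2.6 2.6.12-1 and does appear in the advisory. Resolve the TODO before the advisory is published, otherwise the tracker and the advisory will disagree about what 2.6.12-6 fixes.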
......@@ -7961,11 +7962,13 @@ CAN-2005-0757 (The xattr file system code, as backported in Red Hat Enterprise L
- kernel-source-2.4.27 2.4.27-11
- kernel-source-2.6.8 2.6.8-17
- kernel-source-2.6.8 2.6.8-16sarge1
TODO: check if it's fixed in linux-2.6
CAN-2005-0756 (ptrace 2.6.8.1 does not properly verify addresses on the amd64 ...)
- kernel-source-2.4.27 2.4.27-11 (medium)
- kernel-source-2.6.8 2.6.8-17 (medium)
- kernel-source-2.6.8 2.6.8-16sarge1 (medium)
- kernel-source-2.6.11 2.6.11-7 (medium)
TODO: check if it's fixed in linux-2.6
CAN-2005-0755 (Heap-based buffer overflow in RealPlayer 10 and earlier, Helix Player ...)
- helix-player 1.0.4-1
CAN-2005-0754 (Kommander in KDE 3.2 through KDE 3.4.0 executes data files without ...)
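Review bot: the two TODOs added under CAN-2005-0757 and CAN-2005-0756 leave the same question open as the previous hunk, yet both CVEs are listed in the cve: field of the draft kernel-source-2.6.8 advisory later in this commit and neither is in DTSA-16-1. For CAN-2005-0756 the entry already records a fix in kernel-source-2.6.11 2.6.11-7, so confirming that the 2.6.11 fix is present in the 2.6.12 source shipped as linux-2.6 should close that TODO quickly.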
......@@ -9380,6 +9383,7 @@ CAN-2005-0449 (The netfilter/iptables module in Linux before 2.6.8.1 allows remo
NOTE: According to Herbert Xu, 2.4 is not vulnerable : http://oss.sgi.com/archives/netdev/2005-01/msg01107.html
NOTE: Seems to be stuck with the ABI bump / debian-installer problem
- kernel-source-2.6.8 (unfixed; bug #295949; high)
TODO: verify if it's fixed in linux-2.6
CAN-2005-0448 (Race condition in the rmtree function in File::Path.pm in Perl before ...)
{DSA-696-1}
- perl 5.8.4-7
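Review bot: wording: this TODO says "verify if it's fixed" while the other three added in this commit say "check if it's fixed"; use one phrasing so the open items can be grepped together. The answer also matters more here than for the other TODOs: CAN-2005-0449 is a remote netfilter issue rated high and still unfixed in kernel-source-2.6.8 (bug #295949), so if linux-2.6 2.6.12-6 carries the fix the CVE belongs in the cve: list of DTSA-16-1.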
source: linux-2.6
date: September 15, 2005
author: Joey Hess
vuln-type: several holes
problem-scope: remote
debian-specifc: no
cve: CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2617 CAN-2005-1913 CAN-2005-1761 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2004-2302 CAN-2005-1765 CAN-2005-1762 CAN-2005-1761 CAN-2005-2555
testing-fix: 2.6.12-6
sid-fix: 2.6.12-6
upgrade: apt-get install linux-image-2.6-386; reboot
Several security related problems have been found in version 2.6 of the
linux kernel. The Common Vulnerabilities and Exposures project identifies
the following problems:
CAN-2004-2302
Race condition in the sysfs_read_file and sysfs_write_file functions in
Linux kernel before 2.6.10 allows local users to read kernel memory and
cause a denial of service (crash) via large offsets in sysfs files.
CAN-2005-1761
Vulnerability in the Linux kernel allows local users to cause a
denial of service (kernel crash) via ptrace.
CAN-2005-1762
The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
platform allows local users to cause a denial of service (kernel crash) via
a "non-canonical" address.
CAN-2005-1765
syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when
running in 32-bit compatibility mode, allows local users to cause a denial
of service (kernel hang) via crafted arguments.
CAN-2005-1913
When a non group-leader thread called exec() to execute a different program
while an itimer was pending, the timer expiry would signal the old group
leader task, which did not exist any more. This caused a kernel panic.
CAN-2005-2098
The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
2.6.12.5 contains an error path that does not properly release the session
management semaphore, which allows local users or remote attackers to cause
a denial of service (semaphore hang) via a new session keyring (1) with an
empty name string, (2) with a long name string, (3) with the key quota
reached, or (4) ENOMEM.
CAN-2005-2099
The Linux kernel before 2.6.12.5 does not properly destroy a keyring that
is not instantiated properly, which allows local users or remote attackers
to cause a denial of service (kernel oops) via a keyring with a payload
that is not empty, which causes the creation to fail, leading to a null
dereference in the keyring destructor.
CAN-2005-2456
Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c
in Linux kernel 2.6 allows local users to cause a denial of service (oops
or deadlock) and possibly execute arbitrary code via a p->dir value that is
larger than XFRM_POLICY_OUT, which is used as an index in the
sock->sk_policy array.
CAN-2005-2457
The driver for compressed ISO file systems (zisofs) in the Linux kernel
before 2.6.12.5 allows local users and remote attackers to cause a denial
of service (kernel crash) via a crafted compressed ISO file system.
CAN-2005-2458
inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows
remote attackers to cause a denial of service (kernel crash) via a
compressed file with "improper tables".
CAN-2005-2459
The huft_build function in inflate.c in the zlib routines in the Linux
kernel before 2.6.12.5 returns the wrong value, which allows remote
attackers to cause a denial of service (kernel crash) via a certain
compressed file that leads to a null pointer dereference, a different
vulnerbility than CAN-2005-2458.
CAN-2005-2548
vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a denial
of service (kernel oops from null dereference) via certain UDP packets that
lead to a function call with the wrong argument, as demonstrated using
snmpwalk on snmpd.
CAN-2005-2555
Linux kernel 2.6.x does not properly restrict socket policy access to users
with the CAP_NET_ADMIN capability, which could allow local users to conduct
unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
ipv6/ipv6_sockglue.c.
CAN-2005-2617
The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12
and later, on the amd64 architecture, does not check the return value of
the insert_vm_struct function, which allows local users to trigger a memory
leak via a 32-bit application with crafted ELF headers.
In addition this update fixes some security issues that have not been
assigned CVE ids:
- Fix DST leak in icmp_push_reply(). Possible remote DoS?
- NPTL signal delivery deadlock fix; possible local DoS.
- fix a memory leak in devices seq_file implementation; local DoS.
- Fix SKB leak in ip6_input_finish(); local DoS.
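Review bot: the cve: header lists CAN-2005-1761 twice (after CAN-2005-1913 and again after CAN-2005-1762); drop the duplicate, since the body describes it once. The upgrade: line names only linux-image-2.6-386, while the commit message says users need to take special actions to move to the new linux-2.6 packages; the body does not say what users of other flavours or architectures should install, nor that the running kernel stays in use until the reboot. "Possible remote DoS?" under the fixes without CVE ids should be settled one way or the other before publication, since an advisory should not carry an open question. Typos: "debian-specifc" in the header (which matters if the field name is parsed by tooling) and "vulnerbility" under CAN-2005-2459.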
source: kernel-source-2.6.8
date: September 10, 2005
author: Micah Anderson
vuln-type: various
problem-scope: remote
debian-specifc: no
cve: CAN-2005-1763, CAN-2005-1762, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757,
CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302,
CAN-2005-1767, CAN-2005-2458, CAN-2005-2459
vendor-advisory:
testing-fix: linux-2.6
sid-fix: linux-2.6
upgrade: apt-get install xxx
xxx multiline description here
TODO:
upgrade instructions
descriptions
what about security fixes that don't have CANs?
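Review bot: this second file is still a template: upgrade: reads "apt-get install xxx", the description is "xxx multiline description here", vendor-advisory: is empty, and testing-fix:/sid-fix: hold the package name linux-2.6 rather than a version. If it is meant to be committed as a work-in-progress draft that is fine, but its cve: list overlaps DTSA-16-1 almost entirely (CAN-2005-1762, CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302, CAN-2005-2458, CAN-2005-2459) while adding CAN-2005-1763, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757 and CAN-2005-1767; the TODO should note which of those extra CVEs are also fixed by linux-2.6 2.6.12-6 so the two advisories do not contradict each other. The "debian-specifc" typo recurs here, which suggests it comes from a shared template worth fixing at the source.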
......@@ -42,3 +42,6 @@
[September 13th, 2005] DTSA-15-1 php4 - several vulnerabilities
{CAN-2005-1751 CAN-2005-1921 CAN-2005-2498 }
- php4 4:4.3.10-16etch1
[September 15, 2005] DTSA-16-1 linux-2.6 - various
{CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2617 CAN-2005-1913 CAN-2005-1761 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2004-2302 CAN-2005-1765 CAN-2005-1762 CAN-2005-1761 CAN-2005-2555 }
- linux-2.6 2.6.12-6
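Review bot: the new list entry repeats the duplicated CAN-2005-1761 from the advisory header, and its date reads "[September 15, 2005]" where the neighbouring entry uses "[September 13th, 2005]"; drop the duplicate and pick one date format for the list.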
......@@ -67,6 +67,8 @@
<dd>several</dd>
<dt>[September 13th, 2005] <a href='DTSA/DTSA-15-1.html'>DTSA-15-1 php4</a></dt>
<dd>several vulnerabilities</dd>
<dt>[September 15, 2005] <a href='DTSA/DTSA-16-1.html'>DTSA-16-1 linux-2.6</a></dt>
<dd>various</dd>
</dl>
<!-- footer -->
<hr>
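Review bot: the same date-format inconsistency as in the text list: "[September 15, 2005]" sits next to "[September 13th, 2005]". The summary "various" is also vaguer than the sibling "several vulnerabilities"; whichever wording is chosen, keep the HTML index and the text list entry identical.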