Re: [SECURITY] [DSA 2668-1] linux-2.6 security update
Apologies, hit the wrong reply to! Please ignore and thanks for all the good work.

On Tue, May 14, 2013 at 09:15:48PM +0100, Jon Marshall wrote:
> Saw this earlier, apparently there is a serious issue that affects all of the
> kernels up to 3.8
>
> Will do a security thing tomorrow, if I get a chance, but it has been a while
> since we've had a look at it, my fault.
>
> Will update once I've reviewed.
>
> On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - --
> > Debian Security Advisory DSA-2668-1                   secur...@debian.org
> > http://www.debian.org/security/                           Dann Frazier
> > May 14, 2013                        http://www.debian.org/security/faq
> > - --
> >
> > Package        : linux-2.6
> > Vulnerability  : privilege escalation/denial of service/information leak
> > Problem type   : local/remote
> > Debian-specific: no
> > CVE Id(s)      : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
> >                  CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
> >                  CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
> >                  CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
> >                  CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
> >                  CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
> >                  CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
> >                  CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
> >                  CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
> >
> > Several vulnerabilities have been discovered in the Linux kernel that may lead
> > to a denial of service, information leak or privilege escalation. The Common
> > Vulnerabilities and Exposures project identifies the following problems:
> >
> > CVE-2012-2121
> >
> >     Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU
> >     mapping of memory slots used in KVM device assignment. Local users with
> >     the ability to assign devices could cause a denial of service due to a
> >     memory page leak.
> >
> > CVE-2012-3552
> >
> >     Hafid Lin reported an issue in the IP networking subsystem. A remote user
> >     can cause a denial of service (system crash) on servers running
> >     applications that set options on sockets which are actively being
> >     processed.
> >
> > CVE-2012-4461
> >
> >     Jon Howell reported a denial of service issue in the KVM subsystem.
> >     On systems that do not support the XSAVE feature, local users with
> >     access to the /dev/kvm interface can cause a system crash.
> >
> > CVE-2012-4508
> >
> >     Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4
> >     filesystem. Local users could gain access to sensitive kernel memory.
> >
> > CVE-2012-6537
> >
> >     Mathias Krause discovered information leak issues in the Transformation
> >     user configuration interface. Local users with the CAP_NET_ADMIN capability
> >     can gain access to sensitive kernel memory.
> >
> > CVE-2012-6539
> >
> >     Mathias Krause discovered an issue in the networking subsystem. Local
> >     users on 64-bit systems can gain access to sensitive kernel memory.
> >
> > CVE-2012-6540
> >
> >     Mathias Krause discovered an issue in the Linux virtual server subsystem.
> >     Local users can gain access to sensitive kernel memory. Note: this issue
> >     does not affect Debian provided kernels, but may affect custom kernels
> >     built from Debian's linux-source-2.6.32 package.
> >
> > CVE-2012-6542
> >
> >     Mathias Krause discovered an issue in the LLC protocol support code.
> >     Local users can gain access to sensitive kernel memory.
> >
> > CVE-2012-6544
> >
> >     Mathias Krause discovered issues in the Bluetooth subsystem.
> >     Local users can gain access to sensitive kernel memory.
> >
> > CVE-2012-6545
> >
> >     Mathias Krause discovered issues in the Bluetooth RFCOMM protocol
> >     support. Local users can gain access to sensitive kernel memory.
> >
> > CVE-2012-6546
> >
> >     Mathias Krause discovered issues in the ATM networking support. Local
> >     users can gain access to sensitive kernel memory.
> >
> > CVE-2012-6548
> >
> >     Mathias Krause discovered an issue in the UDF file system support.
> >     Local users can obtain access to sensitive kernel memory.
> >
> > CVE-2012-6549
> >
> >     Mathias Krause discovered an issue in the isofs file system support.
> >     Local users can obtain access to sensitive kernel memory.
> >
> > CVE-2013-0349
> >
> >     Anderson Lizardo discovered an issue in the Bluetooth Human Interface
> >     Device Protocol (HIDP) stack. Local users can obtain access to sensitive
Re: [SECURITY] [DSA 2668-1] linux-2.6 security update
Saw this earlier, apparently there is a serious issue that affects all of the
kernels up to 3.8

Will do a security thing tomorrow, if I get a chance, but it has been a while
since we've had a look at it, my fault.

Will update once I've reviewed.

On Tue, May 14, 2013 at 01:14:29PM -0600, dann frazier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --
> Debian Security Advisory DSA-2668-1                   secur...@debian.org
> http://www.debian.org/security/                           Dann Frazier
> May 14, 2013                        http://www.debian.org/security/faq
> - --
>
> Package        : linux-2.6
> Vulnerability  : privilege escalation/denial of service/information leak
> Problem type   : local/remote
> Debian-specific: no
> CVE Id(s)      : CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508
>                  CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542
>                  CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548
>                  CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767
>                  CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
>                  CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928
>                  CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222
>                  CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
>                  CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
>
> Several vulnerabilities have been discovered in the Linux kernel that may lead
> to a denial of service, information leak or privilege escalation. The Common
> Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2012-2121
>
>     Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU
>     mapping of memory slots used in KVM device assignment. Local users with
>     the ability to assign devices could cause a denial of service due to a
>     memory page leak.
>
> CVE-2012-3552
>
>     Hafid Lin reported an issue in the IP networking subsystem. A remote user
>     can cause a denial of service (system crash) on servers running
>     applications that set options on sockets which are actively being
>     processed.
>
> CVE-2012-4461
>
>     Jon Howell reported a denial of service issue in the KVM subsystem.
>     On systems that do not support the XSAVE feature, local users with
>     access to the /dev/kvm interface can cause a system crash.
>
> CVE-2012-4508
>
>     Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4
>     filesystem. Local users could gain access to sensitive kernel memory.
>
> CVE-2012-6537
>
>     Mathias Krause discovered information leak issues in the Transformation
>     user configuration interface. Local users with the CAP_NET_ADMIN capability
>     can gain access to sensitive kernel memory.
>
> CVE-2012-6539
>
>     Mathias Krause discovered an issue in the networking subsystem. Local
>     users on 64-bit systems can gain access to sensitive kernel memory.
>
> CVE-2012-6540
>
>     Mathias Krause discovered an issue in the Linux virtual server subsystem.
>     Local users can gain access to sensitive kernel memory. Note: this issue
>     does not affect Debian provided kernels, but may affect custom kernels
>     built from Debian's linux-source-2.6.32 package.
>
> CVE-2012-6542
>
>     Mathias Krause discovered an issue in the LLC protocol support code.
>     Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6544
>
>     Mathias Krause discovered issues in the Bluetooth subsystem.
>     Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6545
>
>     Mathias Krause discovered issues in the Bluetooth RFCOMM protocol
>     support. Local users can gain access to sensitive kernel memory.
>
> CVE-2012-6546
>
>     Mathias Krause discovered issues in the ATM networking support. Local
>     users can gain access to sensitive kernel memory.
>
> CVE-2012-6548
>
>     Mathias Krause discovered an issue in the UDF file system support.
>     Local users can obtain access to sensitive kernel memory.
>
> CVE-2012-6549
>
>     Mathias Krause discovered an issue in the isofs file system support.
>     Local users can obtain access to sensitive kernel memory.
>
> CVE-2013-0349
>
>     Anderson Lizardo discovered an issue in the Bluetooth Human Interface
>     Device Protocol (HIDP) stack. Local users can obtain access to sensitive
>     kernel memory.
>
> CVE-2013-0914
>
>     Emese Revfy discovered an issue in the signal implementation. Local
>     users may be able to bypass the address space layout randomization (ASLR)
>     facility due to a leaking of information to child processes.
>
> CVE-2013-1767
>
>     Greg Thelen reported an issue in the tmpfs virtual memory filesystem.
>     Local users with sufficient p