Debian: DSA-2469-1: linux-2.6 security update

    Date: 10 May 2012
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ----------------------------------------------------------------------
    Debian Security Advisory DSA-2469-1                   security@debian.org
    http://www.debian.org/security/                           Dann Frazier
    May 10, 2012                        http://www.debian.org/security/faq
    - ----------------------------------------------------------------------
    
    Package        : linux-2.6
    Vulnerability  : privilege escalation/denial of service
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2011-4086 CVE-2012-0879 CVE-2012-1601 CVE-2012-2123
                     CVE-2012-2133
    
    Several vulnerabilities have been discovered in the Linux kernel that may lead
    to a denial of service or privilege escalation. The Common Vulnerabilities and
    Exposures project identifies the following problems:
    
    CVE-2011-4086
    
        Eric Sandeen reported an issue in the journaling layer for EXT4 filesystems
        (jbd2). Local users can cause buffers to be accessed after they have been
        torn down, resulting in a denial of service (DoS) due to a system crash.
    
    CVE-2012-0879
    
        Louis Rilling reported two reference counting issues in the CLONE_IO
        feature of the kernel. Local users can prevent io context structures
        from being freed, resulting in a denial of service.
    
    CVE-2012-1601
    
        Michael Ellerman reported an issue in the KVM subsystem. Local users could
        cause a denial of service (NULL pointer dereference) by creating VCPUs
        before a call to KVM_CREATE_IRQCHIP.
    
    CVE-2012-2123
    
        Steve Grubb reported an issue in fcaps, the filesystem-based capabilities
        mechanism. Personality flags set by an unprivileged process, such as
        ADDR_NO_RANDOMIZE (which disables address space layout randomisation),
        are cleared when a set-uid program is executed but were not cleared when
        a program gained privileges through file capabilities, so they could
        persist into the privileged program.
    
    CVE-2012-2133
    
        Shachar Raindel discovered a use-after-free bug in the hugepages
        quota implementation. Local users with permission to use hugepages
        via the hugetlbfs implementation may be able to cause a denial of
        service (system crash).
    
    For the stable distribution (squeeze), these problems have been fixed in
    version 2.6.32-44. Updates are currently only available for the amd64, i386
    and sparc ports.
    
    NOTE: Updated linux-2.6 packages will also be made available in the release
    of Debian 6.0.5, scheduled to take place the weekend of 2012.05.12. This
    pending update will be version 2.6.32-45, and provides an additional fix for
    build failures on some architectures. Users for whom this update is not
    critical, and who may wish to avoid multiple reboots, should consider waiting
    for the 6.0.5 release before updating, or installing the 2.6.32-45 version
    ahead of time from proposed-updates.
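    The practical check after reading an advisory like this one is whether the
    kernel actually running on a host is at or above the fixed package version.
    The following script is an added example and is not part of the advisory or
    of Debian's tooling. It implements the dpkg version-ordering rules (epoch,
    upstream version, Debian revision, with "~" sorting before everything) in
    pure Python, extracts the Debian package version from a /proc/version line
    (Debian kernels embed it as "(Debian <version>)"), and compares it against
    the fixed versions named above. The /proc/version sample strings inside the
    block are constructed for illustration; the function names are this
    example's own.

```python
import re

# Fixed package versions named in DSA-2469-1 (squeeze).
FIXED_SQUEEZE = "2.6.32-44"      # the version this advisory ships
FIXED_SQUEEZE_605 = "2.6.32-45"  # the pending 6.0.5 point-release version


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c == "~":
        return -1           # "~" sorts before everything, even the end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)       # letters sort before non-letters
    return ord(c) + 256     # other characters sort after letters


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit and digit runs, compare each."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit run numerically: skip leading zeros, then the longer
        # run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split "[epoch:]upstream[-revision]" the way dpkg does."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no hyphen: the whole string is upstream
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    rc = _verrevcmp(u1, u2)
    if rc:
        return rc
    return _verrevcmp(r1, r2)


def running_kernel_package_version(proc_version):
    """Extract the Debian package version embedded in a /proc/version line."""
    m = re.search(r"\(Debian ([^)\s]+)\)", proc_version)
    return m.group(1) if m else None


def kernel_is_fixed(proc_version, fixed=FIXED_SQUEEZE):
    """True if the running Debian kernel package is at or above `fixed`."""
    installed = running_kernel_package_version(proc_version)
    if installed is None:
        return None        # not a Debian-built kernel; cannot decide from this
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed /proc/version lines in the Debian squeeze format.
    samples = [
        "Linux version 2.6.32-5-amd64 (Debian 2.6.32-41squeeze2) (ben@decadent.org.uk) "
        "(gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Jan 16 16:22:28 UTC 2012",
        "Linux version 2.6.32-5-amd64 (Debian 2.6.32-45) (dannf@debian.org) "
        "(gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Sun May 6 04:00:17 UTC 2012",
    ]
    for s in samples:
        print(running_kernel_package_version(s), "fixed:", kernel_is_fixed(s))
```

    On a live squeeze host the same logic would be fed the real /proc/version;
    note that the comparison is against the package version of the *running*
    kernel, so a host that has installed 2.6.32-44 but not rebooted still
    reports the old version, which is exactly the case the advisory's note
    about avoiding multiple reboots is concerned with.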
    
    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:
    
                                                 Debian 6.0 (squeeze)
         user-mode-linux                         2.6.32-1um-4+44
    
    We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    Mailing list: debian-security-announce@lists.debian.org
    