Debian: DSA-2669-1: linux security update

    Date: 15 May 2013
    Category: Debian
    Posted by: LinuxSecurity Advisories
    ----------------------------------------------------------------------
    Debian Security Advisory DSA-2669-1
    http://www.debian.org/security/                           Dann Frazier
    May 15, 2013                        http://www.debian.org/security/faq
    ----------------------------------------------------------------------
    
    Package        : linux
    Vulnerability  : privilege escalation/denial of service/information leak
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979
                     CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222
                     CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227
                     CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234
                     CVE-2013-3235 CVE-2013-3301
    
    Several vulnerabilities have been discovered in the Linux kernel that may lead
    to a denial of service, information leak or privilege escalation. The Common
    Vulnerabilities and Exposures project identifies the following problems:
    
    CVE-2013-0160
    
        vladz reported a timing leak with the /dev/ptmx character device. A local
        user could use this to determine sensitive information such as password
        length.
    
    CVE-2013-1796
    
        Andrew Honig of Google reported an issue in the KVM subsystem. A user in
        a guest operating system could corrupt kernel memory, resulting in a
        denial of service.
    
    CVE-2013-1929
    
        Oded Horovitz and Brad Spengler reported an issue in the device driver for
        Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach
        untrusted devices can create an overflow condition, resulting in a denial
        of service or elevated privileges.
    
    CVE-2013-1979
    
        Andy Lutomirski reported an issue in the socket level control message
        processing subsystem. Local users may be able to gain elevated privileges.
    
    CVE-2013-2015
    
        Theodore Ts'o provided a fix for an issue in the ext4 filesystem. Local
        users with the ability to mount a specially crafted filesystem can cause
        a denial of service (infinite loop).
    
    CVE-2013-2094
    
        Tommi Rantala discovered an issue in the perf subsystem. An out-of-bounds
        access vulnerability allows local users to gain elevated privileges.
    
    CVE-2013-3076
    
        Mathias Krause discovered an issue in the userspace interface for hash
        algorithms. Local users can gain access to sensitive kernel memory.
        
    CVE-2013-3222
    
        Mathias Krause discovered an issue in the Asynchronous Transfer Mode (ATM)
        protocol support. Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3223
    
        Mathias Krause discovered an issue in the Amateur Radio AX.25 protocol
        support. Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3224
    
        Mathias Krause discovered an issue in the Bluetooth subsystem. Local users
        can gain access to sensitive kernel memory.
    
    CVE-2013-3225
    
        Mathias Krause discovered an issue in the Bluetooth RFCOMM protocol
        support. Local users can gain access to sensitive kernel memory.
        
    CVE-2013-3227
    
        Mathias Krause discovered an issue in the Communication CPU to Application
        CPU Interface (CAIF). Local users can gain access to sensitive kernel
        memory.
    
    CVE-2013-3228
    
        Mathias Krause discovered an issue in the IrDA (infrared) subsystem
        support. Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3229
    
        Mathias Krause discovered an issue in the IUCV support on s390 systems.
        Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3231
    
        Mathias Krause discovered an issue in the ANSI/IEEE 802.2 LLC type 2
        protocol support. Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3234
    
        Mathias Krause discovered an issue in the Amateur Radio X.25 PLP (Rose)
        protocol support. Local users can gain access to sensitive kernel memory.
    
    CVE-2013-3235
    
        Mathias Krause discovered an issue in the Transparent Inter Process
        Communication (TIPC) protocol support. Local users can gain access to
        sensitive kernel memory.
    
    CVE-2013-3301
    
        Namhyung Kim reported an issue in the tracing subsystem. A privileged
        local user could cause a denial of service (system crash). This
        vulnerability is not applicable to Debian systems by default.
    
    For the stable distribution (wheezy), this problem has been fixed in version
    3.2.41-2+deb7u1.
    
    Note: Updates are currently available for the amd64, i386, ia64, s390, s390x
    and sparc architectures. Updates for the remaining architectures will be
    released as they become available.
    
    The following matrix lists additional source packages that were rebuilt for
    compatibility with or to take advantage of this update:
    
                                                 Debian 7.0 (wheezy)
         user-mode-linux                         3.2-2um-1+deb7u1
    
    We recommend that you upgrade your linux and user-mode-linux packages.
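    The following check is an added example, not part of the advisory or of Debian's tooling: it compares installed package versions with the two fixed versions named above using a Python port of dpkg's version ordering (epoch, then upstream, then Debian revision, with "~" sorting lowest), so that a backport or locally built kernel is judged correctly. The installed versions in SAMPLE_INSTALLED are constructed sample data keyed by source package name, not output from a real host.

```python
import re
from itertools import zip_longest

# Fixed versions named in the advisory for Debian 7.0 (wheezy).
FIXED_VERSIONS = {"linux": "3.2.41-2+deb7u1", "user-mode-linux": "3.2-2um-1+deb7u1"}

def _order(c):
    # dpkg's weight for one non-digit character; "" (padding) and digits weigh 0,
    # '~' sorts below everything, letters below other punctuation.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else (ord(c) + 256 if c and not c.isdigit() else 0)

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): walk both strings as alternating
    # (non-digit run, digit run) pairs; runs of letters/punctuation compare
    # character by character via _order, digit runs compare numerically.
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        d = int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 for Debian versions [epoch:]upstream[-revision]; the epoch is
    # compared numerically, then the upstream part, then the Debian revision.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    diff = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (diff > 0) - (diff < 0)

def unpatched(installed):
    # Advisory packages whose installed version is still older than the fix.
    return sorted(p for p, fixed in FIXED_VERSIONS.items()
                  if p in installed and compare_versions(installed[p], fixed) < 0)

# Constructed sample of source package -> installed version (not a real host).
SAMPLE_INSTALLED = {"linux": "3.2.41-2", "user-mode-linux": "3.2-2um-1+deb7u1"}
print("still unpatched:", unpatched(SAMPLE_INSTALLED))  # ['linux']
```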
    
    Note: Debian carefully tracks all known security issues across every
    linux kernel package in all releases under active security support.
    However, given the high frequency at which low-severity security
    issues are discovered in the kernel and the resource requirements of
    doing an update, updates for lower priority issues will normally not
    be released for all kernels at the same time. Rather, they will be
    released in a staggered or "leap-frog" fashion.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    