Contents of /dsa-texts/2.6.26-26lenny4


Revision 2589
Sun Jan 8 10:59:13 2012 UTC (16 months, 2 weeks ago) by dannf
File size: 5875 byte(s)
completed DSA text
-------------------------------------------------------------------------
Debian Security Advisory DSA-2310-1                   security@debian.org
http://www.debian.org/security/                              dann frazier
September 22, 2011                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2009-4067 CVE-2011-0712 CVE-2011-1020 CVE-2011-2209
                 CVE-2011-2211 CVE-2011-2213 CVE-2011-2484 CVE-2011-2491
                 CVE-2011-2492 CVE-2011-2495 CVE-2011-2496 CVE-2011-2497
                 CVE-2011-2525 CVE-2011-2928 CVE-2011-3188 CVE-2011-3191
Debian Bug     : 633738

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-4067

    Rafael Dominguez Vega of MWR InfoSecurity reported an issue in the auerswald
    module, a driver for Auerswald PBX/System Telephone USB devices. Attackers
    with physical access to a system's USB ports could obtain elevated
    privileges using a specially crafted USB device.

CVE-2011-0712

    Rafael Dominguez Vega of MWR InfoSecurity reported an issue in the caiaq
    module, a USB driver for Native Instruments USB audio devices. Attackers
    with physical access to a system's USB ports could obtain elevated
    privileges using a specially crafted USB device.

CVE-2011-1020

    Kees Cook discovered an issue in the /proc filesystem that allows local
    users to gain access to sensitive process information after execution of a
    setuid binary.

CVE-2011-2209

    Dan Rosenberg discovered an issue in the osf_sysinfo() system call on the
    alpha architecture. Local users could obtain access to sensitive kernel
    memory.

CVE-2011-2211

    Dan Rosenberg discovered an issue in the osf_wait4() system call on the
    alpha architecture permitting local users to gain elevated privileges.

CVE-2011-2213

    Dan Rosenberg discovered an issue in the INET socket monitoring interface.
    Local users could cause a denial of service by injecting code and causing
    the kernel to execute an infinite loop.

CVE-2011-2484

    Vasiliy Kulikov of Openwall discovered that the number of exit handlers that
    a process can register is not capped, resulting in local denial of service
    through resource exhaustion (CPU time and memory).

CVE-2011-2491

    Vasily Averin discovered an issue with the NFS locking implementation. A
    malicious NFS server can cause a client to hang indefinitely in an unlock
    call.

CVE-2011-2492

    Marek Kroemeke and Filip Palian discovered that uninitialized struct
    elements in the Bluetooth subsystem could lead to a leak of sensitive kernel
    memory through leaked stack memory.

CVE-2011-2495

    Vasiliy Kulikov of Openwall discovered that the io file of a process' proc
    directory was world-readable, resulting in local information disclosure of
    information such as password lengths.

CVE-2011-2496

    Robert Swiecki discovered that mremap() could be abused for local denial of
    service by triggering a BUG_ON assert.

CVE-2011-2497

    Dan Rosenberg discovered an integer underflow in the Bluetooth subsystem,
    which could lead to denial of service or privilege escalation.

CVE-2011-2525

    Ben Pfaff reported an issue in the network scheduling code. A local user
    could cause a denial of service (NULL pointer dereference) by sending a
    specially crafted netlink message.

CVE-2011-2928

    Timo Warns discovered that insufficient validation of Be filesystem images
    could lead to local denial of service if a malformed filesystem image is
    mounted.

CVE-2011-3188

    Dan Kaminsky reported a weakness of the sequence number generation in the
    TCP protocol implementation. This can be used by remote attackers to inject
    packets into an active session.

CVE-2011-3191

    Darren Lavender reported an issue in the Common Internet File System (CIFS).
    A malicious file server could cause memory corruption leading to a denial of
    service.

This update also includes a fix for a regression introduced with the previous
security fix for CVE-2011-1768 (Debian: #633738).

For the oldstable distribution (lenny), this problem has been fixed in version
2.6.26-26lenny4. Updates for arm and alpha are not yet available, but will be
released as soon as possible. Updates for the hppa and ia64 architectures will
be included in the upcoming 5.0.9 point release.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                             Debian 5.0 (lenny)
     user-mode-linux                         2.6.26-1um-2+26lenny4

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
These updates will not become active until after your system is rebooted.

Note: Debian carefully tracks all known security issues across every
Linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or "leap-frog" fashion.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
