LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Debian: 2389-1: linux-2.6: privilege escalation/denial Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Debian Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
- ----------------------------------------------------------------------
Debian Security Advisory DSA-2389-1                security@debian.org
http://www.debian.org/security/                           Dann Frazier
January 15, 2012                    http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2011-2183 CVE-2011-2213 CVE-2011-2898 CVE-2011-3353
                 CVE-2011-4077 CVE-2011-4110 CVE-2011-4127 CVE-2011-4611
                 CVE-2011-4622 CVE-2011-4914

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-2183

    Andrea Righi reported an issue in KSM, a memory-saving de-duplication
    feature. By exploiting a race with exiting tasks, local users can cause
    a kernel oops, resulting in a denial of service.
                 
CVE-2011-2213

    Dan Rosenberg discovered an issue in the INET socket monitoring interface.
    Local users could cause a denial of service by injecting code and causing
    the kernel to execute an infinite loop.

CVE-2011-2898

    Eric Dumazet reported an information leak in the raw packet socket
    implementation.

CVE-2011-3353

    Han-Wen Nienhuys reported a local denial of service issue issue in the FUSE
    (Filesystem in Userspace) support in the linux kernel. Local users could
    cause a buffer overflow, leading to a kernel oops and resulting in a denial
    of service.

CVE-2011-4077

    Carlos Maiolino reported an issue in the XFS filesystem. A local user
    with the ability to mount a filesystem could corrupt memory resulting
    in a denial of service or possibly gain elevated privileges.

CVE-2011-4110

    David Howells reported an issue in the kernel's access key retention
    system which allow local users to cause a kernel oops leading to a denial
    of service.

CVE-2011-4127

    Paolo Bonzini of Red Hat reported an issue in the ioctl passthrough
    support for SCSI devices. Users with permission to access restricted
    portions of a device (e.g. a partition or a logical volume) can obtain
    access to the entire device by way of the SG_IO ioctl. This could be
    exploited by a local user or privileged VM guest to achieve a privilege
    escalation.

CVE-2011-4611

    Maynard Johnson reported an issue with the perf support on POWER7 systems
    that allows local users to cause a denial of service.

CVE-2011-4622

    Jan Kiszka reported an issue in the KVM PIT timer support. Local users
    with the permission to use KVM can cause a denial of service by starting
    a PIT timer without first setting up the irqchip.

CVE-2011-4914

    Ben Hutchings reported various bounds checking issues within the ROSE
    protocol support in the kernel. Remote users could possibly use this
    to gain access to sensitive memory or cause a denial of service.

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-39squeeze1. Updates for issues impacting the oldstable distribution
(lenny) will be available soon.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                             Debian 6.0 (squeeze)
     user-mode-linux                         2.6.32-1um-4+39squeeze1

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
'Snowden effect' has changed cloud data security assumption, survey claims
Galaxy S5 fingerprint scanner hacked with glue mould
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.