[kernel-sec-discuss] r985 - dsa-texts

dannf at alioth.debian.org dannf at alioth.debian.org
Wed Oct 3 02:03:09 UTC 2007


Author: dannf
Date: 2007-10-03 02:03:09 +0000 (Wed, 03 Oct 2007)
New Revision: 985

Added:
   dsa-texts/2.6.18.dfsg.1-13etch4
Log:
new dsa text

Copied: dsa-texts/2.6.18.dfsg.1-13etch4 (from rev 984, dsa-texts/2.6.18.dfsg.1-13etch3)
===================================================================
--- dsa-texts/2.6.18.dfsg.1-13etch4	                        (rev 0)
+++ dsa-texts/2.6.18.dfsg.1-13etch4	2007-10-03 02:03:09 UTC (rev 985)
@@ -0,0 +1,162 @@
+--------------------------------------------------------------------------
+Debian Security Advisory DSA 1381-1                    security at debian.org
+http://www.debian.org/security/                               Dann Frazier
+October 2nd, 2007                       http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package        : linux-2.6
+Vulnerability  : several
+Problem-Type   : local
+Debian-specific: no
+CVE ID         : CVE-2006-5755 CVE-2007-4133 CVE-2007-4573 CVE-2007-5093
+
+Several local vulnerabilities have been discovered in the Linux kernel
+that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2006-5755
+
+    The NT bit maybe leaked into the next task which can local attackers
+    to cause a Denial of Service (crash) on systems which run the 'amd64'
+    flavour kernel. The stable distribution ('etch') was not believed to
+    be vulnerable to this issue at the time of release, however Bastian
+    Blank discovered that this issue still applied to the 'xen-amd64' and
+    'xen-vserver-amd64' flavours that is resolved by this DSA.
+
+CVE-2007-4133
+
+    Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs.
+    A misconversion of hugetlb_vmtruncate_list to prio_tree may allow
+    local users to trigger a BUG_ON() call in exit_mmap.
+
+CVE-2007-4573
+
+    Wojciech Purczynski discovered a vulnerability that can be exploitd
+    by a local user to obtain superuser privileges on x86_64 systems.
+    This resulted from improper clearing of the high bits of registers
+    during ia32 system call emulation. This vulnerability is relevant
+    to the Debian amd64 port as well as users of the i386 port who run
+    the amd64 linux-image flavour.
+
+    DSA-1378 resolved this problem for the 'amd64' flavour kernels, but
+    Tim Wickberg and Ralf HemmenstÃdt reported an outstanding issue with
+    the 'xen-amd64' and 'xen-vserver-amd64' issues that is resolved by
+    this DSA.
+
+CVE-2007-5093
+
+    Alex Smith discovered an issue with the pwc driver for certain webcam
+    devices. If the device is removed while a userspace application has it
+    open, the driver will wait for userspace to close the device, resulting
+    in a blocked USB subsystem. This issue is of low security impact as
+    it requires the attacker to either have physical access to the system
+    or to convince a user with local access to remove the device on their
+    behalf.
+    
+These problems have been fixed in the stable distribution in version 
+2.6.18.dfsg.1-13etch4.
+
+At the time of this DSA, only the build for the amd64 architecture is
+available. Due to the severity of the amd64-specific issues, we are
+releasing an incomplete update. This advisory will be updated once
+other architecture builds become available.
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+        will fetch the file for you
+dpkg -i file.deb
+        will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+        will update the internal database
+apt-get upgrade
+        will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 4.0 alias etch
+--------------------------------
+
+  Source archives:
+
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-13etch4.dsc
+      Size/MD5 checksum:     5672 37f70bdc04b866a5dbcaa8f849be618a
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-13etch4.diff.gz
+      Size/MD5 checksum:  5321790 7bc41f428b95ef6fe99361ca8854e6da
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1.orig.tar.gz
+      Size/MD5 checksum: 52225460 6a1ab0948d6b5b453ea0fce0fcc29060
+
+  Architecture independent components:
+
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6.18_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum:  3586640 3bd5240a2610896cc497c62eb88b155c
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual-2.6.18_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum:  1083674 f8c4bf0032e87733d2ee3f2f1f739f9d
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-debian-2.6.18_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum:  1499612 10c0c285c4183493633f2b29f6036d14
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-source-2.6.18_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum: 41419632 8ced68949f94c78c5fc992deebdf1c85
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.18-5_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum:  3739000 f73b86b37f56ab817c341c43bd4cf8fe
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2.6.18_2.6.18.dfsg.1-13etch4_all.deb
+      Size/MD5 checksum:    51982 4593b4bbf1f423b1d6e426602243defd
+
+  AMD64 architecture:
+
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  3165218 4f4764c3aef1f9e11201852b94467850
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-all_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:    51516 a90387023090038a122da75482b981fd
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-all-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:    51542 cb132c34f0684e6a7b1facc9432ecca2
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:   269088 d3d721166785a2acfc475b8a87eb7de0
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-vserver_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  3188578 58346ab81a8dae1bbff87412b9d071a8
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:   269454 ef04a599ceb19d37a544cd6f95000138
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-xen_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  3331732 8b0e214847656f1fb6b2d35396db36a7
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-xen-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:   269772 1d3f9740c35d4510c6612bb645b1ef79
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-xen-vserver_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  3354462 30fce94ecaa6650c7eb3307e76ad47d9
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.18-5-xen-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:   270790 4cd241518cb91e87bbcc62c09117accc
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.18-5-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum: 16800532 5cd7846a71c94945df71cf67b3d9f254
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.18-5-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum: 16840344 d264466281d7596876f18427dc7dad37
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.18-5-xen-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  1648548 ff22e2a8c3f269295231b2b24289a892
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.18-5-xen-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:  1679922 f7061df614029b187d6883902b2053b7
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-modules-2.6.18-5-xen-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum: 15239984 c8de0964da37ad0d13a7c0b1a8dbe927
+    http://security.debian.org/pool/updates/main/l/linux-2.6/linux-modules-2.6.18-5-xen-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum: 15257046 7fbf51b2580cdf39314d5cae996f8059
+    http://security.debian.org/pool/updates/main/l/linux-2.6/xen-linux-system-2.6.18-5-xen-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:    51500 d813a622add08eb6ca03f118af21e6c0
+    http://security.debian.org/pool/updates/main/l/linux-2.6/xen-linux-system-2.6.18-5-xen-vserver-amd64_2.6.18.dfsg.1-13etch4_amd64.deb
+      Size/MD5 checksum:    51514 9f3b1193357e2b448f653e3dd8cac1ac
+
+  These files will probably be moved into the stable distribution on
+  its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ etch/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/etch/updates/main
+Mailing list: debian-security-announce at lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
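
Review bot: In the CVE-2006-5755 paragraph, the sentence "The NT bit maybe leaked into the next task which can local attackers to cause a Denial of Service" has no verb after "can", so the impact statement does not parse. Suggest "The NT bit may be leaked into the next task, which can allow local attackers to cause a denial of service (crash)", and end that paragraph with "flavours, which is resolved by this DSA". In the CVE-2007-4573 text, "exploitd" should be "exploited", and "the 'xen-amd64' and 'xen-vserver-amd64' issues" should read "flavours" to match the wording of the CVE-2006-5755 paragraph. The reporter name "Ralf HemmenstÃdt" as shown here contains a mis-encoded character and should be checked against the original report before the text is published. Under Upgrade Instructions, "use the line for sources.list as given below" sits directly above the apt-get commands, but the sources.list line only appears in the footer; referring to the footer, as the following paragraph already does, would be clearer.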



