Debian project today released a pair of security updates to plug at least ten security holes in its core called Linux kernel. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. This update has been rated as having important security impact.
For the stable distribution (etch), these problems have been fixed in version 2.6.24-6~etchnhalf.7. This is not just Debian specific bug. Other distros will also provide updates.
Problem Description
CVE-2008-3528
Eugene Teo reported a local DoS issue in the ext2 and ext3
filesystems. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to output error messages in an
infinite loop.
CVE-2008-4554
Milos Szeredi reported that the usage of splice() on files opened
with O_APPEND allows users to write to the file at arbitrary
offsets, enabling a bypass of possible assumed semantics of the
O_APPEND flag.
CVE-2008-4576
Vlad Yasevich reported an issue in the SCTP subsystem that may
allow remote users to cause a local DoS by triggering a kernel
oops.
CVE-2008-4618
Wei Yongjun reported an issue in the SCTP subsystem that may allow
remote users to cause a local DoS by triggering a kernel panic.
CVE-2008-4933
Eric Sesterhenn reported a local DoS issue in the hfsplus
filesystem. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to overrun a buffer, resulting
in a system oops or memory corruption.
CVE-2008-4934
Eric Sesterhenn reported a local DoS issue in the hfsplus
filesystem. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that results in a kernel oops due to an unchecked
return value.
CVE-2008-5025
Eric Sesterhenn reported a local DoS issue in the hfs filesystem.
Local users who have been granted the privileges necessary to
mount a filesystem would be able to craft a filesystem with a
corrupted catalog name length, resulting in a system oops or
memory corruption.
CVE-2008-5029
Andrea Bittau reported a DoS issue in the unix socket subsystem
that allows a local user to cause memory corruption, resulting in
a kernel panic.
CVE-2008-5134
Johannes Berg reported a remote DoS issue in the libertas wireless
driver, which can be triggered by a specially crafted beacon/probe
response.
CVE-2008-5182
Al Viro reported race conditions in the inotify subsystem that may
allow local users to acquire elevated privileges.
CVE-2008-5300
Dann Frazier reported a DoS condition that allows local users to
cause the out of memory handler to kill off privileged processes
or trigger soft lockups due to a starvation issue in the unix
socket subsystem.
How do I fix this problem?
Simply upgrade your kernel by typing the following commands:
# apt-get update
# apt-get upgrade
Reboot the system:
# reboot
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- 10 Greatest Open Source Software Of 2009
- My 10 UNIX Command Line Mistakes
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Want to read Linux tips and tricks, but don't have time to check our blog everyday? Subscribe to our daily email newsletter to make sure you don't miss a single tip/tricks. Subscribe to our weekly newsletter here!
- Email this to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: Dec/6/2008
{ 0 comments… add one now }