Security Update: Debian Linux Kernel Local / Remote Vulnerabilities

Debian project today released a pair of security updates to plug at least ten security holes in its core called Linux kernel. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. This update has been rated as having important security impact.

For the stable distribution (etch), these problems have been fixed in version 2.6.24-6~etchnhalf.7. This is not just Debian specific bug. Other distros will also provide updates.

ADVERTISEMENTS

Problem Description

CVE-2008-3528

    Eugene Teo reported a local DoS issue in the ext2 and ext3
    filesystems.  Local users who have been granted the privileges
    necessary to mount a filesystem would be able to craft a corrupted
    filesystem that causes the kernel to output error messages in an
    infinite loop.

CVE-2008-4554

    Milos Szeredi reported that the usage of splice() on files opened
    with O_APPEND allows users to write to the file at arbitrary
    offsets, enabling a bypass of possible assumed semantics of the
    O_APPEND flag.

CVE-2008-4576

    Vlad Yasevich reported an issue in the SCTP subsystem that may
    allow remote users to cause a local DoS by triggering a kernel
    oops.

CVE-2008-4618

    Wei Yongjun reported an issue in the SCTP subsystem that may allow
    remote users to cause a local DoS by triggering a kernel panic.

CVE-2008-4933

    Eric Sesterhenn reported a local DoS issue in the hfsplus
    filesystem.  Local users who have been granted the privileges
    necessary to mount a filesystem would be able to craft a corrupted
    filesystem that causes the kernel to overrun a buffer, resulting
    in a system oops or memory corruption.

CVE-2008-4934

    Eric Sesterhenn reported a local DoS issue in the hfsplus
    filesystem.  Local users who have been granted the privileges
    necessary to mount a filesystem would be able to craft a corrupted
    filesystem that results in a kernel oops due to an unchecked
    return value.

CVE-2008-5025

    Eric Sesterhenn reported a local DoS issue in the hfs filesystem.
    Local users who have been granted the privileges necessary to
    mount a filesystem would be able to craft a filesystem with a
    corrupted catalog name length, resulting in a system oops or
    memory corruption.

CVE-2008-5029

    Andrea Bittau reported a DoS issue in the unix socket subsystem
    that allows a local user to cause memory corruption, resulting in
    a kernel panic.

CVE-2008-5134

    Johannes Berg reported a remote DoS issue in the libertas wireless
    driver, which can be triggered by a specially crafted beacon/probe
    response.

CVE-2008-5182

    Al Viro reported race conditions in the inotify subsystem that may
    allow local users to acquire elevated privileges.

CVE-2008-5300

    Dann Frazier reported a DoS condition that allows local users to
    cause the out of memory handler to kill off privileged processes
    or trigger soft lockups due to a starvation issue in the unix
    socket subsystem.

How do I fix this problem?

Simply upgrade your kernel by typing the following commands:
# apt-get update
# apt-get upgrade

Reboot the system:
# reboot

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
Network Utilitiesdig host ip nmap
Package Managerapk apt
Processes Managementbg chroot disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w

ADVERTISEMENTS
0 comments… add one

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.