[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2310-1)

Tim Abbott tim.abbott at oracle.com
Sat Sep 24 11:38:17 PDT 2011


Synopsis: DSA-2310-1 can now be patched using Ksplice
CVEs: CVE-2009-4067 CVE-2011-0712 CVE-2011-1020 CVE-2011-1768
CVE-2011-2213 CVE-2011-2484 CVE-2011-2491 CVE-2011-2492 CVE-2011-2495
CVE-2011-2496 CVE-2011-2497 CVE-2011-2525 CVE-2011-2928 CVE-2011-3188
CVE-2011-3191

Systems running Debian 5.0 Lenny can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2310-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 5.0 Lenny
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2213: Denial of service in inet_diag_bc_audit.

A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to
cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)
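The C program below is an added illustration of this failure class, not Ksplice's or the Linux kernel's code: a filter-bytecode auditor that advances by a caller-supplied "yes" offset without checking that the offset is non-zero, aligned and within the buffer, so a single op carrying yes = 0 re-reads itself forever. The op layout, the opcode set, the SPIN_LIMIT guard and the encode_ops/run_demo helpers are simplifications assumed for the example; the real inet_diag bytecode and its fix differ in detail.

```c
/* Added illustration of CVE-2011-2213's failure class; not Ksplice's
 * or the kernel's code. Op layout, opcodes and helper names are
 * assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 4-byte filter op: opcode, forward step if the test holds ('yes'),
 * forward step if it does not ('no'). The peer supplies these bytes. */
struct bc_op {
    uint8_t  code;
    uint8_t  yes;
    uint16_t no;
};

enum { OP_NOP = 0, OP_MAX_CODE = 0 };
#define ERR_INVAL  (-22)   /* -EINVAL */
#define SPIN_LIMIT 1000    /* demo-only guard so the program cannot hang */

/* Vulnerable auditor: trusts op.yes as the step size. Returns 0 if the
 * program is accepted, ERR_INVAL if rejected, -1 if SPIN_LIMIT
 * iterations passed without progress (a real kernel had no guard and
 * simply never returned to the calling process). */
int audit_vulnerable(const uint8_t *bc, int len)
{
    int iters = 0;
    while (len > 0) {
        struct bc_op op;
        if (len < (int)sizeof op)
            return ERR_INVAL;
        memcpy(&op, bc, sizeof op);
        if (op.code > OP_MAX_CODE)
            return ERR_INVAL;
        if (++iters > SPIN_LIMIT)
            return -1;          /* yes == 0: same op, forever */
        bc  += op.yes;
        len -= op.yes;
    }
    return 0;
}

/* Hardened auditor: a step must be at least one op long, 4-byte
 * aligned and must not leave the buffer, so every iteration consumes
 * input and the loop is guaranteed to terminate. */
int audit_hardened(const uint8_t *bc, int len)
{
    while (len > 0) {
        struct bc_op op;
        if (len < (int)sizeof op)
            return ERR_INVAL;
        memcpy(&op, bc, sizeof op);
        if (op.code > OP_MAX_CODE)
            return ERR_INVAL;
        if (op.yes < (int)sizeof op || (op.yes & 3) || op.yes > len)
            return ERR_INVAL;
        if (op.no < (int)sizeof op || (op.no & 3) || op.no > len)
            return ERR_INVAL;
        bc  += op.yes;
        len -= op.yes;
    }
    return 0;
}

/* Serialise ops into the byte form an auditor sees (host byte order). */
int encode_ops(uint8_t *out, size_t cap, const struct bc_op *ops, size_t n)
{
    if (n * sizeof *ops > cap)
        return ERR_INVAL;
    for (size_t i = 0; i < n; i++)
        memcpy(out + i * sizeof *ops, &ops[i], sizeof *ops);
    return (int)(n * sizeof *ops);
}

/* Runs one auditor over a constructed two-op program. With zero_step
 * set, the first op carries yes = 0, the non-advancing case. */
int run_demo(int hardened, int zero_step)
{
    struct bc_op ops[2] = { { OP_NOP, 4, 4 }, { OP_NOP, 4, 4 } };
    uint8_t prog[sizeof ops];
    int len;

    if (zero_step)
        ops[0].yes = 0;
    len = encode_ops(prog, sizeof prog, ops, 2);
    return hardened ? audit_hardened(prog, len) : audit_vulnerable(prog, len);
}

int main(void)
{
    printf("well-formed: vulnerable=%d hardened=%d\n", run_demo(0, 0), run_demo(1, 0));
    printf("yes=0 op:    vulnerable=%d hardened=%d\n", run_demo(0, 1), run_demo(1, 1));
    return 0;
}
```

The check that matters is the one on the step size: once every accepted op is guaranteed to consume at least sizeof(op) bytes, the remaining length strictly decreases and the audit cannot be made to spin by an unprivileged caller.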


* CVE-2011-2492: Information leak in Bluetooth implementation.

Structure padding in two structures in the Bluetooth implementation was
not initialized properly before being copied to user-space, possibly
allowing local, unprivileged users to leak kernel stack memory to
user-space. (CVE-2011-2492, Low)
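The C program below is an added illustration of the uninitialised-padding leak class, not Ksplice's or the kernel's code. struct opt_reply, the 0xAA marker standing in for stale kernel stack contents, and copy_to_user_sim are assumptions made for the example; it shows why assigning every named field of a structure is not enough when the whole object is copied out.

```c
/* Added illustration of the uninitialised-padding leak class behind
 * CVE-2011-2492; not Ksplice's or the kernel's code. struct opt_reply,
 * the 0xAA stale-stack marker and copy_to_user_sim are assumptions
 * made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A getsockopt-style reply: a 1-byte field followed by a 4-byte field,
 * so the compiler inserts padding bytes after 'flags'. */
struct opt_reply {
    uint8_t  flags;
    uint32_t mtu;
};

/* The struct shares storage with a byte view so the example can
 * pre-fill its memory with a marker standing in for stale kernel
 * stack contents (the remains of earlier kernel work). */
union reply_slot {
    struct opt_reply r;
    uint8_t raw[sizeof(struct opt_reply)];
};

#define STALE_BYTE 0xAA

/* Padding the ABI adds to struct opt_reply (3 on x86-64 and arm64). */
size_t padding_bytes(void)
{
    return sizeof(struct opt_reply) - (sizeof(uint8_t) + sizeof(uint32_t));
}

/* Stand-in for copy_to_user(): raw bytes of the object go to the caller. */
static void copy_to_user_sim(uint8_t *user, const void *kernel, size_t n)
{
    memcpy(user, kernel, n);
}

/* How many bytes of the user-space copy still hold the stale marker. */
static size_t count_stale(const uint8_t *buf, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Vulnerable pattern: only the named fields are assigned, then the
 * whole object, padding included, is copied to user space. */
size_t vulnerable_leak_bytes(void)
{
    union reply_slot slot;
    uint8_t user[sizeof slot.r];

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* stale stack */
    slot.r.flags = 0x01;
    slot.r.mtu   = 672;
    copy_to_user_sim(user, &slot.r, sizeof slot.r);
    return count_stale(user, sizeof user);
}

/* Fixed pattern: clear the whole object before filling it in, so the
 * padding bytes carry zeros rather than leftover kernel data. */
size_t hardened_leak_bytes(void)
{
    union reply_slot slot;
    uint8_t user[sizeof slot.r];

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* same stale stack */
    memset(&slot.r, 0, sizeof slot.r);               /* the fix */
    slot.r.flags = 0x01;
    slot.r.mtu   = 672;
    copy_to_user_sim(user, &slot.r, sizeof slot.r);
    return count_stale(user, sizeof user);
}

int main(void)
{
    printf("padding bytes: %zu\n", padding_bytes());
    printf("leaked without memset: %zu, with memset: %zu\n",
           vulnerable_leak_bytes(), hardened_leak_bytes());
    return 0;
}
```

memset() over the whole object is the reliable form of the fix: the C standard does not promise that an aggregate initialiser such as "= { 0 }" zeroes padding, and a struct assigned field by field never touches it.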


* CVE-2011-0712: Buffer overflows in caiaq driver.

The caiaq USB audio driver copied the device name reported by the
hardware into fixed-size buffers without checking its length.  An
attacker with physical access could attach a device reporting an
overlong name to overflow those buffers and potentially gain elevated
privileges.


* CVE-2011-2484: Denial of service in taskstats subsystem.

The add_del_listener function in kernel/taskstats.c in the Linux kernel
did not prevent multiple registrations of exit handlers, which allowed
local users to cause a denial of service (memory and CPU consumption),
and bypass the OOM Killer, via a crafted application.


* CVE-2011-2491: Denial of service in NFS Lock Manager.

A flaw in the Linux kernel's client-side NFS Lock Manager (NLM)
implementation could allow a local, unprivileged user to cause a denial of
service. (CVE-2011-2491, Important)


* CVE-2011-2496: Local denial of service in mremap().

Robert Swiecki discovered that mremap() could be abused for local denial of
service by triggering a BUG_ON assert.


* CVE-2011-2497: Remote heap corruption in Bluetooth L2CAP.

A remote attacker could send a malformed L2CAP configuration request
whose length is smaller than the fixed request body.  The computed
option length then underflowed, and the following copy corrupted the
heap, resulting in a denial of service.


* CVE-2011-2525: Denial of Service in packet scheduler API

A flaw allowed the tc_fill_qdisc() function in the Linux kernel's
packet scheduler API implementation to be called on built-in qdisc
structures.  A local, unprivileged user could use this flaw to trigger
a NULL pointer dereference, resulting in a denial of service.
(CVE-2011-2525, Moderate)


* CVE-2009-4067: Buffer overflow in Auerswald USB driver.

A buffer overflow flaw was found in the Linux kernel's Auerswald
PBX/System Telephone USB driver implementation.  A physically
proximate attacker with a crafted USB device could trigger it.


* CVE-2011-1020: Missing access restrictions in /proc subsystem.

The proc filesystem implementation did not restrict access to the
/proc directory tree of a process after that process had executed a
setuid program, which allowed local users to obtain sensitive
information or potentially cause other integrity issues.


* CVE-2011-2928: Local denial of service in Be filesystem.

The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel
before 3.1-rc3 does not validate the length attribute of long symlinks,
which allows local users to cause a denial of service (incorrect pointer
dereference and OOPS) by accessing a long symlink on a malformed Be
filesystem.


* CVE-2011-3191: Memory corruption in CIFS.

A malicious CIFS server could overflow a signed integer value, causing a
memcpy() to scribble over a large amount of memory.
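This CIFS bug and the L2CAP configuration-request bug above (CVE-2011-2497) are the same mistake seen from opposite sides of the integer: a length derived from peer-controlled input is handed to memcpy() without first being checked against the fixed-size destination. The C program below is an added illustration of both shapes, not Ksplice's or the kernel's code. The message layouts, CONF_REQ_BODY, the 64-byte toy heap with its canary, and the clamp inside copy_and_check (present only so the demonstration itself stays memory-safe) are assumptions made for the example.

```c
/* Added illustration of the length-check failures behind CVE-2011-2497
 * (unsigned underflow) and CVE-2011-3191 (signed length to memcpy);
 * not Ksplice's or the kernel's code. Layouts, constants and the toy
 * heap are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ERR_INVAL (-22)   /* -EINVAL */
#define CANARY    0xC5

/* Toy heap: the copy destination followed by a neighbouring object.
 * In a real allocator another kernel object sits where 'neighbour' is. */
struct heap_model {
    uint8_t target[32];
    uint8_t neighbour[32];
};

static struct heap_model heap;
static const uint8_t payload[sizeof heap] = { 0 };   /* peer-supplied bytes */

/* memcpy 'len' bytes into heap.target and report whether the neighbour
 * was overwritten (1) or left intact (0). The clamp exists only so the
 * demo cannot write outside 'heap'; the real code had no such limit. */
static int copy_and_check(size_t len)
{
    memset(&heap, CANARY, sizeof heap);
    if (len > sizeof heap)
        len = sizeof heap;            /* demo clamp only */
    memcpy(heap.target, payload, len);
    for (size_t i = 0; i < sizeof heap.neighbour; i++)
        if (heap.neighbour[i] != CANARY)
            return 1;
    return 0;
}

/* ---- CVE-2011-2497 shape: unsigned underflow ----------------------- */
/* The config request has a fixed 4-byte body; everything after it in
 * the command is option data. cmd_len arrives straight from the peer. */
#define CONF_REQ_BODY 4

/* Vulnerable: the subtraction wraps when cmd_len < CONF_REQ_BODY. */
int l2cap_conf_vulnerable(uint16_t cmd_len)
{
    uint16_t optlen = cmd_len - CONF_REQ_BODY;   /* 2 - 4 -> 65534 */
    return copy_and_check(optlen);
}

/* Fixed: reject short commands before subtracting, and make sure the
 * remainder fits the destination. */
int l2cap_conf_hardened(uint16_t cmd_len)
{
    if (cmd_len < CONF_REQ_BODY)
        return ERR_INVAL;
    uint16_t optlen = cmd_len - CONF_REQ_BODY;
    if (optlen > sizeof heap.target)
        return ERR_INVAL;
    return copy_and_check(optlen);
}

/* ---- CVE-2011-3191 shape: signed length handed to memcpy ----------- */
/* The server's response carries a name length as a signed 32-bit value. */

/* Vulnerable: a negative length converts to a huge size_t. */
int cifs_name_vulnerable(int32_t name_len)
{
    return copy_and_check((size_t)name_len);     /* -1 -> SIZE_MAX */
}

/* Fixed: reject negative values and anything larger than the buffer. */
int cifs_name_hardened(int32_t name_len)
{
    if (name_len < 0 || (size_t)name_len > sizeof heap.target)
        return ERR_INVAL;
    return copy_and_check((size_t)name_len);
}

int main(void)
{
    printf("l2cap cmd_len=2:  vulnerable=%d hardened=%d\n",
           l2cap_conf_vulnerable(2), l2cap_conf_hardened(2));
    printf("cifs name_len=-1: vulnerable=%d hardened=%d\n",
           cifs_name_vulnerable(-1), cifs_name_hardened(-1));
    return 0;
}
```

In both hardened variants the length is validated in its original type, before any subtraction or cast, and compared against the destination size rather than against the source; that ordering is what keeps a wrapped or sign-converted value from ever reaching memcpy().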


* CVE-2011-2495: Information leak in /proc/PID/io.

/proc/[PID]/io is world-readable by default. Previously, these files
could be read without any further restrictions.  A local, unprivileged
user could read these files, belonging to other, possibly privileged
processes to gather confidential information, such as the length of a
password used in a process. (CVE-2011-2495, Low)


* CVE-2011-3188: Weak TCP sequence number generation.

Dan Kaminsky reported a weakness of the sequence number generation in
the TCP protocol implementation. This can be used by remote attackers
to inject packets into an active session.


* Improved fix for CVE-2011-1768.

Debian's original fix for CVE-2011-1768 had a bug which could cause
the system to crash when loading the ip6_tunnel module.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



