Lucene search

K
debianDebianDEBIAN:DLA-412-1:99076
HistoryFeb 06, 2016 - 3:28 p.m.

[SECURITY] [DLA 412-1] linux-2.6 security update

2016-02-0615:28:33
lists.debian.org
34

7.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

4.4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.1%

Package        : linux-2.6
Version        : 2.6.32-48squeeze19
CVE ID         : CVE-2015-7566 CVE-2015-8767 CVE-2015-8785 CVE-2016-0723 
                 CVE-2016-2069

This update fixes the CVEs described below.

CVE-2015-7566

Ralf Spenneberg of OpenSource Security reported that the visor
    driver crashes when a specially crafted USB device without bulk-out
    endpoint is detected.

CVE-2015-8767

An SCTP denial-of-service was discovered which can be triggered by a
    local attacker during a heartbeat timeout event after the 4-way
    handshake.

CVE-2015-8785

It was discovered that local users permitted to write to a file on
    a FUSE filesystem could cause a denial of service (unkillable loop
    in the kernel).

CVE-2016-0723

A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
    A local attacker could use this flaw for denial-of-service.

CVE-2016-2069

Andy Lutomirski discovered a race condition in flushing of the TLB
    when switching tasks.  On an SMP system this could possibly lead to
    a crash, information leak or privilege escalation.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.6.32-48squeeze19.  Additionally, this version
includes upstream stable update 2.6.32.70.  This is the final update
to the linux-2.6 package for squeeze.

For the oldstable distribution (wheezy), these problems will be fixed
soon.

For the stable distribution (jessie), CVE-2015-7566, CVE-2015-8767 and
CVE-2016-0723 were fixed in linux version 3.16.7-ckt20-1+deb8u3 and
the remaining problems will be fixed soon.


Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

7.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

4.4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.1%