Lucene search

GoogleOSV:DLA-0015-1

HistoryJul 12, 2014 - 12:00 a.m.

linux-2.6 - security update

2014-07-1200:00:00

Google

osv.dev

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

JSON

This update fixes several remote and local denial of service attacks and other
issues:

CVE-2013-4387:

ipv6: udp packets following an UFO enqueued packet need
also be handled by UFO to prevent remote attackers to cause a denial of
service
(memory corruption and system crash) or possibly have unspecified other impact
via network traffic that triggers a large response packet.

CVE-2013-4470:

inet: fix possible memory corruption with UDP_CORK and UFO to
prevent local users to cause a denial of service (memory corruption and system
crash) or possibly gain privileges via a crafted application.

CVE-2014-0203:

fix autofs/afs/etc. magic mountpoint breakage, preventing
denial
of service attacks by local users.

CVE-2014-2678:

rds: prevent dereference of a NULL device in rds_iw_laddr_check
to prevent local denial of service attacks (system crash or possibly have
unspecified other impact).

CVE-2014-3122
: Incorrect locking of memory can result in local denial of
service.
CVE-2014-3144
/ CVE-2014-3145: A local user can cause a denial of service
(system crash) via crafted BPF instructions.
CVE-2014-3917:

auditsc: audit_krule mask accesses need bounds checking to
prevent a local denial of service attack (OOPS) or possibly leaking sensitive
single-bit
values from kernel memory.

CVE-2014-4652:

ALSA: control: Protect user controls against concurrent access,
resulting in a race condition, possibly allowing local users access to
sensitive
information from kernel memory.

CVE-2014-4656:

ALSA: control: Make sure that id->index does not overflow, to
prevent a denial of service of the sound system by local users.

CVE-2014-4667:

sctp: Fix sk_ack_backlog wrap-around problem, preventing denial
of service (socket outage) via a crafted SCTP packet by remote attackers.

CVE-2014-4699:

Andy Lutomirski discovered that the ptrace syscall was not
verifying the RIP register to be valid in the ptrace API on x86_64 processors.
An unprivileged user could use this flaw to crash the kernel (resulting in
denial of service) or for privilege escalation.

For Debian 6 Squeeze, these issues have been fixed in linux-2.6 version 2.6.32-48squeeze8

CPENameOperatorVersion
linux-2.6eq2.6.32-48
linux-2.6eq2.6.32-30
linux-2.6eq2.6.32-39
linux-2.6eq2.6.32-32
linux-2.6eq2.6.32-41squeeze2
linux-2.6eq2.6.32-41
linux-2.6eq2.6.32-43
linux-2.6eq2.6.32-44
linux-2.6eq2.6.32-36
linux-2.6eq2.6.32-48squeeze4

Name	Operator	Version
linux-2.6	eq	2.6.32-48
linux-2.6	eq	2.6.32-30
linux-2.6	eq	2.6.32-39
linux-2.6	eq	2.6.32-32
linux-2.6	eq	2.6.32-41squeeze2
linux-2.6	eq	2.6.32-41
linux-2.6	eq	2.6.32-43
linux-2.6	eq	2.6.32-44
linux-2.6	eq	2.6.32-36
linux-2.6	eq	2.6.32-48squeeze4