Lucene search

K
osvGoogleOSV:DLA-360-1
HistoryDec 08, 2015 - 12:00 a.m.

linux-2.6 - security update

2015-12-0800:00:00
Google
osv.dev
13

5.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

5.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:P/I:P/A:C

This update fixes the CVEs described below.

  • CVE-2013-7446
    Dmitry Vyukov discovered that a particular sequence of valid
    operations on local (AF_UNIX) sockets can result in a
    use-after-free. This may be used to cause a denial of service
    (crash) or possibly for privilege escalation.
  • CVE-2015-7799
    郭永刚 discovered that a user granted access to /dev/ppp can cause
    a denial of service (crash) by passing invalid parameters to the
    PPPIOCSMAXCID ioctl. This also applies to ISDN PPP device nodes.
  • CVE-2015-7833
    Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a
    flaw in the processing of certain USB device descriptors in the
    usbvision driver. An attacker with physical access to the system can
    use this flaw to crash the system.
  • CVE-2015-7990
    It was discovered that the fix for CVE-2015-6937 was incomplete. A
    race condition when sending a message on unbound socket can still
    cause a NULL pointer dereference. A remote attacker might be able to
    cause a denial of service (crash) by sending a crafted packet.
  • CVE-2015-8324
    Valintinr reported that an attempt to mount a corrupted ext4
    filesystem may result in a kernel panic. A user permitted to
    mount filesystems could use this flaw to crash the system.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.6.32-48squeeze17. We recommend that you upgrade your
linux-2.6 packages.

For the oldstable (wheezy) and stable (jessie) distributions,
CVE-2015-7833, CVE-2015-7990 and CVE-2015-8324 have been fixed and the
other issues will be fixed soon.

5.8 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

5.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:P/I:P/A:C

Related for OSV:DLA-360-1