linux-2.6 - security update


This update fixes the CVEs described below.

* [CVE-2015-8812](https://security-tracker.debian.org/tracker/CVE-2015-8812) A flaw was found in the iw\_cxgb3 Infiniband driver. Whenever it could not send a packet because the network was congested, it would free the packet buffer but later attempt to send the packet again. This use-after-free could result in a denial of service (crash or hang), data loss or privilege escalation.
* [CVE-2016-0774](https://security-tracker.debian.org/tracker/CVE-2016-0774) It was found that the fix for [CVE-2015-1805](https://security-tracker.debian.org/tracker/CVE-2015-1805) in kernel versions older than Linux 3.16 did not correctly handle the case of a partially failed atomic read. A local, unprivileged user could use this flaw to crash the system or leak kernel memory to user space.
* [CVE-2016-2384](https://security-tracker.debian.org/tracker/CVE-2016-2384) Andrey Konovalov found that a USB MIDI device with an invalid USB descriptor could trigger a double-free. This may be used by a physically present user for privilege escalation.

Additionally, it fixes some old security issues with no CVE ID:

Several kernel APIs permitted reading or writing 2 GiB of data or more in a single chunk, which could lead to an integer overflow when applied to certain filesystems, socket or device types. The full security impact has not been evaluated.

Finally, it fixes a regression in 2.6.32-48squeeze17 that would cause Samba to hang in some situations.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze20. This is \*really\* the final update to the linux-2.6 package for squeeze.

For the oldstable distribution (wheezy), the kernel was not affected by the integer overflow issues and the remaining problems will be fixed in version 3.2.73-2+deb7u3.

For the stable distribution (jessie), the kernel was not affected by the integer overflow issues or [CVE-2016-0774](https://security-tracker.debian.org/tracker/CVE-2016-0774), and the remaining problems will be fixed in version 3.16.7-ckt20-1+deb8u4.

Affected Software

CPE Name Name Version
linux-2.6 2.6.32-48squeeze16
linux-2.6 2.6.32-48
linux-2.6 2.6.32-30
linux-2.6 2.6.32-48squeeze10
linux-2.6 2.6.32-39
linux-2.6 2.6.32-32
linux-2.6 2.6.32-41squeeze2
linux-2.6 2.6.32-41
linux-2.6 2.6.32-43
linux-2.6 2.6.32-48squeeze13
linux-2.6 2.6.32-44
linux-2.6 2.6.32-36
linux-2.6 2.6.32-48squeeze14
linux-2.6 2.6.32-48squeeze4
linux-2.6 2.6.32-38
linux-2.6 2.6.32-47
linux-2.6 2.6.32-48squeeze17
linux-2.6 2.6.32-40
linux-2.6 2.6.32-48squeeze5
linux-2.6 2.6.32-48squeeze19
linux-2.6 2.6.32-48squeeze11
linux-2.6 2.6.32-46
linux-2.6 2.6.32-48squeeze18
linux-2.6 2.6.32-48squeeze9
linux-2.6 2.6.32-34
linux-2.6 2.6.32-35squeeze1
linux-2.6 2.6.32-45
linux-2.6 2.6.32-35
linux-2.6 2.6.32-48squeeze1
linux-2.6 2.6.32-46squeeze1
linux-2.6 2.6.32-39squeeze1
linux-2.6 2.6.32-48squeeze3
linux-2.6 2.6.32-35~bpo50+1
linux-2.6 2.6.32-48squeeze6
linux-2.6 2.6.32-34squeeze1
linux-2.6 2.6.32-35squeeze2
linux-2.6 2.6.32-31~bpo50+1
linux-2.6 2.6.32-31
linux-2.6 2.6.32-37
linux-2.6 2.6.32-33
linux-2.6 2.6.32-48squeeze7
linux-2.6 2.6.32-48squeeze8
linux-2.6 2.6.32-48squeeze12
linux-2.6 2.6.32-30+m68k.5
linux-2.6 2.6.32-42