Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0283 linux-2.6 security update 27 February 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux-2.6 Publisher: Debian Operating System: Debian GNU/Linux 6 Linux variants Impact/Access: Increased Privileges -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2013-0871 CVE-2013-0231 Original Bulletin: http://www.debian.org/security/2013/dsa-2632 Comment: This advisory references vulnerabilities in the Linux kernel that also affect distributions other than Debian. It is recommended that administrators running Linux check for an updated version of the kernel for their system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ---------------------------------------------------------------------- Debian Security Advisory DSA-2632-1 security@debian.org http://www.debian.org/security/ Dann Frazier February 25, 2013 http://www.debian.org/security/faq - - ---------------------------------------------------------------------- Package : linux-2.6 Vulnerability : privilege escalation/denial of service Problem type : local Debian-specific: no CVE Id(s) : CVE-2013-0231 CVE-2013-0871 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-0231 Jan Beulich provided a fix for an issue in the Xen PCI backend drivers. Users of guests on a system using passed-through PCI devices can create a denial of service of the host system due to the use of non-ratelimited kernel log messages. CVE-2013-0871 Suleiman Souhlal and Salman Qazi of Google, with help from Aaron Durbin and Michael Davidson of Google, discovered an issue in the ptrace subsystem. Due to a race condition with PTRACE_SETREGS, local users can cause kernel stack corruption and execution of arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 2.6.32-48squeeze1. The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update: Debian 6.0 (squeeze) user-mode-linux 2.6.32-1um-4+48squeeze1 We recommend that you upgrade your linux-2.6 and user-mode-linux packages. Thanks to Micah Anderson for proof reading this text. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJRLBVjAAoJEBv4PF5U/IZAu4kP/jZv5pYzgQxM89D3a2GKaaSk qZV9IHYItKaX2rWURo0vjilp0WZVASCgPX9YB3J+oTxZeMboeRVVllLIwW2L+V0B zGeQeCZM6YJmc32sGRX+8JNjdeLioDK0vTSzwhUVVJHgO7mYCuWxn8nv2edyyYYL M0qjAuwZQMuGuDeF8vH5Ef2wNibZeMavqq33OQWr7Yi32hNJdgSzojwQ4lSv81U1 YR+lMJFLnPL9BMUY4kNrGJ4eYxr5rpI4FKEItp0zPsOaskU7zIiV0oWOthUM7sk3 ljagXj/3w/a6dUqH3anAYEB7gU1wwQmHwtbQTnBGnFVgTY+P26FVWq3XEy80Fb0u K2f5OHi6ChGFXRZmprhjRq/LxlkFLWO/YUtEFpudu2qTesSq9FXRQzfRWD1FLTxS +t6RbyAEKpCdakVGjIM7zzEo6XzVC5iZBWa15c8rthuJmJtC9zvwEQTx4pVnxwNo aCqih+BbmJCZWPjDV4Csw61oRh9bDHZrvGqyw1aPrZmefeJ0VvGiwRE9Hf607Aby 2fenrRULteAvZfASZx7IuFaoXT90MKRJMb+Ha2pUyG5dt6t1xU2IQf/NZ+ib/8nl R1LxICNeHbSkcesbtWVfs11zE88FYikK/h2ZbCtF6jalUSQvIpLFDmYpKRlChUQA 4WsJP7RDW9NNCcsAwuxG =7Aaz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUS1ueu4yVqjM2NGpAQIUtBAAhQMuyOUPSliv68GRp4LZlTmQRg71JVf3 kPrTwvHDqfEkW0wQJjOg2bYJbPvG1aWIh5902eKrNhkuZ9wpWJNGCJfiaEy2WaCk xmXdAjt4p6VwQr4FDfn2WDKPS+3/B47Ix7+iv9oRwP4CCA+BvCB9jjuLxHy+J+qQ UKQVJLdCbzP2vvkplskCxcjoX+ViJeuUKCfTGQ0t+/MaM17nDVZeesZW4Q/XNejA DEdMRwY9GAjxkCoMTd8+vA35nE+rluFbCi95Ayr++mGLhxRS88+56WRfCkcHHTuR 6KJMBVEB6uEGlyMZKASW8yFjlzSOyO1SruEifwXLlrXG5LUEKU+IDLBPWsUS2yBY L2NOb3GwEqXeLzX4hZZ9whtS5uU/v0u4v6cg7GYU4/kHNBJiM5VFHq0lx/nvx0Uf fwiiucg6JAX4o0FiFqvTWKE5RaAhQFCR5muix9G8ddndayzFZOEpvQjIvmc/Y/gb D1smoanp1RBwTcYtfF+IXTQs1EXbGhAMhbLdbl6iOyuSDoyFqS71Wv2oQQDRojIR fgNwTcTh8PQAU+d1SWRHKx5bLikEhknDnm90mp0qkgNCdZ+Lc6yNWICxqCLmZ03J R8mIWhZLbYTK7AcyrYLhdGwuszRvo9mi3tUMjvLbD5/EJLwClYPdCW6Dc6eD5/c3 U2UzcupoSBg= =XyeM -----END PGP SIGNATURE-----