===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2015.2806.2
                           linux security update
                             11 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7990 CVE-2015-7872 CVE-2015-7833
                   CVE-2015-6937 CVE-2015-5307

Reference:         ESB-2015.2460

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3396

Comment: This advisory references vulnerabilities in the Linux kernel that
         also affect distributions other than Debian. It is recommended
         that administrators running Linux check for an updated version of
         the kernel for their system.

Revision History:  November 11 2015: Added "Linux" tag to affected
                                     operating systems list
                   November 11 2015: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3396-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 10, 2015                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2015-5307 CVE-2015-7833 CVE-2015-7872 CVE-2015-7990

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service.

CVE-2015-5307

    Ben Serebrin from Google discovered a guest to host denial of
    service flaw affecting the KVM hypervisor. A malicious guest can
    trigger an infinite stream of "alignment check" (#AC) exceptions
    causing the processor microcode to enter an infinite loop where the
    core never receives another interrupt. This leads to a panic of the
    host kernel.

CVE-2015-7833

    Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a
    flaw in the processing of certain USB device descriptors in the
    usbvision driver. An attacker with physical access to the system can
    use this flaw to crash the system.

CVE-2015-7872

    Dmitry Vyukov discovered a vulnerability in the keyrings garbage
    collector allowing a local user to trigger a kernel panic.

CVE-2015-7990

    It was discovered that the fix for CVE-2015-6937 was incomplete. A
    race condition when sending a message on an unbound socket can still
    cause a NULL pointer dereference. A remote attacker might be able to
    cause a denial of service (crash) by sending a crafted packet.

For the oldstable distribution (wheezy), these problems have been fixed
in version 3.2.68-1+deb7u6.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt11-1+deb8u6.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================