===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0137
                           linux security update
                              20 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Android
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0728 CVE-2016-0723 CVE-2015-8767
                   CVE-2015-7566 CVE-2013-4312

Original Bulletin:
   http://www.debian.org/security/2016/dsa-3448

Comment: This advisory references vulnerabilities in the Linux kernel that
         also affect distributions other than Debian. It is recommended
         that administrators running Linux check for an updated version
         of the kernel for their system.

         AusCERT has received reports of publicly available proof of
         concept code.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3448-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 19, 2016                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
                 CVE-2016-0728

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial-of-service.

CVE-2013-4312

    Tetsuo Handa discovered that it is possible for a process to open
    far more files than the process' limit leading to denial-of-service
    conditions.

CVE-2015-7566

    Ralf Spenneberg of OpenSource Security reported that the visor
    driver crashes when a specially crafted USB device without bulk-out
    endpoint is detected.

CVE-2015-8767

    An SCTP denial-of-service was discovered which can be triggered by a
    local attacker during a heartbeat timeout event after the 4-way
    handshake.

CVE-2016-0723

    A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
    A local attacker could use this flaw for denial-of-service.

CVE-2016-0728

    The Perception Point research team discovered a use-after-free
    vulnerability in the keyring facility, possibly leading to local
    privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt20-1+deb8u3.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================