Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0137
linux security update
20 January 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kernel
Publisher: Debian
Operating System: Debian GNU/Linux 8
Linux variants
Android
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-0728 CVE-2016-0723 CVE-2015-8767
CVE-2015-7566 CVE-2013-4312
Original Bulletin:
http://www.debian.org/security/2016/dsa-3448
Comment: This advisory references vulnerabilities in the Linux kernel that
also affect distributions other than Debian. It is recommended that
administrators running Linux check for an updated version of the
kernel for their system.
AusCERT has received reports of publicly available proof of concept
code.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3448-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 19, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
CVE-2016-0728
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial-of-service.
CVE-2013-4312
Tetsuo Handa discovered that it is possible for a process to open
far more files than the process' limit leading to denial-of-service
conditions.
CVE-2015-7566
Ralf Spenneberg of OpenSource Security reported that the visor
driver crashes when a specially crafted USB device without bulk-out
endpoint is detected.
CVE-2015-8767
An SCTP denial-of-service was discovered which can be triggered by a
local attacker during a heartbeat timeout event after the 4-way
handshake.
CVE-2016-0723
A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
A local attacker could use this flaw for denial-of-service.
CVE-2016-0728
The Perception Point research team discovered a use-after-free
vulnerability in the keyring facility, possibly leading to local
privilege escalation.
For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt20-1+deb8u3.
We recommend that you upgrade your linux packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWni1mAAoJEAVMuPMTQ89EYvkP/Rmqrwxv1M+z4qj3OmfF81Q+
zj5Kd9nrvolH/asFac3URBHurSQby3JRgwxtqJuTrc68xBn147CQWaDM5nU9/HBi
Dt3eceDxsGBo9W8FJEpE6Yk4a3NyNiEOnT7gLFfSjFkmyGr3a6+7b1VPAEcsDeBV
FbA40UhrDnZYoeqqBFOGqedzFBioSafd+AQOYNqCjNByNq5i3SxMgS3XCECrruUr
yGfR+0RD5EibvcUddzduuGOvjmaW+mPK6OTVir2f6AwJFdSOJEegkSZRkLeBJgYL
Lfk131dlJ6gwelAaGOJA9wAqSPVIFe9h+jFh2DTQ6q5Lrg5dchkibbb2eSuoqRO1
Fa1cXW33k8YSilTzvy7pO1Snrp2YhGKK3RPo5PNAsdmOiuzSkI9PUw+khz/TtJ9N
XSKmOGd3ZT3R81UuEiXTdJVzVsRS+jLpgQ2jjOlvDb5ldQgn9tirL36/isSRcM64
IGnJlLHxhzBv+GQyziVDy37ois2dYT3in6ls2tI7rHoYhaEyOwPyCn98/IJqPxea
SIeLGxStaaCGqgDaFqCJbRuAZGFqpwZLKSd9/HycA7jTJbfrdzD74eDFc8LvGYly
Il1vpT8Ekfxh9L4o+HkzVkme7dkYt5SmLGvN1euTUdjsuo87r3OwN0OKVhXrFoAV
qaetOmH+fJB1/jo9jPLH
=fylF
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVp7v5n6ZAP0PgtI9AQLZABAAsphid4Wo4kO2AB/zNL1SARmmZC/OvgCA
Lvp0HCO1gILpmai6QiVaBEx+pVogpF+eFC3ljkYP+B3B1jKOm250AfcRVjnhebEf
wDhMJJhRHKi7OEo4PTEHUp9PBz3suW4QkvkOaB98t8Myzw4qDewtZ2uQniuSk6T8
9WW+TZ9/lqcSXOk9BAyyEVCcqxOQHRyuqMVe+ni5rqtWBpfVQ7cBXfNx5YZ0yGjM
J/m+4UYFG2gFF1xsKsmMX7NVQYbw1hfY25YTsDPfYuc0EzcKYwV3XmdIYKwcP7GY
yQ0+XjNIBNT0z4wOiCPofGBfX3fdLJ34AwxDdYTOewmR4bdq9lRSmnfSPRonAB4E
cmYnZInycZA8IakdkNZVvE0g3nL0n3yb7e96HHLSPU7HZE+zYRT7MaPdOuQ1y8B3
bBOh6dX3G9oBd9f3CZCFTyh4H1ZX6L9zTYacLipAkH9l/TwK6GrVv3musctwRizZ
ZNLha/VeRUDrjSGHOwxp7+vmGTmhUY1zq3V46aHtQK1rmWJk+x6XZQynaUhssvbp
KeEY4ZowTrX5VvaPyvAvML9HlSTomEQAZXvRcE2bbpO8uXrR4ZCfDAam0cUTWQ7d
ugvac+9Cy3dT2F58zW6yQoqoAa8zsl5TqWXilGOVfF2zL6cFVIULkNOTA6YW+P8+
74Zj6+PppYU=
=rVKj
-----END PGP SIGNATURE-----