===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1665
                           linux security update
                                5 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Root Compromise          -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6130 CVE-2016-5829 CVE-2016-5828
                   CVE-2016-5728 CVE-2014-9904 

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3616

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running Linux kernel check for an updated version of the software 
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3616-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 04, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2014-9904 CVE-2016-5728 CVE-2016-5828 CVE-2016-5829
                 CVE-2016-6130
Debian Bug     : 828914

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2014-9904

    It was discovered that the snd_compress_check_input function used in
    the ALSA subsystem does not properly check for an integer overflow,
    allowing a local user to cause a denial of service.

CVE-2016-5728

    Pengfei Wang discovered a race condition in the MIC VOP driver that
    could allow a local user to obtain sensitive information from kernel
    memory or cause a denial of service.

CVE-2016-5828

    Cyril Bur and Michael Ellerman discovered a flaw in the handling of
    Transactional Memory on powerpc systems allowing a local user to
    cause a denial of service (kernel crash) or possibly have
    unspecified other impact, by starting a transaction, suspending it,
    and then calling any of the exec() class system calls.

CVE-2016-5829

    A heap-based buffer overflow vulnerability was found in the hiddev
    driver, allowing a local user to cause a denial of service or
    potentially escalate their privileges.

CVE-2016-6130

    Pengfei Wang discovered a flaw in the S/390 character device drivers
    potentially leading to an information leak with /dev/sclp.

Additionally, this update fixes a regression in the ebtables facility
(#828914) that was introduced in DSA-3607-1.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.7-ckt25-2+deb8u3.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================