Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                         linux-4.9 security update
                              16 August 2018


        AusCERT Security Bulletin Summary

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13405 CVE-2018-5391 CVE-2018-5390

Reference:         ESB-2018.2355

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux-4.9
Version        : 4.9.110-3+deb9u2~deb8u1
CVE ID         : CVE-2018-5390 CVE-2018-5391 CVE-2018-13405
Debian Bug     : 893393 903122 903767 903776 903838 903914

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial of service.

CVE-2018-5390 (SegmentSmack)

    Juha-Matti Tilli discovered that a remote attacker can trigger the
    worst case code paths for TCP stream reassembly with low rates of
    specially crafted packets, leading to remote denial of service.

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker can take advantage of this flaw to trigger time and
    calculation expensive fragment reassembly algorithms by sending
    specially crafted packets, leading to remote denial of service.

    This is mitigated by reducing the default limits on memory usage
    for incomplete fragmented packets.  The same mitigation can be
    achieved without the need to reboot, by setting the sysctls:

    net.ipv4.ipfrag_high_thresh =3D 262144
    net.ipv6.ip6frag_high_thresh =3D 262144
    net.ipv4.ipfrag_low_thresh =3D 196608
    net.ipv6.ip6frag_low_thresh =3D 196608

    The default values may still be increased by local configuration
    if necessary.


    Jann Horn discovered that the inode_init_owner function in
    fs/inode.c in the Linux kernel allows local users to create files
    with an unintended group ownership allowing attackers to escalate
    privileges by making a plain file executable and SGID.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.110-3+deb9u2~deb8u1. This update includes fixes for several
regressions in the latest point release.

The earlier version 4.9.110-3+deb9u1~deb8u1 included all the above
fixes except for CVE-2018-5391, which may be mitigated as explained

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967