The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5050 advisory.

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation,     denial of service or information leaks. CVE-2021-4155 Kirill Tkhai discovered a data leak in the way the     XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for a size increase of files with unaligned size. A     local attacker can take advantage of this flaw to leak data on the XFS filesystem. CVE-2021-28711,     CVE-2021-28712, CVE-2021-28713 (XSA-391) Juergen Gross reported that malicious PV backends can cause a     denial of service to guests being serviced by those backends via high frequency events, even if those     backends are running in a less privileged environment. CVE-2021-28714, CVE-2021-28715 (XSA-392) Juergen     Gross discovered that Xen guests can force the Linux netback driver to hog large amounts of kernel memory,     resulting in denial of service. CVE-2021-39685 Szymon Heidrich discovered a buffer overflow vulnerability     in the USB gadget subsystem, resulting in information disclosure, denial of service or privilege     escalation. CVE-2021-45095 It was discovered that the Phone Network protocol (PhoNet) driver has a     reference count leak in the pep_sock_accept() function. CVE-2021-45469 Wenqing Liu reported an out-of-     bounds memory access in the f2fs implementation if an inode has an invalid last xattr entry. An attacker     able to mount a specially crafted image can take advantage of this flaw for denial of service.
    CVE-2021-45480 A memory leak flaw was discovered in the __rds_conn_create() function in the RDS (Reliable     Datagram Sockets) protocol subsystem. CVE-2022-0185 William Liu, Jamie Hill-Daniel, Isaac Badipe, Alec     Petridis, Hrvoje Misetic and Philip Papurt discovered a heap-based buffer overflow flaw in the     legacy_parse_param function in the Filesystem Context functionality, allowing an local user (with     CAP_SYS_ADMIN capability in the current namespace) to escalate privileges. CVE-2022-23222 tr3e discovered     that the BPF verifier does not properly restrict several *_OR_NULL pointer types allowing these types to     do pointer arithmetic. A local user with the ability to call bpf(), can take advantage of this flaw to     excalate privileges. Unprivileged calls to bpf() are disabled by default in Debian, mitigating this flaw.
    For the stable distribution (bullseye), these problems have been fixed in version 5.10.92-1. This version     includes changes which were aimed to land in the next Debian bullseye point release. We recommend that you     upgrade your linux packages. For the detailed security status of linux please refer to its security     tracker page at: https://security-tracker.debian.org/tracker/linux

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DSA-5050-1 : linux - security update

high Nessus Plugin ID 156950

Version 1.8

Version 1.7

Version 1.6

Version 1.5

Version 1.8 Jan 24, 2025, 9:25 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202501242125
Version 1.7 Aug 21, 2024, 9:41 PM CISA reference Plugin Feed: 202408212141
Version 1.6 Mar 27, 2024, 7:16 PM Detection (Debian kernel vulns will now be evaluated against the running kernel version instead of the highest installed version) Plugin Feed: 202403271916
Version 1.5 Jan 16, 2023, 2:08 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit framework core" set to "True") Plugin Feed: 202301161408