Debian DLA-360-1 : linux-2.6 security update

medium Nessus Plugin ID 87265

Synopsis

The remote Debian host is missing a security update.

Description

This update fixes the CVEs described below.

CVE-2013-7446

Dmitry Vyukov discovered that a particular sequence of valid operations on local (AF_UNIX) sockets can result in a use-after-free.
This may be used to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2015-7799

郭永刚 discovered that a user granted access to /dev/ppp can cause a denial of service (crash) by passing invalid parameters to the PPPIOCSMAXCID ioctl. This also applies to ISDN PPP device nodes.

CVE-2015-7833

Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a flaw in the processing of certain USB device descriptors in the usbvision driver. An attacker with physical access to the system can use this flaw to crash the system.

CVE-2015-7990

It was discovered that the fix for CVE-2015-6937 was incomplete. A race condition when sending a message on unbound socket can still cause a NULL pointer dereference. A remote attacker might be able to cause a denial of service (crash) by sending a crafted packet.

CVE-2015-8324

'Valintinr' reported that an attempt to mount a corrupted ext4 filesystem may result in a kernel panic. A user permitted to mount filesystems could use this flaw to crash the system.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze17. We recommend that you upgrade your linux-2.6 packages.

For the oldstable (wheezy) and stable (jessie) distributions, CVE-2015-7833, CVE-2015-7990 and CVE-2015-8324 have been fixed and the other issues will be fixed soon.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2015/12/msg00002.html

https://packages.debian.org/source/squeeze-lts/linux-2.6

Plugin Details

Severity: Medium

ID: 87265

File Name: debian_DLA-360.nasl

Version: 2.11

Type: local

Agent: unix

Published: 12/9/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:C

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-openvz-amd64, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-486, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-xen, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-686-bigmem, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-xen-686, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-amd64, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-amd64, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-686-dbg, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-686, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-amd64, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-486, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-686, p-cpe:/a:debian:debian_linux:linux-doc-2.6.32, p-cpe:/a:debian:debian_linux:linux-patch-debian-2.6.32, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686-bigmem-dbg, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all-amd64, p-cpe:/a:debian:debian_linux:xen-linux-system-2.6.32-5-xen-686, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-amd64-dbg, p-cpe:/a:debian:debian_linux:linux-source-2.6.32, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-xen-amd64, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-amd64, cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all-i386, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-openvz, p-cpe:/a:debian:debian_linux:linux-libc-dev, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686-bigmem, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-amd64, p-cpe:/a:debian:debian_linux:linux-support-2.6.32-5, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-amd64, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686-bigmem, p-cpe:/a:debian:debian_linux:firmware-linux-free, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-686-dbg, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-686, p-cpe:/a:debian:debian_linux:linux-tools-2.6.32, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-686-bigmem, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-openvz-686, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-686, p-cpe:/a:debian:debian_linux:linux-manual-2.6.32, p-cpe:/a:debian:debian_linux:linux-base, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-amd64-dbg, p-cpe:/a:debian:debian_linux:xen-linux-system-2.6.32-5-xen-amd64, p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686-bigmem-dbg, p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-vserver

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/8/2015

Reference Information

CVE: CVE-2013-7446, CVE-2015-7799, CVE-2015-7833, CVE-2015-7990, CVE-2015-8324