Guys,

Has this been fixed in the pve-kernel 2.6 ?! This has just been patched in Debian last night (CET).
Let me know,
Iosif

On Fri, Apr 25, 2014 at 2:12 AM, dann frazier <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----------------------------------------------------------------------
> Debian Security Advisory DSA-2906-1                   [email protected]
> http://www.debian.org/security/                           Dann Frazier
> April 24, 2014                         http://www.debian.org/security/faq
> - ----------------------------------------------------------------------
>
> Package        : linux-2.6
> Vulnerability  : privilege escalation/denial of service/information leak
> Problem type   : local/remote
> Debian-specific: no
> CVE Id(s)      : CVE-2013-0343 CVE-2013-2147 CVE-2013-2889 CVE-2013-2893
>                  CVE-2013-4162 CVE-2013-4299 CVE-2013-4345 CVE-2013-4512
>                  CVE-2013-4587 CVE-2013-6367 CVE-2013-6380 CVE-2013-6381
>                  CVE-2013-6382 CVE-2013-6383 CVE-2013-7263 CVE-2013-7264
>                  CVE-2013-7265 CVE-2013-7339 CVE-2014-0101 CVE-2014-1444
>                  CVE-2014-1445 CVE-2014-1446 CVE-2014-1874 CVE-2014-2039
>                  CVE-2014-2523 CVE-2013-2929
>
> Several vulnerabilities have been discovered in the Linux kernel that may lead
> to a denial of service, information leak or privilege escalation. The Common
> Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2013-0343
>
>     George Kargiotakis reported an issue in the temporary address handling
>     of the IPv6 privacy extensions. Users on the same LAN can cause a denial
>     of service or obtain access to sensitive information by sending router
>     advertisement messages that cause temporary address generation to be
>     disabled.
>
> CVE-2013-2147
>
>     Dan Carpenter reported issues in the cpqarray driver for Compaq
>     Smart2 Controllers and the cciss driver for HP Smart Array controllers
>     allowing users to gain access to sensitive kernel memory.
>
> CVE-2013-2889
>
>     Kees Cook discovered missing input sanitization in the HID driver for
>     Zeroplus game pads that could lead to a local denial of service.
>
> CVE-2013-2893
>
>     Kees Cook discovered that missing input sanitization in the HID driver
>     for various Logitech force feedback devices could lead to a local denial
>     of service.
>
> CVE-2013-2929
>
>     Vasily Kulikov discovered that a flaw in the get_dumpable() function of
>     the ptrace subsystem could lead to information disclosure. Only systems
>     with the fs.suid_dumpable sysctl set to a non-default value of '2' are
>     vulnerable.
>
> CVE-2013-4162
>
>     Hannes Frederic Sowa discovered that incorrect handling of IPv6 sockets
>     using the UDP_CORK option could result in denial of service.
>
> CVE-2013-4299
>
>     Fujitsu reported an issue in the device-mapper subsystem. Local users
>     could gain access to sensitive kernel memory.
>
> CVE-2013-4345
>
>     Stephan Mueller found a bug in the ANSI pseudo random number generator
>     which could lead to the use of less entropy than expected.
>
> CVE-2013-4512
>
>     Nico Golde and Fabian Yamaguchi reported an issue in the user mode
>     linux port. A buffer overflow condition exists in the write method
>     for the /proc/exitcode file. Local users with sufficient privileges
>     allowing them to write to this file could gain further elevated
>     privileges.
>
> CVE-2013-4587
>
>     Andrew Honig of Google reported an issue in the KVM virtualization
>     subsystem. A local user could gain elevated privileges by passing
>     a large vcpu_id parameter.
>
> CVE-2013-6367
>
>     Andrew Honig of Google reported an issue in the KVM virtualization
>     subsystem. A divide-by-zero condition could allow a guest user to
>     cause a denial of service on the host (crash).
>
> CVE-2013-6380
>
>     Mahesh Rajashekhara reported an issue in the aacraid driver for storage
>     products from various vendors. Local users with CAP_SYS_ADMIN privileges
>     could gain further elevated privileges.
>
> CVE-2013-6381
>
>     Nico Golde and Fabian Yamaguchi reported an issue in the Gigabit Ethernet
>     device support for s390 systems.
>     Local users could cause a denial of
>     service or gain elevated privileges via the SIOC_QETH_ADP_SET_SNMP_CONTROL
>     ioctl.
>
> CVE-2013-6382
>
>     Nico Golde and Fabian Yamaguchi reported an issue in the XFS filesystem.
>     Local users with CAP_SYS_ADMIN privileges could gain further elevated
>     privileges.
>
> CVE-2013-6383
>
>     Dan Carpenter reported an issue in the aacraid driver for storage devices
>     from various vendors. A local user could gain elevated privileges due to
>     a missing privilege level check in the aac_compat_ioctl function.
>
> CVE-2013-7263 CVE-2013-7264 CVE-2013-7265
>
>     mpb reported an information leak in the recvfrom, recvmmsg and recvmsg
>     system calls. A local user could obtain access to sensitive kernel
>     memory.
>
> CVE-2013-7339
>
>     Sasha Levin reported an issue in the RDS network protocol over Infiniband.
>     A local user could cause a denial of service condition.
>
> CVE-2014-0101
>
>     Nokia Siemens Networks reported an issue in the SCTP network protocol
>     subsystem. Remote users could cause a denial of service (NULL pointer
>     dereference).
>
> CVE-2014-1444
>
>     Salva Peiro reported an issue in the FarSync WAN driver. Local users
>     with the CAP_NET_ADMIN capability could gain access to sensitive kernel
>     memory.
>
> CVE-2014-1445
>
>     Salva Peiro reported an issue in the wanXL serial card driver. Local
>     users could gain access to sensitive kernel memory.
>
> CVE-2014-1446
>
>     Salva Peiro reported an issue in the YAM radio modem driver. Local users
>     with the CAP_NET_ADMIN capability could gain access to sensitive kernel
>     memory.
>
> CVE-2014-1874
>
>     Matthew Thode reported an issue in the SELinux subsystem. A local user
>     with CAP_MAC_ADMIN privileges could cause a denial of service by setting
>     an empty security context on a file.
>
> CVE-2014-2039
>
>     Martin Schwidefsky reported an issue on s390 systems. A local user
>     could cause a denial of service (kernel oops) by executing an application
>     with a linkage stack instruction.
>
> CVE-2014-2523
>
>     Daniel Borkmann provided a fix for an issue in the nf_conntrack_dccp
>     module. Remote users could cause a denial of service (system crash)
>     or potentially gain elevated privileges.
>
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 2.6.32-48squeeze5.
>
> The following matrix lists additional source packages that were rebuilt for
> compatibility with or to take advantage of this update:
>
>                                              Debian 6.0 (squeeze)
>      user-mode-linux                         2.6.32-1um-4+48squeeze5
>
> We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
>
> Note: Debian carefully tracks all known security issues across every
> linux kernel package in all releases under active security support.
> However, given the high frequency at which low-severity security
> issues are discovered in the kernel and the resource requirements of
> doing an update, updates for lower priority issues will normally not
> be released for all kernels at the same time. Rather, they will be
> released in a staggered or "leap-frog" fashion.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: [email protected]
_______________________________________________
pve-user mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
