Re: [SECURITY] [DSA 3448-1] linux security update
Hi,

On Mittwoch, 20. Januar 2016, Bjoern Nyjorden wrote:
> Most appreciated. So, just to confirm; my take away on this is:
>
> * 1. "Wheezy" Linux kernels are NOT AFFECTED.
>
> * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
>
> If I have understood correctly?

yes!

cheers,
	Holger
Re: [SECURITY] [DSA 3448-1] linux security update
Please stop sending me these emails.

On Jan 19, 2016 7:40 AM, "Salvatore Bonaccorso" wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3448-1                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> January 19, 2016                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : linux
> CVE ID         : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
>                  CVE-2016-0728
>
> Several vulnerabilities have been discovered in the Linux kernel that
> may lead to a privilege escalation or denial-of-service.
>
> CVE-2013-4312
>
>     Tetsuo Handa discovered that it is possible for a process to open
>     far more files than the process' limit leading to denial-of-service
>     conditions.
>
> CVE-2015-7566
>
>     Ralf Spenneberg of OpenSource Security reported that the visor
>     driver crashes when a specially crafted USB device without bulk-out
>     endpoint is detected.
>
> CVE-2015-8767
>
>     An SCTP denial-of-service was discovered which can be triggered by a
>     local attacker during a heartbeat timeout event after the 4-way
>     handshake.
>
> CVE-2016-0723
>
>     A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
>     A local attacker could use this flaw for denial-of-service.
>
> CVE-2016-0728
>
>     The Perception Point research team discovered a use-after-free
>     vulnerability in the keyring facility, possibly leading to local
>     privilege escalation.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 3.16.7-ckt20-1+deb8u3.
>
> We recommend that you upgrade your linux packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
Re: [SECURITY] [DSA 3448-1] linux security update
Hi,

If you want to unsubscribe from the mailing list, you can follow the
instructions at this URL:

https://www.debian.org/MailingLists/#subunsub

Or use this form:

https://www.debian.org/MailingLists/unsubscribe

2016-01-19 20:46 GMT+02:00 James Barrett:
> Please stop sending me these emails.
> On Jan 19, 2016 7:40 AM, "Salvatore Bonaccorso" wrote:
>
>> Debian Security Advisory DSA-3448-1                   secur...@debian.org
>> https://www.debian.org/security/                     Salvatore Bonaccorso
>> January 19, 2016                      https://www.debian.org/security/faq
>>
>> Package        : linux
>> CVE ID         : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
>>                  CVE-2016-0728
>>
>> [...]
-- 
//selametle
Hasan AKGÖZ
http://www.hasanakgoz.com
Re: [SECURITY] [DSA 3448-1] linux security update
2016-01-19 15:46 GMT-03:00 James Barrett:
> Please stop sending me these emails.

These emails are not sent to your inbox, but to the mailing list
debian-security@lists.debian.org.

More information: https://lists.debian.org/debian-security/

-- 
Luis Eduardo Arevalo Reyes
User #354770 http://linuxcounter.net
Fono +56 9 54012831
http://www.luchox.cl
Re: [SECURITY] [DSA 3448-1] linux security update
So you are saying there is no one there smart enough to know how their
software works to remove me? All my other mails get sent back with errors,
so obviously you are wrong. Someone take my email off the list or I will
report it as harassment.

On Tue, Jan 19, 2016 at 3:06 PM, Povl Ole Haarlev Olsen
<debian-secur...@stderr.dk> wrote:
> On Tue, 19 Jan 2016, James Barrett wrote:
>
>> It has been requested that the following address:
>>
>>    xuc...@gmail.com
>>
>> should be deleted from the debian-security mailing list.
>>
>> Sorry, but this address has NOT been found on the list.
>
> That makes sense. You're trying to unsubscribe from the "debian-security"
> mailing list, not the "debian-security-ANNOUNCE" mailing list. Different
> mailing lists. You need to send your unsubscribe request to the correct
> address.
>
>> Please check carefully the spelling of this address.
>> You may send an unsubscribe request with another address.
>> If the address is on the list you will receive a confirmation
>> message. A reply to this message will remove the address.
>>
>> It follows a copy of your unsubscribe request
Re: [SECURITY] [DSA 3448-1] linux security update
Hi again,

Are the "Wheezy" Linux kernels affected as well, or are they currently
okay as far as you know?

Many thanks in advance, and kindest regards,
Bjoern.

On 19/01/16 20:40, Salvatore Bonaccorso wrote:
> Debian Security Advisory DSA-3448-1                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> January 19, 2016                      https://www.debian.org/security/faq
>
> Package        : linux
> CVE ID         : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
>                  CVE-2016-0728
>
> [...]
Re: [SECURITY] [DSA 3448-1] linux security update
On Tue, 19 Jan 2016, James Barrett wrote:
> So you are saying there is no one there smart enough to know how their
> software works to remove me? all my other mails get sent back with errors,

No, what I said was that sending an email to the "debian-security" mailing
list is not how you unsubscribe from the "debian-security-announce" mailing
list.

An email to the "debian-security-request" address won't unsubscribe you
from "debian-security-announce" either. It will try to unsubscribe you from
"debian-security", but that's another mailing list and you might not even
be on that list to begin with. That's why you got an error.

> so obviously you are wrong.

Ok, I was just trying to help you.

But if I were to take a wild guess, based on the CC:-headers on your mail,
you still haven't tried to send an email to
debian-security-announce-requ...@lists.debian.org with the word
"unsubscribe" as the subject.

Try. It might help...

-- 
Povl Ole
Re: [SECURITY] [DSA 3448-1] linux security update
Thanks Holger & Ben,

Most appreciated. So, just to confirm; my take away on this is:

* 1. "Wheezy" Linux kernels are NOT AFFECTED.

* 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.

If I have understood correctly?

Kindest regards,
Bjoern.

On 20/01/16 09:49, Holger Levsen wrote:
> Hi Bjoern (bcc:ed),
>
> On Mittwoch, 20. Januar 2016, Bjoern Nyjorden wrote:
>> Are the "Wheezy" Linux kernels affected as well, or are they currently
>> okay as far as you know?
>
> on debian-backports@l.d.o Ben wrote:
>> [...] It's fixed in jessie and sid,
>> and doesn't affect anything older. {wheezy,jessie}-backports will be
>> fixed soon.
>
> Thanks Ben!
>
> cheers,
> 	Holger
Re: [SECURITY] [DSA 3448-1] linux security update
Hi Bjoern (bcc:ed),

On Mittwoch, 20. Januar 2016, Bjoern Nyjorden wrote:
> Are the "Wheezy" Linux kernels affected as well, or are they currently
> okay as far as you know?

on debian-backports@l.d.o Ben wrote:
> [...] It's fixed in jessie and sid,
> and doesn't affect anything older. {wheezy,jessie}-backports will be
> fixed soon.

Thanks Ben!

cheers,
	Holger
Re: [SECURITY] [DSA 3448-1] linux security update
Hi,

On Wed, Jan 20, 2016 at 10:42:04AM +0800, Bjoern Nyjorden wrote:
> Thanks Holger & Ben,
>
> Most appreciated. So, just to confirm; my take away on this is:
>
> * 1. "Wheezy" Linux kernels are NOT AFFECTED.
>
> * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
>
> If I have understood correctly?

For the most important CVE,

https://security-tracker.debian.org/tracker/CVE-2016-0728

this is right. The issue was introduced in upstream commit
3a50597de8635cd05133bd12c95681c82fe7b878 which is in kernels v3.8-rc1
onwards. The Wheezy kernel is not affected; Wheezy and Jessie backports
are vulnerable but are being fixed.

You can get the full picture for the Wheezy and Jessie status by starting
from

https://security-tracker.debian.org/tracker/DSA-3448-1

and following the CVE references for details. The other issues which
affect Wheezy as well will be fixed for Wheezy in a later DSA.

(Yes, the security-tracker does not track backports.)

Hope this helps,

Regards,
Salvatore
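As an added example (not part of this thread and not Debian's own tooling): a Python re-implementation of the Debian version comparison rules, used to check an installed jessie linux package version against the fixed version from DSA-3448-1, together with the v3.8 upstream cutoff Salvatore gives for CVE-2016-0728. The version strings in the comments are constructed; on a real host, dpkg --compare-versions and the security tracker remain the authoritative checks.

```python
import re
from itertools import zip_longest

FIXED_JESSIE = "3.16.7-ckt20-1+deb8u3"  # fixed jessie version named in DSA-3448-1

def _order(c):
    # dpkg weight: '~' first, then end-of-string, then letters, then other symbols.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Compare alternating non-digit runs (by _order) and digit runs (numerically).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; missing epoch is 0, missing revision counts as "0".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "0")

def compare_debian_versions(v1, v2):
    # Returns -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt.
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def jessie_linux_is_fixed(installed_version):
    # True when the installed jessie linux package is at or past the DSA fix,
    # e.g. constructed "3.16.7-ckt20-1+deb8u2" -> False, "3.16.7-ckt25-1" -> True.
    return compare_debian_versions(installed_version, FIXED_JESSIE) >= 0

def kernel_in_cve_2016_0728_range(uname_release):
    # True when the upstream version is v3.8 or later, the affected range the
    # thread gives for CVE-2016-0728; wheezy's 3.2 kernels fall outside it.
    major, minor = map(int, re.match(r"(\d+)\.(\d+)", uname_release).groups())
    return (major, minor) >= (3, 8)
```

A backports-style revision such as the constructed "1~bpo70+1" sorts below "1+deb8u3" because '~' sorts before anything else, which is why a backports build of the same upstream version still compares as older than the jessie fix.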