Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-20 Thread Holger Levsen
Hi,

On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Most appreciated.  So, just to confirm; my take away on this is:
> 
>   * 1. "Wheezy" Linux kernels are NOT AFFECTED.
> 
>   * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
> 
> If I have understood correctly?

yes!


cheers,
Holger




Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread James Barrett
Please stop sending me these emails.
On Jan 19, 2016 7:40 AM, "Salvatore Bonaccorso"  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> - -
> Debian Security Advisory DSA-3448-1   secur...@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> January 19, 2016  https://www.debian.org/security/faq
> - -
>
> Package: linux
> CVE ID : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723
>  CVE-2016-0728
>
> Several vulnerabilities have been discovered in the Linux kernel that
> may lead to a privilege escalation or denial-of-service.
>
> CVE-2013-4312
>
> Tetsuo Handa discovered that it is possible for a process to open
> far more files than the process' limit leading to denial-of-service
> conditions.
>
> CVE-2015-7566
>
> Ralf Spenneberg of OpenSource Security reported that the visor
> driver crashes when a specially crafted USB device without bulk-out
> endpoint is detected.
>
> CVE-2015-8767
>
> An SCTP denial-of-service was discovered which can be triggered by a
> local attacker during a heartbeat timeout event after the 4-way
> handshake.
>
> CVE-2016-0723
>
> A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
> A local attacker could use this flaw for denial-of-service.
>
> CVE-2016-0728
>
> The Perception Point research team discovered a use-after-free
> vulnerability in the keyring facility, possibly leading to local
> privilege escalation.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 3.16.7-ckt20-1+deb8u3.
>
> We recommend that you upgrade your linux packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org


Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread hasan akgöz
Hi,
If you want to unsubscribe from the mailing list, you can follow the instructions at this
URL: https://www.debian.org/MailingLists/#subunsub
Or use this form: https://www.debian.org/MailingLists/unsubscribe

2016-01-19 20:46 GMT+02:00 James Barrett :

> Please stop sending me these emails.
> On Jan 19, 2016 7:40 AM, "Salvatore Bonaccorso"  wrote:
>
>> [...]


-- 
//selametle

Hasan AKGÖZ

http://www.hasanakgoz.com


Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Luis E. Arevalo R.
2016-01-19 15:46 GMT-03:00 James Barrett :

> Please stop sending me these emails.


These emails are not sent to your inbox, but to the mailing list
debian-security@lists.debian.org.

More information: https://lists.debian.org/debian-security/

-- 
Luis Eduardo Arevalo ReyesUser #354770
http://linuxcounter.net
Fono +56 9 54012831
http://www.luchox.cl


Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread James Barrett
So you are saying there is no one there smart enough to know how their
software works to remove me? All my other mails get sent back with errors,
so obviously you are wrong.

Someone take my email off the list or I will report it as harassment.


On Tue, Jan 19, 2016 at 3:06 PM, Povl Ole Haarlev Olsen <debian-secur...@stderr.dk> wrote:

> On Tue, 19 Jan 2016, James Barrett wrote:
>
>> It has been requested that the following address:
>>
>>xuc...@gmail.com
>>
>> should be deleted from the debian-security mailing list.
>>
>> Sorry, but this address has NOT been found on the list.
>>
>
> That makes sense. You're trying to unsubscribe from the "debian-security"
> mailing list, not the "debian-security-ANNOUNCE" mailing list. Different
> mailing lists. You need to send your unsubscribe request to the correct
> address.
>
>> Please check carefully the spelling of this address.
>> You may send an unsubscribe request with another address.
>> If the address is on the list you will receive a confirmation
>> message. A reply to this message will remove the address.
>>
>> It follows a copy of your unsubscribe request
>>
Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Bjoern Nyjorden

Hi again,

Are the "Wheezy" Linux kernels affected as well, or are they currently 
okay as far as you know?


Many thanks in advance, and kindest regards,
Bjoern.

On 19/01/16 20:40, Salvatore Bonaccorso wrote:

> [...]


Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Povl Ole Haarlev Olsen

On Tue, 19 Jan 2016, James Barrett wrote:

> So you are saying there is no one there smart enough to know how their
> software works to remove me? All my other mails get sent back with errors,


No, what I said was that sending an email to the "debian-security" 
mailing list is not how you unsubscribe from the "debian-security-announce" 
mailing list.


An email to the "debian-security-request" address won't unsubscribe you 
from "debian-security-announce" either. It will try to unsubscribe you 
from "debian-security", but that's another mailing list and you might not 
even be on that list to begin with. That's why you got an error.



> so obviously you are wrong.


Ok, I was just trying to help you.

But if I were to take a wild guess, based on the CC:-headers on your mail, 
you still haven't tried to send an email to


debian-security-announce-requ...@lists.debian.org

with the word

unsubscribe

as the subject.

Try. It might help...

--
Povl Ole



Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Bjoern Nyjorden

Thanks Holger & Ben,

Most appreciated.  So, just to confirm; my take away on this is:

 * 1. "Wheezy" Linux kernels are NOT AFFECTED.

 * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.

If I have understood correctly?

Kindest regards,
Bjoern.

On 20/01/16 09:49, Holger Levsen wrote:

> Hi Bjoern (bcc:ed),
>
> On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> > Are the "Wheezy" Linux kernels affected as well, or are they currently
> > okay as far as you know?
>
> on debian-backports@l.d.o Ben wrote:
>
> > [...] It's fixed in jessie and sid,
> > and doesn't affect anything older. {wheezy,jessie}-backports will be
> > fixed soon.
>
> Thanks Ben!
>
> cheers,
> Holger





Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Holger Levsen
Hi Bjoern (bcc:ed),

On Wednesday, 20 January 2016, Bjoern Nyjorden wrote:
> Are the "Wheezy" Linux kernels affected as well, or are they currently
> okay as far as you know?

on debian-backports@l.d.o Ben wrote:

> [...]  It's fixed in jessie and sid,
> and doesn't affect anything older.  {wheezy,jessie}-backports will be
> fixed soon.

Thanks Ben!


cheers,
Holger




Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Salvatore Bonaccorso
Hi,

On Wed, Jan 20, 2016 at 10:42:04AM +0800, Bjoern Nyjorden wrote:
> Thanks Holger & Ben,
> 
> Most appreciated.  So, just to confirm; my take away on this is:
> 
>  * 1. "Wheezy" Linux kernels are NOT AFFECTED.
> 
>  * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
> 
> If I have understood correctly?

For the most important CVE,
https://security-tracker.debian.org/tracker/CVE-2016-0728 this is
right. The issue was introduced in upstream commit
3a50597de8635cd05133bd12c95681c82fe7b878 which is in kernels v3.8-rc1
onwards. The Wheezy kernel is not affected; Wheezy and Jessie backports are
vulnerable but being fixed.

You can get the full picture for Wheezy and Jessie status by starting
from https://security-tracker.debian.org/tracker/DSA-3448-1 and
following the CVE references for details. The other issues which
affect Wheezy as well will be fixed for Wheezy in a later DSA.

(yes, the security-tracker does not track backports).

Hope this helps,

Regards,
Salvatore
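Added example (not from the advisory, the thread, or Debian's own tooling): a small reimplementation of the dpkg version-ordering rules, used to check whether an installed linux-image package version is at or above the jessie fixed version named in DSA-3448-1. The `~bpo` backports version string used for illustration is constructed, not a real upload.

```python
# Added example (not part of DSA-3448-1): decide whether an installed
# linux-image package is at or above the version the advisory names as
# fixed, using the dpkg version-ordering rules so no dpkg is needed.

FIXED_JESSIE = "3.16.7-ckt20-1+deb8u3"  # fixed version from DSA-3448-1

def _order(c):
    # dpkg character weights: '~' < end-of-string < letters < other chars
    if c == "~":
        return -1
    return 0 if not c else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # compare alternating non-digit / numeric runs, as dpkg does
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0, like dpkg --compare-versions lt/eq/gt."""
    def split(v):  # [epoch:]upstream[-revision]; revision follows the LAST '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed=FIXED_JESSIE):
    """True when the installed package version is at or above the fixed one.
    A '~bpoNN+M' backports build of the same version sorts BELOW it, so
    backports must be judged against their own fixed version, not this one."""
    return compare_versions(installed, fixed) >= 0
```

The package version to feed in comes from `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`, not from `uname -r` itself, which only carries the ABI name; a fixed package that has not been rebooted into still leaves the old kernel running.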