Debian developers alerted Linux users late last week of a new Linux kernel build, linux-2.6, that fixes 11 separate vulnerabilities that could open the kernel to a denial of service attack, information leak or privilege escalation.
Dann Frazier, an administrator with Debian announced the security updates via the company’s listserv late Friday.
The first two Common Vulnerabilities and Exposures identifiers fix information leaks in the kernel that could be exploited via a 64-bit system (CVE-2013-2141) and while it may sound archaic, a CD-ROM driver (CVE-2013-2164). According to Jonathan Salwan, a Paris-based Linux researcher, under certain conditions a local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive kernel memory.
Salwan also discovered an additional vulnerability, in the openvz kernel, that local users could exploit to gain access to sensitive kernel memory.
Kees Cook, a member of the Ubuntu security team, discovered four of the 11 vulnerabilities. Two of those can lead to an attacker crashing the system via DoS (CVE-2013-2888 and 2892) while the other two are somewhat less serious and affect the block subsystem and the b43 network driver. Those vulnerabilities should really only be of concern to those with specially configured systems.
The remaining fixes address a variety of issues, including memory leaks in the implementation of the PF_KEYv2 socket family and the Linux SCTP protocol.
Per usual Debian, which runs one of the more popular Linux distributions today, is encouraging users to upgrade to linux-2.6 and any associated user-mode-linux packages.
Those looking for more information on the vulnerabilities can head to Debian’s security update, DSA-2766-1, from Friday.
