A pair of new kernel vulnerabilities are threatening the security of systems running current versions of several Linux distributions. One of the flaws gives a remote attacker the ability to crash vulnerable systems and the other leads to root privileges for a local attacker.
The most serious of the new vulnerabilities is a remote denial-of-service bug in the Linux kernel related to the way that the system handles large packets. During the IPv4 defragmentation process, the Linux kernel fails to handle oversized packets correctly, which causes the system to crash. A remote attacker could exploit this vulnerability to crash systems running the vulnerable versions of Linux.
There is also another Linux kernel bug that gives a local user the ability to gain root privileges on an affected system. The problem is in the Ext4 file system, which in some instances doesn’t check permissions correctly, and could allow a local user to overwrite files on the system and gain root access to the machine.
Ubuntu has released a new package, fixing these flaws, and Red Hat also has released updates to its affected Fedora versions.