| Description: | Summary:
The remote host is missing an update for the Debian 'linux-4.9' package(s) announced via the DLA-2114-1 advisory.
Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2018-13093, CVE-2018-13094 Wen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash).
CVE-2018-20976
It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.
CVE-2018-21008
It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after free. The security impact of this is unclear.
CVE-2019-0136
It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity).
CVE-2019-2215
The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.
CVE-2019-10220
Various developers and researchers found that if a crafted file system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.
The kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.
CVE-2019-14615
It was discovered that Intel 9th and 10th generation GPUs did not clear user-visible state during a context switch, which resulted in information leaks between GPU tasks. This has been mitigated in the i915 driver.
The affected chips (gen9 and gen10) are listed at .
CVE-2019-14814, CVE-2019-14815, CVE-2019-14816 Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.
CVE-2019-14895, CVE-2019-14901 ADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.
CVE-2019-14896, CVE-2019-14897 ADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'linux-4.9' package(s) on Debian 8.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
