Test ID: 1.3.6.1.4.1.25623.1.0.892385
Category: Debian Local Security Checks
Title: Debian: Security Advisory (DLA-2385-1)
Summary: The remote host is missing an update for the Debian 'linux-4.19' package(s) announced via the DLA-2385-1 advisory.
Description:

Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-3874

Kernel buffers allocated by the SCTP network protocol were not limited by the memory cgroup controller. A local user could potentially use this to evade container memory limits and to cause a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

Team bobfuzzer reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

Luca Bruno of Red Hat discovered that the zram control file /sys/class/zram-control/hot_add was readable by all users. On a system with zram enabled, a local user could use this to cause a denial of service (memory exhaustion).

CVE-2020-12888

It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).

CVE-2020-14314

A bug was discovered in the ext4 filesystem that could lead to an out-of-bounds read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2020-14331

A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14356

A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14385

A bug was discovered in XFS, which could lead to an extended attribute (xattr) wrongly being detected as invalid. A local user with access to an XFS filesystem could use this to cause a denial of service (filesystem shutdown).

CVE-2020-14386

Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-14390

Minh Yuan discovered a bug in the framebuffer console driver's scrollback ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'linux-4.19' package(s) on Debian 9.

Solution:
Please install the updated package(s).

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2019-19448
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19448
https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
https://usn.ubuntu.com/4578-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-19813
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19813
https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html
https://usn.ubuntu.com/4414-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-19816
https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19816
https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-3874
RHSA-2019:3309
https://access.redhat.com/errata/RHSA-2019:3309
RHSA-2019:3517
https://access.redhat.com/errata/RHSA-2019:3517
USN-3979-1
https://usn.ubuntu.com/3979-1/
USN-3980-1
https://usn.ubuntu.com/3980-1/
USN-3980-2
https://usn.ubuntu.com/3980-2/
USN-3981-1
https://usn.ubuntu.com/3981-1/
USN-3981-2
https://usn.ubuntu.com/3981-2/
USN-3982-1
https://usn.ubuntu.com/3982-1/
USN-3982-2
https://usn.ubuntu.com/3982-2/
[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3874
https://security.netapp.com/advisory/ntap-20190411-0003/
https://www.oracle.com/security-alerts/cpuApr2021.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-10781
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10781
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=853eab68afc80f59f36bbdeb715e5c88c501e680
https://www.openwall.com/lists/oss-security/2020/06/18/1
Common Vulnerability Exposure (CVE) ID: CVE-2020-12888
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBEHRQQZTKJTPQFPY3JAO7MQ4JAFEQNW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXGMJHWTMQI34NJZ4BHL3ZVF264AWBF2/
https://lore.kernel.org/kvm/158871401328.15589.17598154478222071285.stgit@gimli.home/
https://lore.kernel.org/kvm/158871570274.15589.10563806532874116326.stgit@gimli.home/
http://www.openwall.com/lists/oss-security/2020/05/19/6
SuSE Security Announcement: openSUSE-SU-2020:0935
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html
SuSE Security Announcement: openSUSE-SU-2020:1153
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html
https://usn.ubuntu.com/4525-1/
https://usn.ubuntu.com/4526-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-14314
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14314
https://www.starwindsoftware.com/security/sw-20210325-0003/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5872331b3d91820e14716632ebb56b1399b34fe1
https://lore.kernel.org/linux-ext4/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com/T/#u
https://usn.ubuntu.com/4576-1/
https://usn.ubuntu.com/4579-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-14331
[debian-lts-announce] 20201030 [SECURITY] [DLA 2420-1] linux security update
[debian-lts-announce] 20201031 [SECURITY] [DLA 2420-2] linux regression update
https://bugzilla.redhat.com/show_bug.cgi?id=1858679
https://lists.openwall.net/linux-kernel/2020/07/29/234
https://www.openwall.com/lists/oss-security/2020/07/28/2
Common Vulnerability Exposure (CVE) ID: CVE-2020-14356
https://bugzilla.kernel.org/show_bug.cgi?id=208003
https://bugzilla.redhat.com/show_bug.cgi?id=1868453
https://lore.kernel.org/netdev/CAM_iQpUKQJrj8wE+Qa8NGR3P0L+5Uz=qo-O5+k_P60HzTde6aw%40mail.gmail.com/t/
SuSE Security Announcement: openSUSE-SU-2020:1236
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html
SuSE Security Announcement: openSUSE-SU-2020:1325
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00007.html
https://usn.ubuntu.com/4483-1/
https://usn.ubuntu.com/4484-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-14385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14385
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933
SuSE Security Announcement: openSUSE-SU-2020:1586
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-14386
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14386
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNCPXERMUHPSGF6S2VVFL5NVVPBBFB63/
http://packetstormsecurity.com/files/159565/Kernel-Live-Patch-Security-Notice-LSN-0072-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=acf69c946233259ab4d64f8869d4037a198c7f06
https://seclists.org/oss-sec/2020/q3/146
http://www.openwall.com/lists/oss-security/2021/09/17/2
http://www.openwall.com/lists/oss-security/2021/09/17/4
http://www.openwall.com/lists/oss-security/2021/09/21/1
SuSE Security Announcement: openSUSE-SU-2020:1655
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00021.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-14390
https://bugzilla.redhat.com/show_bug.cgi?id=1876788
Common Vulnerability Exposure (CVE) ID: CVE-2020-16166
https://security.netapp.com/advisory/ntap-20200814-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/
https://arxiv.org/pdf/2012.07432.pdf
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638
https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4
Common Vulnerability Exposure (CVE) ID: CVE-2020-25212
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4487b93545214a9db8cbf32e86411677b0cca21
https://twitter.com/grsecurity/status/1303370421958578179
SuSE Security Announcement: openSUSE-SU-2020:1682
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html
SuSE Security Announcement: openSUSE-SU-2020:1698
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html
https://usn.ubuntu.com/4527-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-25284
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f44d04e696feaf13d192d942c4f14ad2e117065a
https://twitter.com/grsecurity/status/1304537507560919041
Common Vulnerability Exposure (CVE) ID: CVE-2020-25285
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=17743798d81238ab13050e8e2833699b54e15467
https://twitter.com/grsecurity/status/1303749848898904067
Common Vulnerability Exposure (CVE) ID: CVE-2020-25641
https://bugzilla.redhat.com/show_bug.cgi?id=1881424
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e24969022cbd61ddc586f14824fc205661bb124
https://www.kernel.org/doc/html/latest/block/biovecs.html
http://www.openwall.com/lists/oss-security/2020/10/06/9
Common Vulnerability Exposure (CVE) ID: CVE-2020-26088
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.2
https://github.com/torvalds/linux/commit/26896f01467a28651f7a536143fe5ac8449d4041
Copyright: Copyright (C) 2020 Greenbone AG
