| Description: | Summary:
The remote host is missing an update for the Debian 'linux' package(s) announced via the DLA-2420-1 advisory.
Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.
CVE-2019-9445
A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information.
CVE-2019-19073, CVE-2019-19074 Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear.
CVE-2019-19448
Team bobfuzzer reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.
CVE-2020-12351
Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.
CVE-2020-12352
Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets. A remote attacker within a short distance, knowing the victim's Bluetooth device address address, can retrieve kernel stack information.
CVE-2020-12655
Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service.
CVE-2020-12771
Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear.
CVE-2020-12888
It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).
CVE-2020-14305
Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_contrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.
CVE-2020-14314
A bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).
CVE-2020-14331
A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'linux' package(s) on Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
8.3
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:C
|
