Description:
Summary: The remote host is missing an update for the Debian 'linux' package(s) announced via the DLA-2843-1 advisory.
Vulnerability Insight: CVE-2021-3653 CVE-2021-3655 CVE-2021-3679 CVE-2021-3732 CVE-2021-3753 CVE-2021-3760 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322 CVE-2021-22543 CVE-2021-37159 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490 CVE-2021-41864 CVE-2021-42008 CVE-2021-42739 CVE-2021-43389
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leaks.
CVE-2020-3702
A flaw was found in the driver for Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.
CVE-2020-16119
Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.
CVE-2021-0920
A race condition was discovered in the local sockets (AF_UNIX) subsystem, which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash), or possibly for privilege escalation.
CVE-2021-3612
Murray McAllister reported a flaw in the joystick input subsystem. A local user permitted to access a joystick device could exploit this to read and write out-of-bounds in the kernel, which could be used for privilege escalation.
CVE-2021-3653
Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: Missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.
CVE-2021-3655
Ilja Van Sprundel and Marcelo Ricardo Leitner found multiple flaws in the SCTP implementation, where missing validation could lead to an out-of-bounds read. On a system using SCTP, a networked attacker could exploit these to cause a denial of service (crash).
CVE-2021-3679
A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).
CVE-2021-3732
Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.
CVE-2021-3753
Minh Yuan reported a race condition in vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out-of-bounds read in vt.
CVE-2021-3760
Lin Horse reported a flaw in the NCI (NFC Controller Interface) driver, which could lead to a use-after-free.
However, this driver is not included in the binary packages provided by Debian.
CVE-2021-20317
It was discovered that the timer queue structure could become corrupt, leading to waiting tasks never being woken up. A local user ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS: 'linux' package(s) on Debian 9.
Solution: Please install the updated package(s).
CVSS Score: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C