| Description: | Summary:
The remote host is missing an update for the Debian 'linux-5.10' package(s) announced via the DLA-3173-1 advisory.
Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2021-4037
Christian Brauner reported that the inode_init_owner function for the XFS filesystem in the Linux kernel allows local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID.
CVE-2022-0171
Mingwei Zhang reported that a cache incoherence issue in the SEV API in the KVM subsystem may result in denial of service.
CVE-2022-1184
A flaw was discovered in the ext4 filesystem driver which can lead to a use-after-free. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.
CVE-2022-1679
The syzbot tool found a race condition in the ath9k_htc driver which can lead to a use-after-free. This might be exploitable to cause a denial service (crash or memory corruption) or possibly for privilege escalation.
CVE-2022-2153
kangel reported a flaw in the KVM implementation for x86 processors which could lead to a null pointer dereference. A local user permitted to access /dev/kvm could exploit this to cause a denial of service (crash).
CVE-2022-2602
A race between handling an io_uring request and the Unix socket garbage collector was discovered. An attacker can take advantage of this flaw for local privilege escalation.
CVE-2022-2663
David Leadbeater reported flaws in the nf_conntrack_irc connection-tracking protocol module. When this module is enabled on a firewall, an external user on the same IRC network as an internal user could exploit its lax parsing to open arbitrary TCP ports in the firewall, to reveal their public IP address, or to block their IRC connection at the firewall.
CVE-2022-2905
Hsin-Wei Hung reported a flaw in the eBPF verifier which can lead to an out-of-bounds read. If unprivileged use of eBPF is enabled, this could leak sensitive information. This was already disabled by default, which would fully mitigate the vulnerability.
CVE-2022-3028
Abhishek Shah reported a race condition in the AF_KEY subsystem, which could lead to an out-of-bounds write or read. A local user could exploit this to cause a denial of service (crash or memory corruption), to obtain sensitive information, or possibly for privilege escalation.
CVE-2022-3061
A flaw was discovered in the i740 driver which may result in denial of service.
This driver is not enabled in Debian's official kernel configurations.
CVE-2022-3176
A use-after-free flaw was discovered in the io_uring subsystem which may result in local privilege escalation to root.
CVE-2022-3303
A race condition in the snd_pcm_oss_sync function in the sound subsystem in the Linux kernel due to improper locking may result in denial of service.
CVE-2022-3586 ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'linux-5.10' package(s) on Debian 10.
Solution:
Please install the updated package(s).
CVSS Score:
7.2
CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C
|
