| Description: | Summary:
The remote host is missing an update for the Debian 'linux-2.6' package(s) announced via the DLA-310-1 advisory.
Vulnerability Insight:
This update fixes the CVEs described below.
CVE-2015-0272
It was discovered that NetworkManager would set IPv6 MTUs based on the values received in IPv6 RAs (Router Advertisements), without sufficiently validating these values. A remote attacker could exploit this attack to disable IPv6 connectivity. This has been mitigated by adding validation in the kernel.
CVE-2015-5156
Jason Wang discovered that when a virtio_net device is connected to a bridge in the same VM, a series of TCP packets forwarded through the bridge may cause a heap buffer overflow. A remote attacker could use this to cause a denial of service (crash) or possibly for privilege escalation.
CVE-2015-5364
It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums.
CVE-2015-5366
It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum.
CVE-2015-5697
A flaw was discovered in the md driver in the Linux kernel leading to an information leak.
CVE-2015-5707
An integer overflow in the SCSI generic driver in the Linux kernel was discovered. A local user with write permission on a SCSI generic device could potentially exploit this flaw for privilege escalation.
CVE-2015-6937
It was found that the Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport exists when creating a connection. Depending on how a local RDS application initialised its sockets, a remote attacker might be able to cause a denial of service (crash) by sending a crafted packet.
For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze14.
For the oldstable distribution (wheezy), these problems have been fixed in version 3.2.68-1+deb7u4 or earlier.
For the stable distribution (jessie), these problems have been fixed in version 3.16.7-ckt11-1+deb8u4 or earlier.
Affected Software/OS:
'linux-2.6' package(s) on Debian 6.
Solution:
Please install the updated package(s).
CVSS Score:
7.8
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C
|
