| Description: | Summary:
The remote host is missing an update for the Debian 'linux' package(s) announced via the DLA-3508-1 advisory.
Vulnerability Insight:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2023-1380
Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi driver. On systems using this driver, a local user could exploit this to read sensitive information or to cause a denial of service (crash).
CVE-2023-2002
Ruiahn Li reported an incorrect permissions check in the Bluetooth subsystem. A local user could exploit this to reconfigure local Bluetooth interfaces, resulting in information leaks, spoofing, or denial of service (loss of connection).
CVE-2023-2007
Lucas Leong (@_wmliang_) and Reno Robert of Trend Micro Zero Day Initiative discovered a time-of-check-to-time-of-use flaw in the dpt_i2o SCSI controller driver. A local user with access to a SCSI device using this driver could exploit this for privilege escalation.
This flaw has been mitigated by removing support for the I2OUSRCMD operation.
CVE-2023-2269
Zheng Zhang reported that improper handling of locking in the device mapper implementation may result in denial of service.
CVE-2023-3090
It was discovered that missing initialization in ipvlan networking may lead to an out-of-bounds write vulnerability, resulting in denial of service or potentially the execution of arbitrary code.
CVE-2023-3111
The TOTE Robot tool found a flaw in the Btrfs filesystem driver that can lead to a use-after-free. It's unclear whether an unprivileged user can exploit this.
CVE-2023-3141
A flaw was discovered in the r592 memstick driver that could lead to a use-after-free after the driver is removed or unbound from a device. The security impact of this is unclear.
CVE-2023-3268
It was discovered that an out-of-bounds memory access in relayfs could result in denial of service or an information leak.
CVE-2023-3338
Ornaghi Davide discovered a flaw in the DECnet protocol implementation which could lead to a null pointer dereference or use-after-free. A local user can exploit this to cause a denial of service (crash or memory corruption) and probably for privilege escalation.
This flaw has been mitigated by removing the DECnet protocol implementation.
CVE-2023-20593
Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD Zen 2 CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.
For details please refer to [link moved to references] and [link moved to references].
This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update. However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.
CVE-2023-31084
It was ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'linux' package(s) on Debian 10.
Solution:
Please install the updated package(s).
CVSS Score:
6.8
CVSS Vector:
AV:L/AC:L/Au:S/C:C/I:C/A:C
|
