Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2271 linux security update 7 August 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux kernel Publisher: Debian Operating System: Debian GNU/Linux 9 Linux variants Impact/Access: Increased Privileges -- Existing Account Create Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-13405 CVE-2018-5390 Original Bulletin: http://www.debian.org/security/2018/dsa-4266 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running linux check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4266-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 06, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2018-5390 CVE-2018-13405 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-5390 Juha-Matti Tilli discovered that a remote attacker can trigger the worst case code paths for TCP stream reassembly with low rates of specially crafted packets leading to remote denial of service. CVE-2018-13405 Jann Horn discovered that the inode_init_owner function in fs/inode.c in the Linux kernel allows local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID. For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u1. This update includes fixes for several regressions in the latest point release. We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltolY5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T1cBAAhxrsiYuYMiQj9x+shNxxp6gWEXpDoOCwU0cXzZ2lii2uSPzP5TsIQey3 3nBjPCZthg8Q0fL2m0thbfS+i1HTT9tlJT7EjBGDjA0jm2o/lQCmH5rp8DDPtbwZ 2iZ9HyfosEFnbCd6VHtWIM3NoGZFUjvBWkb29/op800BqkHk69WchT1ZWSE8G85S NAwG7tf/mfWIc0nYgieFo9i2X2bk0mNUOjC8xnVnK2TZY5jzK7f9fmQzdPAglZaI t1UoQS4PMl6UTi7AJephorP6+6KJPg3n0rCgJYYXtnRO4PilSLveg7dNniKpCaDo jJKVIcug8Hqo1zc6Uk0tgdZBPILZULyMGr7XUJ97cyA6i+9xhDpGPmqH6pbWQ+YZ JplAY4PHZ2PUi+6is4LE7kYQfPk8+KvvshUB8Qr2Xa61GUDcgpdcaTmNmFYH3EAF St27o/Nbs8WsKNzkOMxtyva88YJr7RDHr+nX/I1fKlI8zC8k3gHYYtJ11QhCDWKT 1O42ppxxaBUMo5ns0ZCjNBaMFPTaKrDYocAzhVot94I2++8InhFWbAzRq7B44fKe E4Q6jDXY3x5MexSyZG3sGc6EwUtr/Gr8trB4TZkvNrQtZ9WBh28TOsldecGsncqw I62eV7vx701dQDjtcDy/yZlGDjFTULQkyX8GPL9hIBeRjCFRhrA= =h8it - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW2jZt2aOgq3Tt24GAQjBCw/9EN7/YzyzEh6def7MvAvVH57nu2N8Q/pW PfKCaxPAWZtN0nFueFRx+ubza52FyWzpzc6+5Qs725RYOahP50MkCzvlNGQOOgZW re1M62vKhr0MBkkqOqVlQP05liDBmZfhU0YqoSosd+qXQuCpwLjNmhcJy638jkpa ASWXM1Ka97v4VvkL3hYyW2BiiaPYjzO9t9OZjOBvdbKw6DsSupB9pIVoPHE/n0k+ 9bFgwu1UM3krynR9iPLFQxampHhbdXCREmk+O10tDlqaXKSv0g30CGnYaE5pq0zq dh905QBSnjD3jiejpuwviI+pdExgE/IrEKeGCaC0RL7345DkuOo9OKMEx7yDEuXV gsTyNac/Sit9IUxRbv4ADmp48ugQTueb77dC5n9+mLVIbJySSMWxMOd+9oRhsi1O mN3LSYdWEr/ADmCP8EhRFnQcizCt1ZxsEjzuyzwnK1Ui1ip81sMV4eYMZy24zTzI JP2DuZBTcrmdid7bxPYBFVwsNkygnWW3fWXjksFpNVcgUwrJ7M77A3hYjt6/DZ3o gR6+SA4bdvuyaTdm/xRh6FJJUBdZ5Ji93bmIXK7O8yFdc3LhTb/V2IogcCSaBfVt 1sdref75y0IeFkKsLLKtKJTZql23cOy/I2FVpoLc2/r+1Y5Z4zQ16Pc5pgjm16T8 4NT4ArV6SPA= =OwyD -----END PGP SIGNATURE-----