The security update fixes five vulnerabilities

Sep 25, 2019 20:11 GMT

The Debian Project released a new Linux kernel security update for all supported versions of the Debian GNU/Linux operating system to address several security vulnerabilities.

Five security vulnerabilities have been fixed in this new Linux kernel security update for the Debian GNU/Linux 10 "Buster" and Debian GNU/Linux 9 "Stretch" operating system series, including a backporting error (CVE-2019-15902) reported by Brad Spengler, which reintroduced a Spectre V1 vulnerability in the Linux kernel's ptrace subsystem, in the ptrace_get_debugreg() function.

Also fixed is a race condition (CVE-2019-14821) discovered by Matt Delco in KVM's coalesced MMIO facility, which could allow a local attacker with access to /dev/kvm to escalate their privileges or cause memory corruption or a system crash, as well as a missing bounds check (CVE-2019-15117) discovered by Hui Peng and Mathias Payer in the usb-audio driver's descriptor parsing code, which could let an attacker who can add USB devices cause a system crash.

Another missing bounds check (CVE-2019-14835) was discovered by Peter Pi of Tencent Blade Team in the Linux kernel's vhost_net network backend driver for KVM hosts; it could allow an attacker in control of a virtual machine to cause memory corruption or a system crash on the host, or to escalate their privileges on the host system.

Last but not least, the new Debian kernel security patch addresses an unbounded recursion issue (CVE-2019-15118) discovered by Hui Peng and Mathias Payer in the usb-audio driver's descriptor parsing code, which could allow an attacker who can add USB devices to escalate their privileges or cause a denial of service (memory corruption or crash).

Users are urged to update their system immediately

The Debian Project noted that the unbounded recursion issue discovered by Hui Peng and Mathias Payer is mitigated on the Debian GNU/Linux 10 "Buster" operating system series on the 64-bit (amd64) and AArch64 (ARM64) architectures by a guard page on the kernel stack, which means that in the worst case an attacker can only cause a system crash.

All these security vulnerabilities are fixed by updating the kernel packages on Debian GNU/Linux 10 "Buster" systems to version 4.19.67-2+deb10u1, and on Debian GNU/Linux 9 "Stretch" systems to version 4.9.189-3+deb9u1. The Debian Project recommends that all users update their installations as soon as possible and reboot their machines for the changes to take effect.
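To check whether a running host already carries the fixed kernel, here is an added example (not code from the Debian advisory or this article) that reimplements dpkg's version ordering in Python and compares the Debian kernel package version reported in /proc/version against the fixed versions named above; the /proc/version sample is constructed, and its layout (a trailing "Debian <package version>" field) is an assumption.

```python
import re
from itertools import zip_longest

# Fixed kernel package versions named in the advisory.
FIXED = {"buster": "4.19.67-2+deb10u1", "stretch": "4.9.189-3+deb9u1"}

# Constructed sample; real Debian banners carry the package version after "SMP Debian".
SAMPLE_PROC_VERSION = ("Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) "
                       "(gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20)")

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end of string < letters < everything else
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        oa, ob = _order(ca), _order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate runs of non-digits (dpkg lexical order) and digits (numeric order).
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering versions like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(suite, installed):
    return compare_versions(installed, FIXED[suite]) >= 0

def running_version(proc_version):
    # Take the last "Debian <version>" field; the gcc banner may contain an earlier one.
    found = re.findall(r"\bDebian (\d[^\s)]*)", proc_version)
    return found[-1] if found else None
```

On a live host, pass the contents of /proc/version to running_version() and the suite name to is_patched(); a False result means the running kernel predates the fix and the machine still needs the update and a reboot.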