Available for Debian Buster and Stretch systems

Aug 21, 2019 11:38 GMT

The Debian Project released a new Linux kernel security update for its stable, supported distributions to address several vulnerabilities that may put users' computers at risk.

Available for the Debian GNU/Linux 10 "Buster" and Debian GNU/Linux 9 "Stretch" operating system series, the new Linux kernel security update addresses a total of 14 vulnerabilities discovered by various security researchers. The Debian Project urges all users to update their installations as soon as possible.

Among the security flaws patched, we can mention a race condition in the libsas subsystem that supports Serial Attached SCSI (SAS) devices, a potential double-free in the block subsystem, as well as two issues that could make it easier for attackers to exploit other vulnerabilities.

Furthermore, the security patch addresses issues discovered in the Linux kernel's vfio implementation, vhost drivers, the IPv4 multicast routing implementation, PowerPC (ppc64el) systems without Transactional Memory (TM), and several of the drivers needed for UART-attached Bluetooth adapters, all of which may cause a denial of service.

Also fixed is a 4-year-old vulnerability that wasn't completely addressed, which could lead to a denial of service (unexpected NMI) on the host when running a Xen guest. However, the researcher noted that the fix for this issue is not compatible with versions of QEMU before 2.5.

Users must update their systems immediately

The new Linux kernel security patch also fixes a possible use-after-free discovered in the TCP sockets implementation, which could let a local user escalate his/her privileges or cause memory corruption or a system crash, and a bug in the gtco driver for USB input tablets that allows a physically present user with a malicious USB device to escalate his/her privileges or cause a denial of service.

While floppy disks are extinct by now, two issues affect the Linux kernel's floppy disk driver, a potential division-by-zero flaw and a missing bounds check bug, both of which allow a local attacker with access to a floppy disk to cause a denial of service or obtain sensitive information from kernel memory beyond the I/O buffer.

It was also discovered that the generation of IP packet IDs used a weak hash function, which could enable tracking of individual computers as they communicate with various remote servers from different networks. To fix this issue, the "siphash" hash function is now used instead of "jhash."

Last but not least, the new Debian Linux kernel patch mitigates a subtype of the well-known Spectre variant 1 security vulnerability affecting most x86 processors, in which the processor could speculatively skip a conditional SWAPGS instruction when entering the kernel from user mode. While i386 kernels aren't affected, the issue was fixed by using memory barriers to limit speculative execution.

"It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes," reads the security advisory.

All these security vulnerabilities are now patched in the latest stable Debian GNU/Linux 10 "Buster" operating system series, as well as in the old-stable Debian GNU/Linux 9 "Stretch" operating system series. Users of Debian GNU/Linux 10 "Buster" should install kernel version 4.19.37-5+deb10u2, while Debian GNU/Linux 9 "Stretch" users must install kernel version 4.9.168-1+deb9u5.