A total of 27 security vulnerabilities were patched

May 2, 2018 13:20 GMT

The Debian Project released new major Linux kernel patches for the Debian GNU/Linux 8 "Jessie" and Debian GNU/Linux 9 "Stretch" operating system series to address a total of 27 security vulnerabilities, including an 8-year-old privilege escalation flaw.

First and foremost, the security update again patches Debian GNU/Linux's kernel against both variants of the Spectre vulnerability (CVE-2017-5715 and CVE-2017-5753). These could allow an attacker who has control over an unprivileged process to read memory from arbitrary addresses, including kernel memory.

While Spectre Variant 2 was mitigated for the x86 architecture (amd64 and i386) via the retpoline compiler feature, Spectre Variant 1 was mitigated by first identifying the vulnerable code sections and then replacing the array access with the speculation-safe array_index_nospec() function.
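The Variant 1 fix pattern described above can be sketched in user-space C. This is an added example, not code from the Debian update or the kernel tree: the mask arithmetic follows the kernel's generic C fallback for array_index_nospec(), while the names index_mask_nospec, index_nospec, lookup_hardened and the sample table are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define TABLE_LEN 8UL

/* Constructed sample data standing in for a kernel table. */
static const unsigned char table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (true for GCC and Clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Keep the compiler from turning the mask back into a branch. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
                           (BITS_PER_LONG - 1));
}

/* In-bounds indexes pass through unchanged; out-of-bounds ones become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Bounds check plus clamp: a mispredicted branch can only reach table[0]. */
int lookup_hardened(unsigned long untrusted_idx, unsigned char *out)
{
    if (untrusted_idx >= TABLE_LEN)
        return -1;
    untrusted_idx = index_nospec(untrusted_idx, TABLE_LEN);
    *out = table[untrusted_idx];
    return 0;
}

int main(void)
{
    unsigned long samples[] = {0, 7, 8, ULONG_MAX};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("index %lu -> clamped %lu\n", samples[i],
               index_nospec(samples[i], TABLE_LEN));
    return 0;
}
```

The clamp is computed with data dependencies only, so it holds even while the CPU is speculating past the bounds check.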

Another important bug (CVE-2018-8781) patched with these new kernel updates for Debian GNU/Linux is a recently unearthed privilege escalation flaw that was introduced in the Linux kernel no less than eight years ago. It affected the udl (DisplayLink) driver's mmap operation, allowing a local attacker with access to a udl framebuffer device to gain root access by overwriting kernel memory.

All Debian Jessie and Debian Stretch users should update now

Among other security vulnerabilities addressed in these new kernel updates, we can mention use-after-free flaws in the Linux kernel's USBTV007 audio-video grabber and Hisilicon HNS ethernet drivers, a NULL pointer dereference flaw in the netfilter subsystem, as well as a double-free flaw in the blkcg_init_queue() function in block/blk-cgroup.c.

The updates also fix a race condition between ioctl and write operations in the Linux kernel's ALSA (Advanced Linux Sound Architecture) sequencer core, a memory leak in the SAS (Serial-Attached SCSI) subsystem, a race condition in the x86 MCE (Machine Check Exception) driver, and a NULL pointer dereference flaw in the xfs_bmapi_write() function.

Also affected are the Linux kernel's F2FS and OCFS2 file system implementations, the Hisilicon Network Subsystem (HNS) driver implementation, the CIFS client implementation, the 32-bit compatibility layer, the crng_ready() function, the SCTP protocol, the hugetlbfs filesystem's mmap operation, the hwsim_new_radio_nl() function, the ncpfs client implementation, and the ptrace subsystem.

All Debian Jessie and Debian Stretch users are urged to update their kernels as soon as possible after reading this. While Debian GNU/Linux 8 "Jessie" users will have to upgrade their kernels to version 3.16.56-1, Debian GNU/Linux 9 "Stretch" users must update their kernels to version 4.9.88-1. Please reboot your systems after applying the new kernel versions.