Debian GNU/Linux 10 “Buster” Users Get New Linux Kernel Security Update, 4 Flaws Patched

Debian GNU/Linux 10.10


The Debian Project released today a new Linux kernel security update for its Debian GNU/Linux 10 “Buster” operating system series to address several security issues.

The new Linux kernel security update comes about three months after the previous kernel update and it’s here to address a total of four security vulnerabilities discovered by various security researchers in the upstream Linux 4.19 kernel series used by the Debian GNU/Linux 10 “Buster” operating system.

The four security flaws patched in this kernel update are CVE-2020-36311, a vulnerability discovered in the KVM subsystem for AMD CPUs that could allow an attacker to cause a denial of service (soft lockup) by triggering the destruction of a large Secure Encrypted Virtualization (SEV) virtual machine.

The second vulnerability patched is CVE-2021-3609, a race condition reported by Norbert Slusarek in Linux kernel’s CAN BCM networking protocol, which could allow a local attacker to escalate their privileges.

The third security issue addressed by the new Debian Buster kernel update is CVE-2021-33909, a 7-years-old privilege escalation flaw discovered by Qualys Research Labs in Linux kernel’s file system layer, which could allow an unprivileged user to create, mount, and then delete a large directory structure of over 1GB in size.

Lastly, the new Debian Buster kernel update fixes CVE-2021-34693, an information leak discovered by Norbert Slusarek in Linux kernel’s CAN BCM networking protocol, which could allow a local attacker to obtain sensitive information from the kernel stack memory.

The Debian Project urges all users of the Debian GNU/Linux 10 “Buster” operating system series to update their kernel packages to version 4.19.194-3 as soon as possible, which will fix all the security issues above. Please note that, after installing the new kernel version, you need to reboot your computer.

In related news, the Debian Project also released today a security update for the systemd package to address CVE-2021-33910, a memory corruption vulnerability discovered by Qualys Research Labs where an attacker-controlled allocation using the alloca() function could crash systemd and the entire operating system.

Make sure that you also update the systemd package to version 241-7~deb10u8. To update your Debian GNU/Linux installations, run the sudo apt update && sudo apt full-upgrade command in a terminal emulator or use your favorite graphical package manager.

Image credits: Debian Project

Last updated 2 months ago