A new Linux kernel security update for Debian GNU/Linux 10 "Buster" has been released to address five recently disclosed vulnerabilities reported by various security researchers.
According to Debian Security Advisory DSA-4667-1, the update patches a flaw (CVE-2020-2732) discovered by Paolo Bonzini in the KVM (Kernel-based Virtual Machine) implementation for Intel CPUs, affecting instruction emulation for nested guests. When nested virtualization is enabled, an L2 guest could exploit it to cause a denial of service in, leak sensitive information from, or gain privileges in the L1 guest.
The kernel update also fixes a vulnerability (CVE-2020-10942) in the kernel's vhost_net driver, which could allow a local attacker with access to /dev/vhost-net to cause a stack corruption through crafted system calls. This could lead to a denial of service (system crash) and possibly to privilege escalation. The issue is reachable only by users who can open that device node, so its permissions (often widened for VM hosting setups) decide who can trigger it.
There is also a fix for a stack-based out-of-bounds write flaw (CVE-2020-11565) reported by Entropy Moe in the shared memory filesystem (tmpfs), caused by mishandling of an empty node list in the "mpol" mount option. This could allow a local attacker to either escalate privileges or cause a denial of service (system crash) if user namespaces are enabled on the system, since an unprivileged user can then mount tmpfs with attacker-controlled options inside a user namespace.
Also patched are a use-after-free (CVE-2020-8428) vulnerability in the VFS layer's path lookup code, which could allow a local attacker to either cause a denial of service (system crash) or obtain sensitive information from kernel memory, and a race condition (CVE-2020-11884) in the memory management code for IBM Z (s390x architecture), which could let a local attacker escalate privileges.
These two issues were discovered by Al Viro, and the latter was also patched in Canonical's recent Ubuntu 20.04 LTS release, as well as in Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS kernel updates.
The Debian Project recommends that all Debian GNU/Linux 10 "Buster" users update their kernel packages to version 4.19.98-1+deb10u1 as soon as possible. A system reboot is required after installing the update: the new kernel only protects the system once it is actually running, so an upgraded package on a machine still booted into the old kernel remains exposed to all five issues.
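The following POSIX shell script is an added example, not part of the advisory or of Debian's own tooling. It checks a Buster host after the update: whether the installed kernel package is at or past 4.19.98-1+deb10u1, whether the running kernel (Debian embeds the package version in `uname -v`) already is that version or a reboot is still pending, and two exposure conditions the advisory names for the local-only issues, the permissions on /dev/vhost-net (CVE-2020-10942) and Debian's kernel.unprivileged_userns_clone sysctl (CVE-2020-11565). The metapackage name linux-image-amd64 and the sample strings are assumptions; use the metapackage for your architecture.

```shell
#!/bin/sh
# Added example (not from DSA-4667-1 or Debian): post-update audit for the
# Buster kernel fix. Assumes the linux-image-amd64 metapackage; change it
# for other architectures (e.g. linux-image-s390x for the CVE-2020-11884 case).
set -eu

FIXED_VERSION="4.19.98-1+deb10u1"

# version_ge A B: succeed when Debian package version A is >= B.
# Prefers dpkg's own comparison; falls back to GNU sort -V off-Debian.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
  fi
}

# package_status INSTALLED: "fixed" when INSTALLED is at or past FIXED_VERSION.
package_status() {
  if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# running_version UNAME_V: Debian kernels put the package version into
# `uname -v`, in the form "#1 SMP Debian <version> (<build date>)".
# Prints that version, or "unknown" when the string carries no Debian tag.
running_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p')
  if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# reboot_needed INSTALLED RUNNING: "no" only when the booted kernel is the
# installed package's version; an updated package changes nothing until reboot.
reboot_needed() {
  if [ "$2" != unknown ] && [ "$1" = "$2" ]; then echo no; else echo yes; fi
}

# userns_exposure VALUE: CVE-2020-11565 needs user namespaces. Debian's
# kernel.unprivileged_userns_clone sysctl (1 = unprivileged users may create
# them) decides whether an unprivileged local user can reach the bug.
userns_exposure() {
  case "$1" in 1) echo exposed ;; *) echo restricted ;; esac
}

# live_audit: run the checks against this host (Debian only).
live_audit() {
  installed=$(dpkg-query -W -f='${Version}' linux-image-amd64 2>/dev/null || echo 0)
  running=$(running_version "$(uname -v)")
  echo "installed: $installed ($(package_status "$installed"))"
  echo "running:   $running (reboot needed: $(reboot_needed "$installed" "$running"))"
  if [ -e /dev/vhost-net ]; then
    # CVE-2020-10942 is reachable only by users who can open this device.
    echo "/dev/vhost-net: $(stat -c '%A %U:%G' /dev/vhost-net)"
  fi
  if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    echo "unprivileged user namespaces: $(userns_exposure "$(cat /proc/sys/kernel/unprivileged_userns_clone)")"
  fi
}

# Only touch the live system when explicitly asked, so the helper functions
# can be exercised anywhere.
if [ "${1:-}" = "--live" ]; then live_audit; fi
```

Run it as `sh audit.sh --live` on the Buster host after `apt update && apt upgrade` (hypothetical file name). A "vulnerable" package status means the update has not been installed; "reboot needed: yes" with a fixed package means the old kernel is still running. Note that the package version, not the `uname -r` ABI name (4.19.0-8-amd64 style), is what identifies the fix, which is why the script parses `uname -v`.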