New Debian Buster Linux Kernel Security Update Fixes 11 Vulnerabilities

Debian GNU/Linux 10.3


The Debian Project released today a new Linux kernel security update for its stable Debian GNU/Linux 10 “Buster” operating system series to address several vulnerabilities and some bugs.

The new Linux kernel update for Debian GNU/Linux 10 is here to fix no less than 11 security vulnerabilities, including CVE-2020-28374, a critical flaw discovered by David Disseldorp in Linux kernel’s LIO SCSI target implementation, allowing a remote attacker with access to at least one iSCSI LUN in a multiple backstore environment to expose sensitive information or modify data.

Same goes for CVE-2020-36158, a buffer overflow flaw discovered in the mwifiex Wi-Fi driver that could allow remote attackers to execute arbitrary code via a long SSID value.

Also fixed in this new Debian kernel security update is CVE-2021-20177, a flaw discovered in Linux kernel’s string matching implementation within a packet, which could allow a privileged user with root or CAP_NET_ADMIN privileges to cause a kernel panic when inserting iptables rules, as well as CVE-2020-27825, a use-after-free flaw found in the ftrace ring buffer resizing logic, which could result in denial of service or information leak.

Two other use-after-free flaws were fixed, namely CVE-2020-29569, discovered by Olivier Benjamin and Pawel Wieczorkiewicz in the Linux kernel through 5.10.1, allowing a misbehaving guest to trigger a dom0 crash by continuously connecting and disconnecting a block frontend, and CVE-2021-3347, discovered in the Linux kernel through 5.10.11 and allowing an unprivileged user to crash the kernel or escalate his/her privileges.

Thanks to Google Project Zero’s Jann Horn, two other flaws (CVE-2020-29660 and CVE-2020-29661) causing a locking inconsistency issue in Linux kernel’s tty subsystem through version 5.9.13 were patched in the new kernel update for Debian Buster. While CVE-2020-29660 lets a local attacker to mount a read-after-free attack against TIOCGSID, CVE-2020-29661 could be used by a local attacker for memory corruption or privilege escalation.

Last but not least, the new Debian Buster kernel security update addresses CVE-2020-27815, a flaw discovered in the JFS file system code that could allow a local attacker with the ability to set extended attributes to cause a denial of service, CVE-2020-29568, an issue discovered by Michael Kurth and Pawel Wieczorkiewicz in Xen through 4.14.x allowing a guest to trigger an OOM in the backend by updating a watched path, as well as CVE-2020-27830, a NULL pointer dereference flaw discovered by Shisong Qin in the Speakup screen reader core driver.

The Debian Project urges all Debian GNU/Linux 10 “Buster” users to update the kernel packages in their installations to version 4.19.171-2 as soon as possible. To update your installations, simply run the sudo apt update && sudo apt full-upgrade commands in a terminal emulator. Don’t forget to save your work and reboot your computers after installing the new kernel version!

Last updated 10 months ago