Debian GNU/Linux users need to update to 3.16.36-1+deb8u1

Sep 6, 2016 21:03 GMT

The Debian Project has released a new update to the kernel packages of its current stable distribution, Debian GNU/Linux 8.5 "Jessie," patching four security flaws discovered by various hackers and researchers.

Salvatore Bonaccorso informed the community about the new Linux kernel security update for Debian Jessie through the Debian Security Advisory DSA-3659-1 announcement, which details a total of four security flaws: CVE-2016-5696, CVE-2016-6136, CVE-2016-6480, and CVE-2016-6828.

The most important of these appears to be CVE-2016-5696, a serious bug in the Linux kernel's TCP (Transmission Control Protocol) implementation: its Challenge ACK feature could allow an attacker to inject messages into the connections between specific IP addresses.

"Where a service is made available through TCP, this may allow remote attackers to impersonate another connected user to the server or to impersonate the server to another connected user. In case the service uses a protocol with message authentication (e.g. TLS or SSH), this vulnerability only allows denial of service (connection failure)," reads the security advisory.

The issue was addressed by increasing the rate limit for the TCP Challenge ACK feature to a value that can never be exceeded in practice (e.g. sysctl net.ipv4.tcp_challenge_ack_limit=1000000000). This infamous TCP flaw affected 1.4 billion Android devices running an outdated Linux kernel.
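The following shell script is an added example for administrators checking a Jessie host; it is not part of the advisory or of this article. It extracts the Debian kernel package version from the running kernel (it assumes Debian-built kernels embed that version after the word "Debian" in /proc/version), compares it against 3.16.36-1+deb8u1 (with dpkg --compare-versions when dpkg is present, otherwise an approximate sort -V fallback), classifies the current tcp_challenge_ack_limit value using the 1000000000 figure quoted above as the "cannot be exceeded" threshold, and prints the persistent sysctl drop-in for hosts that are not yet running the fixed kernel. The file name 99-challenge-ack.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from DSA-3659-1 or the article): check a Debian Jessie
# host for the fixed kernel and the CVE-2016-5696 challenge-ACK mitigation.
# Assumption: Debian kernels put the package version after "Debian " in
# /proc/version, e.g. "#1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03)".

FIXED_VERSION="3.16.36-1+deb8u1"    # version named in DSA-3659-1
UNREACHABLE_LIMIT=1000000000         # sysctl value quoted in the article

# Extract the Debian kernel package version from a /proc/version line.
# The greedy .* makes sed use the LAST "Debian " on the line, so the
# compiler's own "(Debian 4.8.4-1)" tag earlier in the line is skipped.
# Prints nothing for a kernel that is not Debian-packaged.
debian_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) if VERSION is at least FIXED_VERSION. dpkg implements
# the real Debian ordering; sort -V is an approximation for hosts without it.
is_fixed_version() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$FIXED_VERSION"
    else
        highest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | tail -n 1)
        [ "$highest" = "$1" ]
    fi
}

# Classify a tcp_challenge_ack_limit value: a small, reachable limit is the
# condition the advisory's fix removes; the huge value counts as mitigated.
challenge_ack_status() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown"; return ;;   # sysctl absent or non-numeric
    esac
    if [ "$1" -ge "$UNREACHABLE_LIMIT" ]; then
        echo "mitigated"
    else
        echo "rate-limited"
    fi
}

# Render the persistent setting for /etc/sysctl.d (assumed file name below).
sysctl_dropin() {
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$UNREACHABLE_LIMIT"
}

# Live report for the host this runs on. Note: an upgraded kernel package
# only takes effect after a reboot, which is why /proc/version (the running
# kernel) is checked rather than the installed package list.
report() {
    running=$(debian_kernel_version "$(cat /proc/version 2>/dev/null)")
    if [ -n "$running" ] && is_fixed_version "$running"; then
        echo "running kernel $running: fixed version or later"
    else
        echo "running kernel ${running:-non-Debian/unknown}: not the fixed version"
        limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null)
        echo "tcp_challenge_ack_limit=${limit:-absent}: $(challenge_ack_status "$limit")"
        echo "interim workaround: write this to /etc/sysctl.d/99-challenge-ack.conf, then run: sysctl --system"
        sysctl_dropin
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh check-challenge-ack.sh --report` on the host. The "unknown" branch covers kernels that do not expose tcp_challenge_ack_limit at all, so a missing sysctl is reported rather than silently treated as safe.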

Debian GNU/Linux 8 "Jessie" users need to update their systems now

The new Linux kernel security update also patches issues in the kernel's audit subsystem and in the aacraid driver for Adaptec RAID controllers, as well as a "use-after-free" bug in the TCP implementation whose security impact is not yet known, although it is believed to allow privilege escalation or denial of service.

The Debian Project urges all users of the Debian GNU/Linux 8 "Jessie" operating system to update to the new kernel version (3.16.36-1+deb8u1) as soon as possible. The updated kernel packages are already available in the repositories, so all you have to do is fire up your favorite package manager and apply all updates.