Users are urged to update their systems immediately

Oct 2, 2018 16:06 GMT

The Debian Project released a new Linux kernel update for the Debian GNU/Linux 9 "Stretch" operating system series that addresses several security vulnerabilities discovered by various security researchers recently.

Affecting the long-term supported Linux 4.9 kernel used by the Debian GNU/Linux 9 "Stretch" operating system series, this major update patches a total of 18 security vulnerabilities discovered in the upstream Linux kernel, which may lead to information leaks, privilege escalation, or denial of service.

These include a memory leak in the irda_bind function and a flaw in the irda_setsockopt function of Linux kernel's IrDA subsystem, a flaw in the fd_locked_ioctl function in the Floppy driver, a buffer overflow in the Bluetooth HIDP implementation, and a double-realloc (double free) flaw in the rawmidi kernel driver.

Furthermore, a use-after-free bug and a potential null pointer dereference were discovered in Linux kernel's F2FS (Flash-Friendly File System) implementation, a potential null pointer dereference in the HFS+ implementation, and a stack-based buffer overflow flaw in the chap_server_compute_md5() function of the iSCSI target code.

The security patch also addresses a use-after-free bug in Linux kernel's InfiniBand communication manager, and a variant of the Spectre V2 vulnerability dubbed SpectreRSB. Mitigations are also available for the Spectre Variant 2 flaw for some indirect function calls used in paravirtualised guests.

Security flaws were also discovered in the HID events interface in debugfs, the Cipso IPv4 module, the Linux kernel exit code used on 64-bit (amd64) systems running as Xen PV guests, the yurex driver, and the cdrom driver, along with a use-after-free flaw in the vmacache_flush_all function.

Update your Debian GNU/Linux 9 "Stretch" system now

The Debian Project urges all users of the Debian GNU/Linux 9 "Stretch" operating system series to update their installations as soon as possible to Linux kernel version 4.9.110-3+deb9u5, which is now available for installation from the main archives. All you have to do is run the "sudo apt-get update && sudo apt-get full-upgrade" command in a terminal emulator.

Please note that after a kernel update you'll have to reboot your system for the security fixes to take effect. More details about how these security flaws affect your Debian machines can be found in the new security advisory published by Salvatore Bonaccorso on the debian-security-announce mailing list.
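A host-side check that follows the two steps above (upgrade the package, then reboot), added here as an example and not taken from the article or from Debian's own tooling: it reads the running kernel's Debian package version from `uname -v` and compares it, and the newest installed linux-image package, against the 4.9.110-3+deb9u5 build named in the advisory. The awk fallback is a simplified version comparison used only where dpkg is absent; the version strings used in testing are constructed.

```shell
# Added example, not part of the article: decide whether a Debian 9 "Stretch"
# host runs the fixed kernel build named in the advisory, and whether it still
# needs the reboot the article mentions. On Debian kernels `uname -v` looks like
# "#1 SMP Debian 4.9.110-3+deb9u5 (date)"; sample strings below are constructed.
FIXED_VERSION="4.9.110-3+deb9u5"

# Pull the Debian package version out of a `uname -v` string.
running_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# True (exit 0) when version $1 >= version $2. Uses dpkg's own comparison when
# it is installed; otherwise a simplified numeric field comparison that is
# adequate for the 4.9.NNN-N+deb9uN form used by Stretch kernels.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg --compare-versions "$1" ge "$2"; then return 0; else return 1; fi
    fi
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[^0-9]+"); m = split(b, y, "[^0-9]+")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Verdict for one host, given its `uname -v` output and the newest installed
# linux-image package version: "patched", "reboot-needed" or "update-needed".
kernel_status() {
    run_ver=$(running_pkg_version "$1")
    if version_ge "$run_ver" "$FIXED_VERSION"; then
        printf 'patched\n'
    elif version_ge "$2" "$FIXED_VERSION"; then
        printf 'reboot-needed\n'   # fixed package installed, old kernel still running
    else
        printf 'update-needed\n'
    fi
}

# Live check on a Debian host (skipped where dpkg-query is unavailable).
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}\n' 'linux-image-4.9*' 2>/dev/null | sort -V | tail -n 1)
    kernel_status "$(uname -v)" "${installed:-0}"
fi
```

A result of "reboot-needed" is the case the article warns about: the fixed package is on disk, but the vulnerable kernel is still the one running.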