Matthew Miller

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.11.6 **Description** The issue concerns the improper initialization of memory by the ext2 make empty function call when creating a block for a new directory entry. This allows local users to potentially obtain sensitive information by reading the block. **Recommendations** For Linux kernel versions prior to 2.6.11.6, update to version 2.6.11.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 2.4.6 through 2.4.30-rc1 Linux kernel versions 2.6 through 2.6.11.5 **Description** The issue allows local users to gain privileges through the bluez sock create function in the Bluetooth stack. This can be achieved via a socket or socketpair call with a negative protocol value. **Recommendations** For Linux kernel versions 2.4.6 through 2.4.30-rc1, consider updating to a version outside of this range to resolve the issue. For Linux kernel versions 2.6 through 2.6.11.5, consider updating to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the bluez sock create function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux versions prior to 2.6.11 **Description** The issue is related to "range checking flaws" in the ISO9660 filesystem handler, which may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem. **Recommendations** For Linux versions prior to 2.6.11, update to a version newer than 2.6.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6.8.1 Debian GNU/Linux kernel-image-2.4.19-sun4u-smp Debian GNU/Linux kernel-image-2.4.18-powerpc-xfs Debian GNU/Linux kernel-image-2.4.18-sun4u Debian GNU/Linux kernel-patch-benh Debian GNU/Linux kernel-image-2.4.18-sun4u-smp Debian GNU/Linux kernel-headers-2.4.19-sparc Debian GNU/Linux kernel-headers-2.4.18-sparc Debian GNU/Linux kernel-image-2.4.19-sun4u **Description** The issue is related to multiple vulnerabilities in the Linux kernel and Debian GNU/Linux kernel packages, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely, potentially causing a denial of service (kernel crash) via a pppd client. **Recommendations** For Linux kernel version 2.6.8.1: Update to a newer version to mitigate the risk. For Debian GNU/Linux kernel-image-2.4.19-sun4u-smp: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-image-2.4.18-powerpc-xfs: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-image-2.4.18-sun4u: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-patch-benh: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-image-2.4.18-sun4u-smp: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-headers-2.4.19-sparc: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-headers-2.4.18-sparc: Apply the available patch or update to a newer version. For Debian GNU/Linux kernel-image-2.4.19-sun4u: Apply the available patch or update to a newer version.

**Name of the Vulnerable Software and Affected Versions** zlib versions 1.2 and later zsync (affected versions not specified) sash (affected versions not specified) zlib-devel (affected versions not specified) zlib-devel-32bit (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow. This can be demonstrated using a crafted PNG file. The exploitation of these vulnerabilities may lead to a disruption of confidentiality, integrity, and availability of protected information. **Recommendations** For zlib versions 1.2 and later, consider updating to a version that fixes the buffer overflow issue. For zsync, sash, zlib-devel, and zlib-devel-32bit, at the moment, there is no information about a newer version that contains a fix for this vulnerability.