A new extended maintenance update is available for Univention Corporate Server 3.2.
It is applicable to the following patch-levels: 8.
It addresses the following problem:

Program component: univention-kernel-image
Reference: CVE-2015-8550, CVE-2015-8551, CVE-2015-8962, CVE-2015-8964,
  CVE-2015-8970, CVE-2016-2085, CVE-2016-2188, CVE-2016-3672,
  CVE-2016-3961, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097,
  CVE-2016-7425, CVE-2016-7911, CVE-2016-7913, CVE-2016-8405,
  CVE-2016-8633, CVE-2016-8645, CVE-2016-8650, CVE-2016-8655,
  CVE-2016-8658, CVE-2016-9083, CVE-2016-9555, CVE-2016-9588,
  CVE-2016-9604, CVE-2016-9794, CVE-2016-10088,
  CVE-2016-10208, CVE-2017-2583, CVE-2017-2584,
  CVE-2017-2618, CVE-2017-2636, CVE-2017-2671, CVE-2017-5549,
  CVE-2017-5551, CVE-2017-5669, CVE-2017-5897, CVE-2017-5970,
  CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6346,
  CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184,
  CVE-2017-7261, CVE-2017-7273, CVE-2017-7294, CVE-2017-7308,
  CVE-2017-7472, CVE-2017-7495, CVE-2017-7616, CVE-2017-7645,
  CVE-2017-7889, CVE-2017-8067, CVE-2017-8068, CVE-2017-8069,
  CVE-2017-8070, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925,
  CVE-2017-1000363, CVE-2017-1000364, CVE-2016-10277,
  CVE-2016-9576, bug 43602, bug 45244
Fixed version: 7.0.0-28.127.201709111629

This update of the Linux kernel to 3.10.107 addresses the following issues:
* Xen, when used on a system providing PV backends, allows local guest OS
  administrators to cause a denial of service (host OS crash) or gain
  privileges by writing to memory shared between the frontend and backend,
  aka a double fetch vulnerability (CVE-2015-8550)
* The PCI backend driver in Xen, when running on an x86 system and using
  Linux 3.1.x through 4.3.x as the driver domain, allows local guest
  administrators to hit BUG conditions and cause a denial of service (NULL
  pointer dereference and host OS crash) by leveraging a system with access
  to a passed-through MSI or MSI-X capable physical PCI device and a crafted
  sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity
  checks." (CVE-2015-8551)
* The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux
  kernel before 4.5 allows local users to obtain sensitive information from
  kernel memory by reading a tty data structure (CVE-2015-8964)
* crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify
  that a setkey operation has been performed on an AF_ALG socket before an
  accept system call is processed, which allows local users to cause a denial
  of service (NULL pointer dereference and system crash) via a crafted
  application that does not supply a key, related to the lrw_crypt function
  in crypto/lrw.c (CVE-2015-8970)
* Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs
  support in x86 PV guests, which allows local PV guest OS users to cause a
  denial of service (guest OS crash) by attempting to access a hugetlbfs
  mapped area (CVE-2016-3961)
* The tcp_check_send_head function in include/net/tcp.h in the Linux kernel
  before 4.7.5 does not properly maintain certain SACK state after a failed
  data copy, which allows local users to cause a denial of service
  (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted
  SACK option (CVE-2016-6828)
* The proc_keys_show function in security/keys/proc.c in the Linux kernel
  through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is
  enabled, uses an incorrect buffer size for certain timeout data, which
  allows local users to cause a denial of service (stack memory corruption
  and panic) by reading the /proc/keys file (CVE-2016-7042)
* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in
  the Linux kernel through 4.8.2 does not restrict a certain length field,
  which allows local users to gain privileges or cause a denial of service
  (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control
  code (CVE-2016-7425)
* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual
  hardware configurations, allows remote attackers to execute arbitrary code
  via crafted fragmented packets (CVE-2016-8633)
* The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation,
  which allows local users to cause a denial of service (system crash) via a
  crafted application that makes sendto system calls, related to
  net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (CVE-2016-8645)
* The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through
  4.8.11 does not ensure that memory is allocated for limb data, which allows
  local users to cause a denial of service (stack memory corruption and
  panic) via an add_key system call for an RSA key with a zero exponent
  (CVE-2016-8650)
* Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
  kernel before 4.7.5 allows local users to cause a denial of service (system
  crash) or possibly have unspecified other impact via a long SSID
  Information Element in a command to a Netlink socket (CVE-2016-8658)
* The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel
  before 4.8.8 lacks chunk-length checking for the first chunk, which allows
  remote attackers to cause a denial of service (out-of-bounds slab access)
  or possibly have unspecified other impact via crafted SCTP data
  (CVE-2016-9555)
* Race condition in the snd_pcm_period_elapsed function in
  sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7
  allows local users to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via a crafted
  SNDRV_PCM_TRIGGER_START command (CVE-2016-9794)
* The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel
  through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the
  LISTEN state, which allows local users to obtain root privileges or cause a
  denial of service (double free) via an application that makes an
  IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074)
* Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check,
  and the fact that parport_ptr integer is static, a 'secure boot' kernel
  command line adversary (can happen due to bootloader vulns, e.g. Google
  Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has
  partial control over the command line) can overflow the parport_nr array in
  the following code, by appending many (>LP_NO) 'lp=none' arguments to the
  command line (CVE-2017-1000363)
* The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
  Linux kernel through 4.10.15 allows attackers to cause a denial of service
  (double free) or possibly have unspecified other impact by leveraging use
  of the accept system call (CVE-2017-8890)
* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1
  allows local users to gain privileges or cause a denial of service (double
  free) by setting the HDLC line discipline (CVE-2017-2636)
* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly
  restrict association peel-off operations during certain wait states, which
  allows local users to cause a denial of service (invalid unlock and double
  free) via a multithreaded application. NOTE: this vulnerability exists
  because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353)
* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in
  the Linux kernel before 4.9.11 allows local users to cause a denial of
  service (assertion failure and panic) via a multithreaded application that
  peels off an association in a certain buffer-full state (CVE-2017-5986)
* The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in
  the Linux kernel before 4.6 allows local users to gain privileges or cause
  a denial of service (use-after-free) via vectors involving omission of the
  firmware name from a certain data structure (CVE-2016-7913)
* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through
  4.10.8 is too late in obtaining a certain lock and consequently cannot
  ensure that disconnect function calls are safe, which allows local users to
  cause a denial of service (panic) by leveraging access to the protocol
  value of IPPROTO_ICMP in a socket system call (CVE-2017-2671)
* drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts
  incorrectly with the CONFIG_VMAP_STACK option, which allows local users to
  cause a denial of service (system crash or memory corruption) or possibly
  have unspecified other impact by leveraging use of more than one virtual
  page for a DMA scatterlist (CVE-2017-8068, CVE-2017-8069)
* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the
  Linux kernel before 4.10.4 allows local users to obtain sensitive
  information (in the dmesg ringbuffer and syslog) from uninitialized kernel
  memory by using a crafted USB device (posing as an io_ti USB serial device)
  to trigger an integer underflow (CVE-2017-8924)
* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux
  kernel before 4.5.1 allows physically proximate attackers to cause a denial
  of service (NULL pointer dereference and system crash) via a crafted
  endpoints value in a USB device descriptor (CVE-2016-2188)
* The omninet_open function in drivers/usb/serial/omninet.c in the Linux
  kernel before 4.10.4 allows local users to cause a denial of service (tty
  exhaustion) by leveraging reference count mishandling (CVE-2017-8925)
* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13
  allows local users to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via a multithreaded application that
  makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346)
* The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows
  remote attackers to have unspecified impact via vectors involving GRE flags
  in an IPv6 packet, which trigger an out-of-bounds access (CVE-2017-5897)
* The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux
  kernel through 4.9.9 allows attackers to cause a denial of service (system
  crash) via (1) an application that makes crafted system calls or possibly
  (2) IPv4 traffic with invalid IP options (CVE-2017-5970)
* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in
  the Linux kernel before 4.9.5 places uninitialized heap-memory contents
  into a log entry upon a failure to read the line status, which allows local
  users to obtain sensitive information by reading the log (CVE-2017-5549)
* fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered
  mode is used, mishandles a needs-flushing-before-commit list, which allows
  local users to obtain sensitive information from other users' files in
  opportunistic circumstances by waiting for a hardware reset, creating a new
  file, making write system calls, and reading this file (CVE-2017-7495)
* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to
  cause a denial of service (memory consumption) via a series of
  KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls
  (CVE-2017-7472)
* The keyring_search_aux function in security/keys/keyring.c in the Linux
  kernel through 3.14.79 allows local users to cause a denial of service
  (NULL pointer dereference and OOPS) via a request_key system call for the
  "dead" type (CVE-2017-6951)
* The built-in keyrings for security tokens can be joined as a session and
  then modified by the root user (CVE-2016-9604)
* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux
  kernel through 4.10.6 does not validate certain size data after an
  XFRM_MSG_NEWAE update, which allows local users to obtain root privileges
  or cause a denial of service (heap-based out-of-bounds access) by
  leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own
  competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package
  4.8.0.41.52 (CVE-2017-7184)
* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before
  4.9.11 allows remote attackers to cause a denial of service (infinite loop
  and soft lockup) via vectors involving a TCP packet with the URG flag
  (CVE-2017-6214)
* Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate)
  (CVE-2017-2618)
* An information disclosure vulnerability in kernel components including the
  ION subsystem, Binder, USB driver and networking subsystem could enable a
  local malicious application to access data outside of its permission
  levels. This issue is rated as Moderate because it first requires
  compromising a privileged process. Product: Android. Versions: Kernel-3.10,
  Kernel-3.18. Android ID: A-31651010 (CVE-2016-8405)
* The simple_set_acl function in fs/posix_acl.c in the Linux kernel before
  4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs
  filesystem, which allows local users to gain group privileges by leveraging
  the existence of a setgid program with restrictions on execute permissions.
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2016-7097 (CVE-2017-5551)
* The filesystem implementation in the Linux kernel through 4.8.2 preserves
  the setgid bit during a setxattr call, which allows local users to gain
  group privileges by leveraging the existence of a setgid program with
  restrictions on execute permissions (CVE-2016-7097)
* arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users
  to obtain sensitive information from kernel memory or cause a denial of
  service (use-after-free) via a crafted application that leverages
  instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584)
* The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the
  Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector"
  instruction, which allows guest OS users to cause a denial of service
  (guest OS crash) or gain guest OS privileges via a crafted application
  (CVE-2017-2583)
* The evm_verify_hmac function in security/integrity/evm/evm_main.c in the
  Linux kernel before 4.5 does not properly copy data, which makes it easier
  for local users to forge MAC values via a timing side-channel attack
  (CVE-2016-2085)
* Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12
  allows local users to gain privileges or cause a denial of service
  (use-after-free) by leveraging the CAP_NET_RAW capability to change a
  socket version, related to the packet_set_ring and packet_setsockopt
  functions (CVE-2016-8655)
* An issue was discovered in the size of the stack guard page on Linux,
  specifically a 4k stack guard page is not sufficiently large and can be
  "jumped" over (the stack guard page is bypassed), this affects Linux Kernel
  versions 4.11.5 and earlier (the stackguard page was introduced in 2010)
  (CVE-2017-1000364)
* The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux
  kernel through 4.5.2 does not properly randomize the legacy base address,
  which makes it easier for local users to defeat the intended restrictions
  on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for
  a setuid or setgid program, by disabling stack-consumption resource limits
  (CVE-2016-3672)
* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and
  #OF exceptions, which allows guest OS users to cause a denial of service
  (guest OS crash) by declining to handle an exception thrown by an L2 guest
  (CVE-2016-9588)
* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
  4.10.11 allows remote attackers to cause a denial of service (system crash)
  via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
  fs/nfsd/nfsxdr.c (CVE-2017-7645)
* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel
  through 4.10.6 does not properly validate certain block-size data, which
  allows local users to cause a denial of service (integer signedness error
  and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability
  is held), via crafted system calls (CVE-2017-7308)
* drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts
  incorrectly with the CONFIG_VMAP_STACK option, which allows local users to
  cause a denial of service (system crash or memory corruption) or possibly
  have unspecified other impact by leveraging use of more than one virtual
  page for a DMA scatterlist (CVE-2017-8070)
* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before
  4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which
  allows local users to cause a denial of service (system crash or memory
  corruption) or possibly have unspecified other impact by leveraging use of
  more than one virtual page for a DMA scatterlist (CVE-2017-8067)
* The mm subsystem in the Linux kernel through 4.10.10 does not properly
  enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local
  users to read or write to kernel memory locations in the first megabyte
  (and bypass slab-allocation access restrictions) via an application that
  opens the /dev/mem file, related to arch/x86/mm/init.c and
  drivers/char/mem.c (CVE-2017-7889)
* Incorrect error handling in the set_mempolicy and mbind compat syscalls in
  mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to
  obtain sensitive information from uninitialized stack data by triggering
  failure of a certain bitmap operation (CVE-2017-7616)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6
  does not validate addition of certain levels data, which allows local users
  to trigger an integer overflow and out-of-bounds write, and cause a denial
  of service (system hang or crash) or possibly gain privileges, via a
  crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5
  does not check for a zero value of certain levels data, which allows local
  users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and
  possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device
  (CVE-2017-7261)
* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does
  not restrict the address calculated by a certain rounding operation, which
  allows local users to map page zero, and consequently bypass a protection
  mechanism that exists for the mmap system call, by making crafted shmget
  and shmat system calls in a privileged context (CVE-2017-5669)
* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel
  before 4.9.13 improperly manages lock dropping, which allows local users to
  cause a denial of service (deadlock) via crafted operations on IrDA devices
  (CVE-2017-6348)
* Double free vulnerability in the sg_common_write function in
  drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain
  privileges or cause a denial of service (memory corruption and system
  crash) by detaching a device during an SG_IO ioctl call (CVE-2015-8962)
* drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local
  users to bypass integer overflow checks, and cause a denial of service
  (memory corruption) or have unspecified other impact, by leveraging access
  to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a
  "state machine confusion bug." (CVE-2016-9083)
* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux
  kernel 4.x before 4.9.4 allows physically proximate attackers to cause a
  denial of service (integer underflow) or possibly have unspecified other
  impact via a crafted HID report (CVE-2017-7273)
* The sg implementation in the Linux kernel through 4.9 does not properly
  restrict write operations in situations where the KERNEL_DS option is set,
  which allows local users to read or write to arbitrary kernel memory
  locations or cause a denial of service (use-after-free) by leveraging
  access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c.
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2016-9576 (CVE-2016-10088)
* Race condition in the get_task_ioprio function in block/ioprio.c in the
  Linux kernel before 4.6.6 allows local users to gain privileges or cause a
  denial of service (use-after-free) via a crafted ioprio_get system call
  (CVE-2016-7911)
* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through
  4.9.8 does not properly validate meta block groups, which allows physically
  proximate attackers to cause a denial of service (out-of-bounds read and
  system crash) via a crafted ext4 image (CVE-2016-10208)
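
The bounds check missing in the CVE-2017-1000363 item above (drivers/char/lp.c), shown as an added example that is not part of the original advisory and is not kernel source: a user-space C model of the 'lp=none' handling with and without the index check against LP_NO. The struct, the function names, the guard slots, the sample command line and the constants' values are assumptions of the model.

```c
/* User-space model of the "lp=none" handling (CVE-2017-1000363).
 * Added example, not kernel source: names and constant values are assumed. */
#include <stdio.h>
#include <string.h>

#define LP_NO           8            /* slots in parport_nr[] (assumed value) */
#define GUARD_SLOTS     8            /* stand-in for memory behind the array */
#define LP_PARPORT_NONE (-1)         /* marker stored for "none" (assumed) */
#define CANARY          0x5a5a5a5a   /* initial content of every slot */

struct lp_model {
    int slots[LP_NO + GUARD_SLOTS];  /* [0, LP_NO) models parport_nr[] */
    int parport_ptr;                 /* static in the driver, never reset */
    int rejected;                    /* arguments refused by the check */
};

/* Handle one "lp=none"; checked != 0 adds the comparison against LP_NO. */
static void lp_setup_none(struct lp_model *m, int checked)
{
    if (checked && m->parport_ptr >= LP_NO) {
        m->rejected++;
        return;
    }
    /* The model stops at the end of its own buffer to stay well defined. */
    if (m->parport_ptr < LP_NO + GUARD_SLOTS)
        m->slots[m->parport_ptr++] = LP_PARPORT_NONE;
}

/* Feed every "lp=none" token of a space-separated command line to the model. */
static struct lp_model replay_cmdline(const char *cmdline, int checked)
{
    struct lp_model m;
    const char *p = cmdline;
    int i;

    for (i = 0; i < LP_NO + GUARD_SLOTS; i++)
        m.slots[i] = CANARY;
    m.parport_ptr = 0;
    m.rejected = 0;
    while (*p) {
        size_t len;
        p += strspn(p, " ");
        len = strcspn(p, " ");
        if (len == 7 && strncmp(p, "lp=none", 7) == 0)
            lp_setup_none(&m, checked);
        p += len;
    }
    return m;
}

/* Number of slots behind parport_nr[] that no longer hold the canary. */
static int clobbered(const struct lp_model *m)
{
    int i, hit = 0;
    for (i = LP_NO; i < LP_NO + GUARD_SLOTS; i++)
        if (m->slots[i] != CANARY)
            hit++;
    return hit;
}

/* Constructed input: a boot command line followed by n_none "lp=none". */
static struct lp_model run_case(int n_none, int checked)
{
    char cmdline[512] = "root=/dev/sda1 quiet";
    int i;
    for (i = 0; i < n_none && i < 40; i++)
        strcat(cmdline, " lp=none");
    return replay_cmdline(cmdline, checked);
}

int main(void)
{
    struct lp_model bad = run_case(LP_NO + 3, 0), good = run_case(LP_NO + 3, 1);
    printf("unchecked: %d slots overwritten past the array\n", clobbered(&bad));
    printf("checked:   %d overwritten, %d arguments rejected\n",
           clobbered(&good), good.rejected);
    return 0;
}
```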

This is the second part of the update.

We recommend updating your UCS installation. Updated packages are
available in the Univention online repository, which is automatically
added to the apt package sources. The following procedures can be
used to update a UCS installation:

1. A single system can be updated in the web interface of the
   Univention Management Console through the "Software update" module.

2. A single system can be updated on the command line by running the
   command "univention-upgrade".

3. Multiple systems can be updated through a maintenance policy.

Additional information can be found in the UCS manual.


An overview of all available errata updates can be found online at
http://errata.univention.de/
--
Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

<info@univention.de>
http://www.univention.de/

Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax No.: 71-597-02876