Univention Bugzilla – Attachment 9217 Details for Bug 45244: linux: Multiple security issues (ES 3.2)
[patch] Advisories
0001-Bug-45244-linux-3.10.107.patch (text/plain), 45.50 KB, created by Philipp Hahn on 2017-09-18 15:47:30 CEST
Flags: patch, obsolete
>From ffa89fb7d73a9925f42f88883aa1cd6fa5c27ee0 Mon Sep 17 00:00:00 2001 >Message-Id: <ffa89fb7d73a9925f42f88883aa1cd6fa5c27ee0.1505742392.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Mon, 18 Sep 2017 15:45:59 +0200 >Subject: [PATCH] Bug #45244: linux-3.10.107 >Organization: Univention GmbH, Bremen, Germany > >--- > advisories/3.2-linux.txt | 351 +++++++++++++++++++++++++++++ > advisories/3.2-univention-kernel-image.txt | 351 +++++++++++++++++++++++++++++ > 2 files changed, 702 insertions(+) > create mode 100644 advisories/3.2-linux.txt > create mode 100644 advisories/3.2-univention-kernel-image.txt > >diff --git a/advisories/3.2-linux.txt b/advisories/3.2-linux.txt >new file mode 100644 >index 0000000..9052a71 >--- /dev/null >+++ b/advisories/3.2-linux.txt 
>@@ -0,0 +1,351 @@ >+A new extended maintenance update is available for Univention Corporate Server 3.2. >+It is applicable to the following patch-levels: 8. >+It addresses the following problem: >+ >+Program component: linux >+Reference: CVE-2015-8550, CVE-2015-8551, CVE-2015-8962, CVE-2015-8964, >+ CVE-2015-8970, CVE-2016-2085, CVE-2016-2188, CVE-2016-3672, >+ CVE-2016-3961, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, >+ CVE-2016-7425, CVE-2016-7911, CVE-2016-7913, CVE-2016-8405, >+ CVE-2016-8633, CVE-2016-8645, CVE-2016-8650, CVE-2016-8655, >+ CVE-2016-8658, CVE-2016-9083, CVE-2016-9555, CVE-2016-9588, >+ CVE-2016-9604, CVE-2016-9794, CVE-2016-10088, >+ CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, >+ CVE-2017-2618, CVE-2017-2636, CVE-2017-2671, CVE-2017-5549, >+ CVE-2017-5551, CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, >+ CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6346, >+ CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184, >+ CVE-2017-7261, CVE-2017-7273, CVE-2017-7294, CVE-2017-7308, >+ CVE-2017-7472, CVE-2017-7495, CVE-2017-7616, CVE-2017-7645, >+ CVE-2017-7889, CVE-2017-8067, CVE-2017-8068, CVE-2017-8069, >+ CVE-2017-8070, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925, >+ CVE-2017-1000363, CVE-2017-1000364, CVE-2016-10277, >+ CVE-2016-9576, bug 43602, bug 45244 >+Fixed version: 3.10.104-0.1.228.201709081326 >+ >+This update of the Linux kernel to 3.10.107 addresses the following issues: >+* Xen, when used on a system providing PV backends, allows local guest OS >+ administrators to cause a denial of service (host OS crash) or gain >+ privileges by writing to memory shared between the frontend and backend, >+ aka a double fetch vulnerability (CVE-2015-8550) >+* The PCI backend driver in Xen, when running on an x86 system and using >+ Linux 3.1.x through 4.3.x as the driver domain, allows local guest >+ administrators to hit BUG conditions and cause a denial of service (NULL >+ pointer dereference and host OS crash) by leveraging a system 
with access >+ to a passed-through MSI or MSI-X capable physical PCI device and a crafted >+ sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity >+ checks." (CVE-2015-8551) >+* The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux >+ kernel before 4.5 allows local users to obtain sensitive information from >+ kernel memory by reading a tty data structure (CVE-2015-8964) >+* crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify >+ that a setkey operation has been performed on an AF_ALG socket before an >+ accept system call is processed, which allows local users to cause a denial >+ of service (NULL pointer dereference and system crash) via a crafted >+ application that does not supply a key, related to the lrw_crypt function >+ in crypto/lrw.c (CVE-2015-8970) >+* Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs >+ support in x86 PV guests, which allows local PV guest OS users to cause a >+ denial of service (guest OS crash) by attempting to access a hugetlbfs >+ mapped area (CVE-2016-3961) >+* The tcp_check_send_head function in include/net/tcp.h in the Linux kernel >+ before 4.7.5 does not properly maintain certain SACK state after a failed >+ data copy, which allows local users to cause a denial of service >+ (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted >+ SACK option (CVE-2016-6828) >+* The proc_keys_show function in security/keys/proc.c in the Linux kernel >+ through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is >+ enabled, uses an incorrect buffer size for certain timeout data, which >+ allows local users to cause a denial of service (stack memory corruption >+ and panic) by reading the /proc/keys file (CVE-2016-7042) >+* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in >+ the Linux kernel through 4.8.2 does not restrict a certain length field, >+ which allows local users to gain privileges or cause a 
denial of service >+ (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control >+ code (CVE-2016-7425) >+* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual >+ hardware configurations, allows remote attackers to execute arbitrary code >+ via crafted fragmented packets (CVE-2016-8633) >+* The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, >+ which allows local users to cause a denial of service (system crash) via a >+ crafted application that makes sendto system calls, related to >+ net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (CVE-2016-8645) >+* The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through >+ 4.8.11 does not ensure that memory is allocated for limb data, which allows >+ local users to cause a denial of service (stack memory corruption and >+ panic) via an add_key system call for an RSA key with a zero exponent >+ (CVE-2016-8650) >+* Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in >+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux >+ kernel before 4.7.5 allows local users to cause a denial of service (system >+ crash) or possibly have unspecified other impact via a long SSID >+ Information Element in a command to a Netlink socket (CVE-2016-8658) >+* The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel >+ before 4.8.8 lacks chunk-length checking for the first chunk, which allows >+ remote attackers to cause a denial of service (out-of-bounds slab access) >+ or possibly have unspecified other impact via crafted SCTP data >+ (CVE-2016-9555) >+* Race condition in the snd_pcm_period_elapsed function in >+ sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 >+ allows local users to cause a denial of service (use-after-free) or >+ possibly have unspecified other impact via a crafted >+ SNDRV_PCM_TRIGGER_START command (CVE-2016-9794) >+* The dccp_rcv_state_process function in net/dccp/input.c in 
the Linux kernel >+ through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the >+ LISTEN state, which allows local users to obtain root privileges or cause a >+ denial of service (double free) via an application that makes an >+ IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074) >+* Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, >+ and the fact that parport_ptr integer is static, a 'secure boot' kernel >+ command line adversary (can happen due to bootloader vulns, e.g. Google >+ Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has >+ partial control over the command line) can overflow the parport_nr array in >+ the following code, by appending many (>LP_NO) 'lp=none' arguments to the >+ command line (CVE-2017-1000363) >+* The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the >+ Linux kernel through 4.10.15 allows attackers to cause a denial of service >+ (double free) or possibly have unspecified other impact by leveraging use >+ of the accept system call (CVE-2017-8890) >+* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 >+ allows local users to gain privileges or cause a denial of service (double >+ free) by setting the HDLC line discipline (CVE-2017-2636) >+* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly >+ restrict association peel-off operations during certain wait states, which >+ allows local users to cause a denial of service (invalid unlock and double >+ free) via a multithreaded application. 
NOTE: this vulnerability exists >+ because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353) >+* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in >+ the Linux kernel before 4.9.11 allows local users to cause a denial of >+ service (assertion failure and panic) via a multithreaded application that >+ peels off an association in a certain buffer-full state (CVE-2017-5986) >+* The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in >+ the Linux kernel before 4.6 allows local users to gain privileges or cause >+ a denial of service (use-after-free) via vectors involving omission of the >+ firmware name from a certain data structure (CVE-2016-7913) >+* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through >+ 4.10.8 is too late in obtaining a certain lock and consequently cannot >+ ensure that disconnect function calls are safe, which allows local users to >+ cause a denial of service (panic) by leveraging access to the protocol >+ value of IPPROTO_ICMP in a socket system call (CVE-2017-2671) >+* drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts >+ incorrectly with the CONFIG_VMAP_STACK option, which allows local users to >+ cause a denial of service (system crash or memory corruption) or possibly >+ have unspecified other impact by leveraging use of more than one virtual >+ page for a DMA scatterlist (CVE-2017-8068, CVE-2017-8069) >+* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the >+ Linux kernel before 4.10.4 allows local users to obtain sensitive >+ information (in the dmesg ringbuffer and syslog) from uninitialized kernel >+ memory by using a crafted USB device (posing as an io_ti USB serial device) >+ to trigger an integer underflow (CVE-2017-8924) >+* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux >+ kernel before 4.5.1 allows physically proximate attackers to cause a denial >+ of service (NULL pointer dereference and 
system crash) via a crafted >+ endpoints value in a USB device descriptor (CVE-2016-2188) >+* The omninet_open function in drivers/usb/serial/omninet.c in the Linux >+ kernel before 4.10.4 allows local users to cause a denial of service (tty >+ exhaustion) by leveraging reference count mishandling (CVE-2017-8925) >+* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 >+ allows local users to cause a denial of service (use-after-free) or >+ possibly have unspecified other impact via a multithreaded application that >+ makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346) >+* The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows >+ remote attackers to have unspecified impact via vectors involving GRE flags >+ in an IPv6 packet, which trigger an out-of-bounds access (CVE-2017-5897) >+* The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux >+ kernel through 4.9.9 allows attackers to cause a denial of service (system >+ crash) via (1) an application that makes crafted system calls or possibly >+ (2) IPv4 traffic with invalid IP options (CVE-2017-5970) >+* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in >+ the Linux kernel before 4.9.5 places uninitialized heap-memory contents >+ into a log entry upon a failure to read the line status, which allows local >+ users to obtain sensitive information by reading the log (CVE-2017-5549) >+* fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered >+ mode is used, mishandles a needs-flushing-before-commit list, which allows >+ local users to obtain sensitive information from other users' files in >+ opportunistic circumstances by waiting for a hardware reset, creating a new >+ file, making write system calls, and reading this file (CVE-2017-7495) >+* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to >+ cause a denial of service (memory consumption) via a series of >+ 
KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls >+ (CVE-2017-7472) >+* The keyring_search_aux function in security/keys/keyring.c in the Linux >+ kernel through 3.14.79 allows local users to cause a denial of service >+ (NULL pointer dereference and OOPS) via a request_key system call for the >+ "dead" type (CVE-2017-6951) >+* The built-in keyrings for security tokens can be joined as a session and >+ then modified by the root user (CVE-2016-9604) >+* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux >+ kernel through 4.10.6 does not validate certain size data after an >+ XFRM_MSG_NEWAE update, which allows local users to obtain root privileges >+ or cause a denial of service (heap-based out-of-bounds access) by >+ leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own >+ competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package >+ 4.8.0.41.52 (CVE-2017-7184) >+* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before >+ 4.9.11 allows remote attackers to cause a denial of service (infinite loop >+ and soft lockup) via vectors involving a TCP packet with the URG flag >+ (CVE-2017-6214) >+* Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate) >+ (CVE-2017-2618) >+* An information disclosure vulnerability in kernel components including the >+ ION subsystem, Binder, USB driver and networking subsystem could enable a >+ local malicious application to access data outside of its permission >+ levels. This issue is rated as Moderate because it first requires >+ compromising a privileged process. Product: Android. Versions: Kernel-3.10, >+ Kernel-3.18. 
Android ID: A-31651010 (CVE-2016-8405) >+* The simple_set_acl function in fs/posix_acl.c in the Linux kernel before >+ 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs >+ filesystem, which allows local users to gain group privileges by leveraging >+ the existence of a setgid program with restrictions on execute permissions. >+ NOTE: this vulnerability exists because of an incomplete fix for >+ CVE-2016-7097 (CVE-2017-5551) >+* The filesystem implementation in the Linux kernel through 4.8.2 preserves >+ the setgid bit during a setxattr call, which allows local users to gain >+ group privileges by leveraging the existence of a setgid program with >+ restrictions on execute permissions (CVE-2016-7097) >+* arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users >+ to obtain sensitive information from kernel memory or cause a denial of >+ service (use-after-free) via a crafted application that leverages >+ instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584) >+* The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the >+ Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" >+ instruction, which allows guest OS users to cause a denial of service >+ (guest OS crash) or gain guest OS privileges via a crafted application >+ (CVE-2017-2583) >+* The evm_verify_hmac function in security/integrity/evm/evm_main.c in the >+ Linux kernel before 4.5 does not properly copy data, which makes it easier >+ for local users to forge MAC values via a timing side-channel attack >+ (CVE-2016-2085) >+* Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 >+ allows local users to gain privileges or cause a denial of service >+ (use-after-free) by leveraging the CAP_NET_RAW capability to change a >+ socket version, related to the packet_set_ring and packet_setsockopt >+ functions (CVE-2016-8655) >+* An issue was discovered in the size of the stack guard page on Linux, >+ 
specifically a 4k stack guard page is not sufficiently large and can be >+ "jumped" over (the stack guard page is bypassed), this affects Linux Kernel >+ versions 4.11.5 and earlier (the stackguard page was introduced in 2010) >+ (CVE-2017-1000364) >+* The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux >+ kernel through 4.5.2 does not properly randomize the legacy base address, >+ which makes it easier for local users to defeat the intended restrictions >+ on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for >+ a setuid or setgid program, by disabling stack-consumption resource limits >+ (CVE-2016-3672) >+* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and >+ #OF exceptions, which allows guest OS users to cause a denial of service >+ (guest OS crash) by declining to handle an exception thrown by an L2 guest >+ (CVE-2016-9588) >+* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through >+ 4.10.11 allows remote attackers to cause a denial of service (system crash) >+ via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and >+ fs/nfsd/nfsxdr.c (CVE-2017-7645) >+* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel >+ through 4.10.6 does not properly validate certain block-size data, which >+ allows local users to cause a denial of service (integer signedness error >+ and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability >+ is held), via crafted system calls (CVE-2017-7308) >+* drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts >+ incorrectly with the CONFIG_VMAP_STACK option, which allows local users to >+ cause a denial of service (system crash or memory corruption) or possibly >+ have unspecified other impact by leveraging use of more than one virtual >+ page for a DMA scatterlist (CVE-2017-8070) >+* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before >+ 4.10.12 interacts 
incorrectly with the CONFIG_VMAP_STACK option, which >+ allows local users to cause a denial of service (system crash or memory >+ corruption) or possibly have unspecified other impact by leveraging use of >+ more than one virtual page for a DMA scatterlist (CVE-2017-8067) >+* The mm subsystem in the Linux kernel through 4.10.10 does not properly >+ enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local >+ users to read or write to kernel memory locations in the first megabyte >+ (and bypass slab-allocation access restrictions) via an application that >+ opens the /dev/mem file, related to arch/x86/mm/init.c and >+ drivers/char/mem.c (CVE-2017-7889) >+* Incorrect error handling in the set_mempolicy and mbind compat syscalls in >+ mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to >+ obtain sensitive information from uninitialized stack data by triggering >+ failure of a certain bitmap operation (CVE-2017-7616) >+* The vmw_surface_define_ioctl function in >+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 >+ does not validate addition of certain levels data, which allows local users >+ to trigger an integer overflow and out-of-bounds write, and cause a denial >+ of service (system hang or crash) or possibly gain privileges, via a >+ crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294) >+* The vmw_surface_define_ioctl function in >+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 >+ does not check for a zero value of certain levels data, which allows local >+ users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and >+ possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device >+ (CVE-2017-7261) >+* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does >+ not restrict the address calculated by a certain rounding operation, which >+ allows local users to map page zero, and consequently bypass a protection >+ 
mechanism that exists for the mmap system call, by making crafted shmget >+ and shmat system calls in a privileged context (CVE-2017-5669) >+* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel >+ before 4.9.13 improperly manages lock dropping, which allows local users to >+ cause a denial of service (deadlock) via crafted operations on IrDA devices >+ (CVE-2017-6348) >+* Double free vulnerability in the sg_common_write function in >+ drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain >+ privileges or cause a denial of service (memory corruption and system >+ crash) by detaching a device during an SG_IO ioctl call (CVE-2015-8962) >+* drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local >+ users to bypass integer overflow checks, and cause a denial of service >+ (memory corruption) or have unspecified other impact, by leveraging access >+ to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a >+ "state machine confusion bug." (CVE-2016-9083) >+* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux >+ kernel 4.x before 4.9.4 allows physically proximate attackers to cause a >+ denial of service (integer underflow) or possibly have unspecified other >+ impact via a crafted HID report (CVE-2017-7273) >+* The sg implementation in the Linux kernel through 4.9 does not properly >+ restrict write operations in situations where the KERNEL_DS option is set, >+ which allows local users to read or write to arbitrary kernel memory >+ locations or cause a denial of service (use-after-free) by leveraging >+ access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. 
>+ NOTE: this vulnerability exists because of an incomplete fix for >+ CVE-2016-9576 (CVE-2016-10088) >+* Race condition in the get_task_ioprio function in block/ioprio.c in the >+ Linux kernel before 4.6.6 allows local users to gain privileges or cause a >+ denial of service (use-after-free) via a crafted ioprio_get system call >+ (CVE-2016-7911) >+* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through >+ 4.9.8 does not properly validate meta block groups, which allows physically >+ proximate attackers to cause a denial of service (out-of-bounds read and >+ system crash) via a crafted ext4 image (CVE-2016-10208) >+ >+This is the first part of the update. >+ >+We recommend to update your UCS installation. Updated packages are >+available in the Univention online repository, which is automatically >+added to the apt packages sources. The following procedures can be >+used to update a UCS installation: >+ >+1. A single system can be updated in the web interface of the >+Univention Management Console through the "Software update" module. >+ >+2. A single system can be updated on the command line by running the >+command "univention-upgrade" >+ >+3. Multiple systems can be updated through a maintenance policy. >+ >+Additional information can be found in the UCS manual. >+ >+ >+An overview of all available errata updates can be found online at >+http://errata.univention.de/ >+-- >+Univention GmbH >+be open. >+Mary-Somerville-Str.1 >+28359 Bremen >+Tel. : +49 421 22232-0 >+Fax : +49 421 22232-99 >+ >+<info@univention.de> >+http://www.univention.de/ >+ >+Geschäftsführer: Peter H. Ganten >+HRB 20755 Amtsgericht Bremen >+Steuer-Nr.: 71-597-02876 >diff --git a/advisories/3.2-univention-kernel-image.txt b/advisories/3.2-univention-kernel-image.txt >new file mode 100644 >index 0000000..be3a3b5 >--- /dev/null >+++ b/advisories/3.2-univention-kernel-image.txt 
>@@ -0,0 +1,351 @@ >+ A new extended maintenance update is available for Univention Corporate Server 3.2. >+It is applicable to the following patch-levels: 8. >+It addresses the following problem: >+ >+Program component: univention-kernel-image >+Reference: CVE-2015-8550, CVE-2015-8551, CVE-2015-8962, CVE-2015-8964, >+ CVE-2015-8970, CVE-2016-2085, CVE-2016-2188, CVE-2016-3672, >+ CVE-2016-3961, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, >+ CVE-2016-7425, CVE-2016-7911, CVE-2016-7913, CVE-2016-8405, >+ CVE-2016-8633, CVE-2016-8645, CVE-2016-8650, CVE-2016-8655, >+ CVE-2016-8658, CVE-2016-9083, CVE-2016-9555, CVE-2016-9588, >+ CVE-2016-9604, CVE-2016-9794, CVE-2016-10088, >+ CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, >+ CVE-2017-2618, CVE-2017-2636, CVE-2017-2671, CVE-2017-5549, >+ CVE-2017-5551, CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, >+ CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6346, >+ CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184, >+ CVE-2017-7261, CVE-2017-7273, CVE-2017-7294, CVE-2017-7308, >+ CVE-2017-7472, CVE-2017-7495, CVE-2017-7616, CVE-2017-7645, >+ CVE-2017-7889, CVE-2017-8067, CVE-2017-8068, CVE-2017-8069, >+ CVE-2017-8070, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925, >+ CVE-2017-1000363, CVE-2017-1000364, CVE-2016-10277, >+ CVE-2016-9576, bug 43602, bug 45244 >+Fixed version: 7.0.0-28.127.201709111629 >+ >+This update of the Linux kernel to 3.10.107 addresses the following issues: >+* Xen, when used on a system providing PV backends, allows local guest OS >+ administrators to cause a denial of service (host OS crash) or gain >+ privileges by writing to memory shared between the frontend and backend, >+ aka a double fetch vulnerability (CVE-2015-8550) >+* The PCI backend driver in Xen, when running on an x86 system and using >+ Linux 3.1.x through 4.3.x as the driver domain, allows local guest >+ administrators to hit BUG conditions and cause a denial of service (NULL >+ pointer dereference and host OS crash) by 
leveraging a system with access >+ to a passed-through MSI or MSI-X capable physical PCI device and a crafted >+ sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity >+ checks." (CVE-2015-8551) >+* The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux >+ kernel before 4.5 allows local users to obtain sensitive information from >+ kernel memory by reading a tty data structure (CVE-2015-8964) >+* crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify >+ that a setkey operation has been performed on an AF_ALG socket before an >+ accept system call is processed, which allows local users to cause a denial >+ of service (NULL pointer dereference and system crash) via a crafted >+ application that does not supply a key, related to the lrw_crypt function >+ in crypto/lrw.c (CVE-2015-8970) >+* Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs >+ support in x86 PV guests, which allows local PV guest OS users to cause a >+ denial of service (guest OS crash) by attempting to access a hugetlbfs >+ mapped area (CVE-2016-3961) >+* The tcp_check_send_head function in include/net/tcp.h in the Linux kernel >+ before 4.7.5 does not properly maintain certain SACK state after a failed >+ data copy, which allows local users to cause a denial of service >+ (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted >+ SACK option (CVE-2016-6828) >+* The proc_keys_show function in security/keys/proc.c in the Linux kernel >+ through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is >+ enabled, uses an incorrect buffer size for certain timeout data, which >+ allows local users to cause a denial of service (stack memory corruption >+ and panic) by reading the /proc/keys file (CVE-2016-7042) >+* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in >+ the Linux kernel through 4.8.2 does not restrict a certain length field, >+ which allows local users to gain 
privileges or cause a denial of service >+ (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control >+ code (CVE-2016-7425) >+* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual >+ hardware configurations, allows remote attackers to execute arbitrary code >+ via crafted fragmented packets (CVE-2016-8633) >+* The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, >+ which allows local users to cause a denial of service (system crash) via a >+ crafted application that makes sendto system calls, related to >+ net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (CVE-2016-8645) >+* The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through >+ 4.8.11 does not ensure that memory is allocated for limb data, which allows >+ local users to cause a denial of service (stack memory corruption and >+ panic) via an add_key system call for an RSA key with a zero exponent >+ (CVE-2016-8650) >+* Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in >+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux >+ kernel before 4.7.5 allows local users to cause a denial of service (system >+ crash) or possibly have unspecified other impact via a long SSID >+ Information Element in a command to a Netlink socket (CVE-2016-8658) >+* The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel >+ before 4.8.8 lacks chunk-length checking for the first chunk, which allows >+ remote attackers to cause a denial of service (out-of-bounds slab access) >+ or possibly have unspecified other impact via crafted SCTP data >+ (CVE-2016-9555) >+* Race condition in the snd_pcm_period_elapsed function in >+ sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 >+ allows local users to cause a denial of service (use-after-free) or >+ possibly have unspecified other impact via a crafted >+ SNDRV_PCM_TRIGGER_START command (CVE-2016-9794) >+* The dccp_rcv_state_process function 
in net/dccp/input.c in the Linux kernel >+ through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the >+ LISTEN state, which allows local users to obtain root privileges or cause a >+ denial of service (double free) via an application that makes an >+ IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074) >+* Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, >+ and the fact that parport_ptr integer is static, a 'secure boot' kernel >+ command line adversary (can happen due to bootloader vulns, e.g. Google >+ Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has >+ partial control over the command line) can overflow the parport_nr array in >+ the following code, by appending many (>LP_NO) 'lp=none' arguments to the >+ command line (CVE-2017-1000363) >+* The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the >+ Linux kernel through 4.10.15 allows attackers to cause a denial of service >+ (double free) or possibly have unspecified other impact by leveraging use >+ of the accept system call (CVE-2017-8890) >+* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 >+ allows local users to gain privileges or cause a denial of service (double >+ free) by setting the HDLC line discipline (CVE-2017-2636) >+* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly >+ restrict association peel-off operations during certain wait states, which >+ allows local users to cause a denial of service (invalid unlock and double >+ free) via a multithreaded application. 
NOTE: this vulnerability exists >+ because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353) >+* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in >+ the Linux kernel before 4.9.11 allows local users to cause a denial of >+ service (assertion failure and panic) via a multithreaded application that >+ peels off an association in a certain buffer-full state (CVE-2017-5986) >+* The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in >+ the Linux kernel before 4.6 allows local users to gain privileges or cause >+ a denial of service (use-after-free) via vectors involving omission of the >+ firmware name from a certain data structure (CVE-2016-7913) >+* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through >+ 4.10.8 is too late in obtaining a certain lock and consequently cannot >+ ensure that disconnect function calls are safe, which allows local users to >+ cause a denial of service (panic) by leveraging access to the protocol >+ value of IPPROTO_ICMP in a socket system call (CVE-2017-2671) >+* drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts >+ incorrectly with the CONFIG_VMAP_STACK option, which allows local users to >+ cause a denial of service (system crash or memory corruption) or possibly >+ have unspecified other impact by leveraging use of more than one virtual >+ page for a DMA scatterlist (CVE-2017-8068, CVE-2017-8069) >+* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the >+ Linux kernel before 4.10.4 allows local users to obtain sensitive >+ information (in the dmesg ringbuffer and syslog) from uninitialized kernel >+ memory by using a crafted USB device (posing as an io_ti USB serial device) >+ to trigger an integer underflow (CVE-2017-8924) >+* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux >+ kernel before 4.5.1 allows physically proximate attackers to cause a denial >+ of service (NULL pointer dereference and 
system crash) via a crafted >+ endpoints value in a USB device descriptor (CVE-2016-2188) >+* The omninet_open function in drivers/usb/serial/omninet.c in the Linux >+ kernel before 4.10.4 allows local users to cause a denial of service (tty >+ exhaustion) by leveraging reference count mishandling (CVE-2017-8925) >+* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 >+ allows local users to cause a denial of service (use-after-free) or >+ possibly have unspecified other impact via a multithreaded application that >+ makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346) >+* The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows >+ remote attackers to have unspecified impact via vectors involving GRE flags >+ in an IPv6 packet, which trigger an out-of-bounds access (CVE-2017-5897) >+* The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux >+ kernel through 4.9.9 allows attackers to cause a denial of service (system >+ crash) via (1) an application that makes crafted system calls or possibly >+ (2) IPv4 traffic with invalid IP options (CVE-2017-5970) >+* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in >+ the Linux kernel before 4.9.5 places uninitialized heap-memory contents >+ into a log entry upon a failure to read the line status, which allows local >+ users to obtain sensitive information by reading the log (CVE-2017-5549) >+* fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered >+ mode is used, mishandles a needs-flushing-before-commit list, which allows >+ local users to obtain sensitive information from other users' files in >+ opportunistic circumstances by waiting for a hardware reset, creating a new >+ file, making write system calls, and reading this file (CVE-2017-7495) >+* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to >+ cause a denial of service (memory consumption) via a series of >+ 
KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls >+ (CVE-2017-7472) >+* The keyring_search_aux function in security/keys/keyring.c in the Linux >+ kernel through 3.14.79 allows local users to cause a denial of service >+ (NULL pointer dereference and OOPS) via a request_key system call for the >+ "dead" type (CVE-2017-6951) >+* The built-in keyrings for security tokens can be joined as a session and >+ then modified by the root user (CVE-2016-9604) >+* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux >+ kernel through 4.10.6 does not validate certain size data after an >+ XFRM_MSG_NEWAE update, which allows local users to obtain root privileges >+ or cause a denial of service (heap-based out-of-bounds access) by >+ leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own >+ competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package >+ 4.8.0.41.52 (CVE-2017-7184) >+* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before >+ 4.9.11 allows remote attackers to cause a denial of service (infinite loop >+ and soft lockup) via vectors involving a TCP packet with the URG flag >+ (CVE-2017-6214) >+* Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate) >+ (CVE-2017-2618) >+* An information disclosure vulnerability in kernel components including the >+ ION subsystem, Binder, USB driver and networking subsystem could enable a >+ local malicious application to access data outside of its permission >+ levels. This issue is rated as Moderate because it first requires >+ compromising a privileged process. Product: Android. Versions: Kernel-3.10, >+ Kernel-3.18. 
Android ID: A-31651010 (CVE-2016-8405) >+* The simple_set_acl function in fs/posix_acl.c in the Linux kernel before >+ 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs >+ filesystem, which allows local users to gain group privileges by leveraging >+ the existence of a setgid program with restrictions on execute permissions. >+ NOTE: this vulnerability exists because of an incomplete fix for >+ CVE-2016-7097 (CVE-2017-5551) >+* The filesystem implementation in the Linux kernel through 4.8.2 preserves >+ the setgid bit during a setxattr call, which allows local users to gain >+ group privileges by leveraging the existence of a setgid program with >+ restrictions on execute permissions (CVE-2016-7097) >+* arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users >+ to obtain sensitive information from kernel memory or cause a denial of >+ service (use-after-free) via a crafted application that leverages >+ instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584) >+* The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the >+ Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" >+ instruction, which allows guest OS users to cause a denial of service >+ (guest OS crash) or gain guest OS privileges via a crafted application >+ (CVE-2017-2583) >+* The evm_verify_hmac function in security/integrity/evm/evm_main.c in the >+ Linux kernel before 4.5 does not properly copy data, which makes it easier >+ for local users to forge MAC values via a timing side-channel attack >+ (CVE-2016-2085) >+* Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 >+ allows local users to gain privileges or cause a denial of service >+ (use-after-free) by leveraging the CAP_NET_RAW capability to change a >+ socket version, related to the packet_set_ring and packet_setsockopt >+ functions (CVE-2016-8655) >+* An issue was discovered in the size of the stack guard page on Linux, >+ 
specifically a 4k stack guard page is not sufficiently large and can be >+ "jumped" over (the stack guard page is bypassed), this affects Linux Kernel >+ versions 4.11.5 and earlier (the stackguard page was introduced in 2010) >+ (CVE-2017-1000364) >+* The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux >+ kernel through 4.5.2 does not properly randomize the legacy base address, >+ which makes it easier for local users to defeat the intended restrictions >+ on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for >+ a setuid or setgid program, by disabling stack-consumption resource limits >+ (CVE-2016-3672) >+* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and >+ #OF exceptions, which allows guest OS users to cause a denial of service >+ (guest OS crash) by declining to handle an exception thrown by an L2 guest >+ (CVE-2016-9588) >+* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through >+ 4.10.11 allows remote attackers to cause a denial of service (system crash) >+ via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and >+ fs/nfsd/nfsxdr.c (CVE-2017-7645) >+* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel >+ through 4.10.6 does not properly validate certain block-size data, which >+ allows local users to cause a denial of service (integer signedness error >+ and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability >+ is held), via crafted system calls (CVE-2017-7308) >+* drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts >+ incorrectly with the CONFIG_VMAP_STACK option, which allows local users to >+ cause a denial of service (system crash or memory corruption) or possibly >+ have unspecified other impact by leveraging use of more than one virtual >+ page for a DMA scatterlist (CVE-2017-8070) >+* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before >+ 4.10.12 interacts 
incorrectly with the CONFIG_VMAP_STACK option, which >+ allows local users to cause a denial of service (system crash or memory >+ corruption) or possibly have unspecified other impact by leveraging use of >+ more than one virtual page for a DMA scatterlist (CVE-2017-8067) >+* The mm subsystem in the Linux kernel through 4.10.10 does not properly >+ enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local >+ users to read or write to kernel memory locations in the first megabyte >+ (and bypass slab-allocation access restrictions) via an application that >+ opens the /dev/mem file, related to arch/x86/mm/init.c and >+ drivers/char/mem.c (CVE-2017-7889) >+* Incorrect error handling in the set_mempolicy and mbind compat syscalls in >+ mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to >+ obtain sensitive information from uninitialized stack data by triggering >+ failure of a certain bitmap operation (CVE-2017-7616) >+* The vmw_surface_define_ioctl function in >+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 >+ does not validate addition of certain levels data, which allows local users >+ to trigger an integer overflow and out-of-bounds write, and cause a denial >+ of service (system hang or crash) or possibly gain privileges, via a >+ crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294) >+* The vmw_surface_define_ioctl function in >+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 >+ does not check for a zero value of certain levels data, which allows local >+ users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and >+ possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device >+ (CVE-2017-7261) >+* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does >+ not restrict the address calculated by a certain rounding operation, which >+ allows local users to map page zero, and consequently bypass a protection >+ 
mechanism that exists for the mmap system call, by making crafted shmget >+ and shmat system calls in a privileged context (CVE-2017-5669) >+* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel >+ before 4.9.13 improperly manages lock dropping, which allows local users to >+ cause a denial of service (deadlock) via crafted operations on IrDA devices >+ (CVE-2017-6348) >+* Double free vulnerability in the sg_common_write function in >+ drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain >+ privileges or cause a denial of service (memory corruption and system >+ crash) by detaching a device during an SG_IO ioctl call (CVE-2015-8962) >+* drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local >+ users to bypass integer overflow checks, and cause a denial of service >+ (memory corruption) or have unspecified other impact, by leveraging access >+ to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a >+ "state machine confusion bug." (CVE-2016-9083) >+* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux >+ kernel 4.x before 4.9.4 allows physically proximate attackers to cause a >+ denial of service (integer underflow) or possibly have unspecified other >+ impact via a crafted HID report (CVE-2017-7273) >+* The sg implementation in the Linux kernel through 4.9 does not properly >+ restrict write operations in situations where the KERNEL_DS option is set, >+ which allows local users to read or write to arbitrary kernel memory >+ locations or cause a denial of service (use-after-free) by leveraging >+ access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. 
>+ NOTE: this vulnerability exists because of an incomplete fix for >+ CVE-2016-9576 (CVE-2016-10088) >+* Race condition in the get_task_ioprio function in block/ioprio.c in the >+ Linux kernel before 4.6.6 allows local users to gain privileges or cause a >+ denial of service (use-after-free) via a crafted ioprio_get system call >+ (CVE-2016-7911) >+* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through >+ 4.9.8 does not properly validate meta block groups, which allows physically >+ proximate attackers to cause a denial of service (out-of-bounds read and >+ system crash) via a crafted ext4 image (CVE-2016-10208) >+ >+This is the second part of the update. >+ >+We recommend to update your UCS installation. Updated packages are >+available in the Univention online repository, which is automatically >+added to the apt packages sources. The following procedures can be >+used to update a UCS installation: >+ >+1. A single system can be updated in the web interface of the >+Univention Management Console through the "Software update" module. >+ >+2. A single system can be updated on the command line by running the >+command "univention-upgrade" >+ >+3. Multiple systems can be updated through a maintenance policy. >+ >+Additional information can be found in the UCS manual. >+ >+ >+An overview of all available errata updates can be found online at >+http://errata.univention.de/ >+-- >+Univention GmbH >+be open. >+Mary-Somerville-Str.1 >+28359 Bremen >+Tel. : +49 421 22232-0 >+Fax : +49 421 22232-99 >+ >+<info@univention.de> >+http://www.univention.de/ >+ >+Geschäftsführer: Peter H. Ganten >+HRB 20755 Amtsgericht Bremen >+Steuer-Nr.: 71-597-02876 >-- >2.11.0 >
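Review bot: the CVE-2017-1000363 entry says the adversary "can overflow the parport_nr array in the following code", but the advisory quotes no code; the phrase is carried over from the upstream CVE description and should be dropped, e.g. "can overflow the parport_nr array by appending many (>LP_NO) 'lp=none' arguments to the command line (CVE-2017-1000363)". Likewise the CVE-2016-8405 entry ends with the pasted feed fields "Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010", which do not apply to UCS and should be trimmed to the description plus the CVE reference. Finally, "This is the second part of the update." gives readers no pointer to the first part; naming the earlier erratum there would let administrators confirm they have applied both.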