From ffa89fb7d73a9925f42f88883aa1cd6fa5c27ee0 Mon Sep 17 00:00:00 2001 Message-Id: From: Philipp Hahn Date: Mon, 18 Sep 2017 15:45:59 +0200 Subject: [PATCH] Bug #45244: linux-3.10.107 Organization: Univention GmbH, Bremen, Germany --- advisories/3.2-linux.txt | 351 +++++++++++++++++++++++++++++ advisories/3.2-univention-kernel-image.txt | 351 +++++++++++++++++++++++++++++ 2 files changed, 702 insertions(+) create mode 100644 advisories/3.2-linux.txt create mode 100644 advisories/3.2-univention-kernel-image.txt diff --git a/advisories/3.2-linux.txt b/advisories/3.2-linux.txt new file mode 100644 index 0000000..9052a71 --- /dev/null +++ b/advisories/3.2-linux.txt 
@@ -0,0 +1,351 @@ +A new extended maintenance update is available for Univention Corporate Server 3.2. +It is applicable to the following patch-levels: 8. +It addresses the following problem: + +Program component: linux +Reference: CVE-2015-8550, CVE-2015-8551, CVE-2015-8962, CVE-2015-8964, + CVE-2015-8970, CVE-2016-2085, CVE-2016-2188, CVE-2016-3672, + CVE-2016-3961, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, + CVE-2016-7425, CVE-2016-7911, CVE-2016-7913, CVE-2016-8405, + CVE-2016-8633, CVE-2016-8645, CVE-2016-8650, CVE-2016-8655, + CVE-2016-8658, CVE-2016-9083, CVE-2016-9555, CVE-2016-9588, + CVE-2016-9604, CVE-2016-9794, CVE-2016-10088, + CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, + CVE-2017-2618, CVE-2017-2636, CVE-2017-2671, CVE-2017-5549, + CVE-2017-5551, CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, + CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6346, + CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184, + CVE-2017-7261, CVE-2017-7273, CVE-2017-7294, CVE-2017-7308, + CVE-2017-7472, CVE-2017-7495, CVE-2017-7616, CVE-2017-7645, + CVE-2017-7889, CVE-2017-8067, CVE-2017-8068, CVE-2017-8069, + CVE-2017-8070, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925, + CVE-2017-1000363, CVE-2017-1000364, CVE-2016-10277, + CVE-2016-9576, bug 43602, bug 45244 +Fixed version: 3.10.104-0.1.228.201709081326 + +This update of the Linux kernel to 3.10.107 addresses the following issues: +* Xen, when used on a system providing PV backends, allows local guest OS + administrators to cause a denial of service (host OS crash) or gain + privileges by writing to memory shared between the frontend and backend, + aka a double fetch vulnerability (CVE-2015-8550) +* The PCI backend driver in Xen, when running on an x86 system and using + Linux 3.1.x through 4.3.x as the driver domain, allows local guest + administrators to hit BUG conditions and cause a denial of service (NULL + pointer dereference and host OS crash) by leveraging a system with access + to a passed-through 
MSI or MSI-X capable physical PCI device and a crafted + sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity + checks." (CVE-2015-8551) +* The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux + kernel before 4.5 allows local users to obtain sensitive information from + kernel memory by reading a tty data structure (CVE-2015-8964) +* crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify + that a setkey operation has been performed on an AF_ALG socket before an + accept system call is processed, which allows local users to cause a denial + of service (NULL pointer dereference and system crash) via a crafted + application that does not supply a key, related to the lrw_crypt function + in crypto/lrw.c (CVE-2015-8970) +* Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs + support in x86 PV guests, which allows local PV guest OS users to cause a + denial of service (guest OS crash) by attempting to access a hugetlbfs + mapped area (CVE-2016-3961) +* The tcp_check_send_head function in include/net/tcp.h in the Linux kernel + before 4.7.5 does not properly maintain certain SACK state after a failed + data copy, which allows local users to cause a denial of service + (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted + SACK option (CVE-2016-6828) +* The proc_keys_show function in security/keys/proc.c in the Linux kernel + through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is + enabled, uses an incorrect buffer size for certain timeout data, which + allows local users to cause a denial of service (stack memory corruption + and panic) by reading the /proc/keys file (CVE-2016-7042) +* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in + the Linux kernel through 4.8.2 does not restrict a certain length field, + which allows local users to gain privileges or cause a denial of service + (heap-based buffer overflow) via an 
ARCMSR_MESSAGE_WRITE_WQBUFFER control + code (CVE-2016-7425) +* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual + hardware configurations, allows remote attackers to execute arbitrary code + via crafted fragmented packets (CVE-2016-8633) +* The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, + which allows local users to cause a denial of service (system crash) via a + crafted application that makes sendto system calls, related to + net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (CVE-2016-8645) +* The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through + 4.8.11 does not ensure that memory is allocated for limb data, which allows + local users to cause a denial of service (stack memory corruption and + panic) via an add_key system call for an RSA key with a zero exponent + (CVE-2016-8650) +* Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux + kernel before 4.7.5 allows local users to cause a denial of service (system + crash) or possibly have unspecified other impact via a long SSID + Information Element in a command to a Netlink socket (CVE-2016-8658) +* The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel + before 4.8.8 lacks chunk-length checking for the first chunk, which allows + remote attackers to cause a denial of service (out-of-bounds slab access) + or possibly have unspecified other impact via crafted SCTP data + (CVE-2016-9555) +* Race condition in the snd_pcm_period_elapsed function in + sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 + allows local users to cause a denial of service (use-after-free) or + possibly have unspecified other impact via a crafted + SNDRV_PCM_TRIGGER_START command (CVE-2016-9794) +* The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel + through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures 
in the + LISTEN state, which allows local users to obtain root privileges or cause a + denial of service (double free) via an application that makes an + IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074) +* Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, + and the fact that parport_ptr integer is static, a 'secure boot' kernel + command line adversary (can happen due to bootloader vulns, e.g. Google + Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has + partial control over the command line) can overflow the parport_nr array in + the following code, by appending many (>LP_NO) 'lp=none' arguments to the + command line (CVE-2017-1000363) +* The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the + Linux kernel through 4.10.15 allows attackers to cause a denial of service + (double free) or possibly have unspecified other impact by leveraging use + of the accept system call (CVE-2017-8890) +* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 + allows local users to gain privileges or cause a denial of service (double + free) by setting the HDLC line discipline (CVE-2017-2636) +* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly + restrict association peel-off operations during certain wait states, which + allows local users to cause a denial of service (invalid unlock and double + free) via a multithreaded application. 
NOTE: this vulnerability exists + because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353) +* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in + the Linux kernel before 4.9.11 allows local users to cause a denial of + service (assertion failure and panic) via a multithreaded application that + peels off an association in a certain buffer-full state (CVE-2017-5986) +* The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in + the Linux kernel before 4.6 allows local users to gain privileges or cause + a denial of service (use-after-free) via vectors involving omission of the + firmware name from a certain data structure (CVE-2016-7913) +* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through + 4.10.8 is too late in obtaining a certain lock and consequently cannot + ensure that disconnect function calls are safe, which allows local users to + cause a denial of service (panic) by leveraging access to the protocol + value of IPPROTO_ICMP in a socket system call (CVE-2017-2671) +* drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts + incorrectly with the CONFIG_VMAP_STACK option, which allows local users to + cause a denial of service (system crash or memory corruption) or possibly + have unspecified other impact by leveraging use of more than one virtual + page for a DMA scatterlist (CVE-2017-8068, CVE-2017-8069) +* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the + Linux kernel before 4.10.4 allows local users to obtain sensitive + information (in the dmesg ringbuffer and syslog) from uninitialized kernel + memory by using a crafted USB device (posing as an io_ti USB serial device) + to trigger an integer underflow (CVE-2017-8924) +* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux + kernel before 4.5.1 allows physically proximate attackers to cause a denial + of service (NULL pointer dereference and system crash) via a crafted + 
endpoints value in a USB device descriptor (CVE-2016-2188) +* The omninet_open function in drivers/usb/serial/omninet.c in the Linux + kernel before 4.10.4 allows local users to cause a denial of service (tty + exhaustion) by leveraging reference count mishandling (CVE-2017-8925) +* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 + allows local users to cause a denial of service (use-after-free) or + possibly have unspecified other impact via a multithreaded application that + makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346) +* The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows + remote attackers to have unspecified impact via vectors involving GRE flags + in an IPv6 packet, which trigger an out-of-bounds access (CVE-2017-5897) +* The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux + kernel through 4.9.9 allows attackers to cause a denial of service (system + crash) via (1) an application that makes crafted system calls or possibly + (2) IPv4 traffic with invalid IP options (CVE-2017-5970) +* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in + the Linux kernel before 4.9.5 places uninitialized heap-memory contents + into a log entry upon a failure to read the line status, which allows local + users to obtain sensitive information by reading the log (CVE-2017-5549) +* fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered + mode is used, mishandles a needs-flushing-before-commit list, which allows + local users to obtain sensitive information from other users' files in + opportunistic circumstances by waiting for a hardware reset, creating a new + file, making write system calls, and reading this file (CVE-2017-7495) +* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to + cause a denial of service (memory consumption) via a series of + KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls + (CVE-2017-7472) +* 
The keyring_search_aux function in security/keys/keyring.c in the Linux + kernel through 3.14.79 allows local users to cause a denial of service + (NULL pointer dereference and OOPS) via a request_key system call for the + "dead" type (CVE-2017-6951) +* The built-in keyrings for security tokens can be joined as a session and + then modified by the root user (CVE-2016-9604) +* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux + kernel through 4.10.6 does not validate certain size data after an + XFRM_MSG_NEWAE update, which allows local users to obtain root privileges + or cause a denial of service (heap-based out-of-bounds access) by + leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own + competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package + 4.8.0.41.52 (CVE-2017-7184) +* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before + 4.9.11 allows remote attackers to cause a denial of service (infinite loop + and soft lockup) via vectors involving a TCP packet with the URG flag + (CVE-2017-6214) +* Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate) + (CVE-2017-2618) +* An information disclosure vulnerability in kernel components including the + ION subsystem, Binder, USB driver and networking subsystem could enable a + local malicious application to access data outside of its permission + levels. This issue is rated as Moderate because it first requires + compromising a privileged process. Product: Android. Versions: Kernel-3.10, + Kernel-3.18. Android ID: A-31651010 (CVE-2016-8405) +* The simple_set_acl function in fs/posix_acl.c in the Linux kernel before + 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs + filesystem, which allows local users to gain group privileges by leveraging + the existence of a setgid program with restrictions on execute permissions. 
+ NOTE: this vulnerability exists because of an incomplete fix for + CVE-2016-7097 (CVE-2017-5551) +* The filesystem implementation in the Linux kernel through 4.8.2 preserves + the setgid bit during a setxattr call, which allows local users to gain + group privileges by leveraging the existence of a setgid program with + restrictions on execute permissions (CVE-2016-7097) +* arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users + to obtain sensitive information from kernel memory or cause a denial of + service (use-after-free) via a crafted application that leverages + instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584) +* The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the + Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" + instruction, which allows guest OS users to cause a denial of service + (guest OS crash) or gain guest OS privileges via a crafted application + (CVE-2017-2583) +* The evm_verify_hmac function in security/integrity/evm/evm_main.c in the + Linux kernel before 4.5 does not properly copy data, which makes it easier + for local users to forge MAC values via a timing side-channel attack + (CVE-2016-2085) +* Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 + allows local users to gain privileges or cause a denial of service + (use-after-free) by leveraging the CAP_NET_RAW capability to change a + socket version, related to the packet_set_ring and packet_setsockopt + functions (CVE-2016-8655) +* An issue was discovered in the size of the stack guard page on Linux, + specifically a 4k stack guard page is not sufficiently large and can be + "jumped" over (the stack guard page is bypassed), this affects Linux Kernel + versions 4.11.5 and earlier (the stackguard page was introduced in 2010) + (CVE-2017-1000364) +* The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux + kernel through 4.5.2 does not properly randomize the 
legacy base address, + which makes it easier for local users to defeat the intended restrictions + on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for + a setuid or setgid program, by disabling stack-consumption resource limits + (CVE-2016-3672) +* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and + #OF exceptions, which allows guest OS users to cause a denial of service + (guest OS crash) by declining to handle an exception thrown by an L2 guest + (CVE-2016-9588) +* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through + 4.10.11 allows remote attackers to cause a denial of service (system crash) + via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and + fs/nfsd/nfsxdr.c (CVE-2017-7645) +* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel + through 4.10.6 does not properly validate certain block-size data, which + allows local users to cause a denial of service (integer signedness error + and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability + is held), via crafted system calls (CVE-2017-7308) +* drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts + incorrectly with the CONFIG_VMAP_STACK option, which allows local users to + cause a denial of service (system crash or memory corruption) or possibly + have unspecified other impact by leveraging use of more than one virtual + page for a DMA scatterlist (CVE-2017-8070) +* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before + 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which + allows local users to cause a denial of service (system crash or memory + corruption) or possibly have unspecified other impact by leveraging use of + more than one virtual page for a DMA scatterlist (CVE-2017-8067) +* The mm subsystem in the Linux kernel through 4.10.10 does not properly + enforce the CONFIG_STRICT_DEVMEM protection mechanism, which 
allows local + users to read or write to kernel memory locations in the first megabyte + (and bypass slab-allocation access restrictions) via an application that + opens the /dev/mem file, related to arch/x86/mm/init.c and + drivers/char/mem.c (CVE-2017-7889) +* Incorrect error handling in the set_mempolicy and mbind compat syscalls in + mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to + obtain sensitive information from uninitialized stack data by triggering + failure of a certain bitmap operation (CVE-2017-7616) +* The vmw_surface_define_ioctl function in + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 + does not validate addition of certain levels data, which allows local users + to trigger an integer overflow and out-of-bounds write, and cause a denial + of service (system hang or crash) or possibly gain privileges, via a + crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294) +* The vmw_surface_define_ioctl function in + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 + does not check for a zero value of certain levels data, which allows local + users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and + possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device + (CVE-2017-7261) +* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does + not restrict the address calculated by a certain rounding operation, which + allows local users to map page zero, and consequently bypass a protection + mechanism that exists for the mmap system call, by making crafted shmget + and shmat system calls in a privileged context (CVE-2017-5669) +* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel + before 4.9.13 improperly manages lock dropping, which allows local users to + cause a denial of service (deadlock) via crafted operations on IrDA devices + (CVE-2017-6348) +* Double free vulnerability in the sg_common_write 
function in + drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain + privileges or cause a denial of service (memory corruption and system + crash) by detaching a device during an SG_IO ioctl call (CVE-2015-8962) +* drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local + users to bypass integer overflow checks, and cause a denial of service + (memory corruption) or have unspecified other impact, by leveraging access + to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a + "state machine confusion bug." (CVE-2016-9083) +* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux + kernel 4.x before 4.9.4 allows physically proximate attackers to cause a + denial of service (integer underflow) or possibly have unspecified other + impact via a crafted HID report (CVE-2017-7273) +* The sg implementation in the Linux kernel through 4.9 does not properly + restrict write operations in situations where the KERNEL_DS option is set, + which allows local users to read or write to arbitrary kernel memory + locations or cause a denial of service (use-after-free) by leveraging + access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. + NOTE: this vulnerability exists because of an incomplete fix for + CVE-2016-9576 (CVE-2016-10088) +* Race condition in the get_task_ioprio function in block/ioprio.c in the + Linux kernel before 4.6.6 allows local users to gain privileges or cause a + denial of service (use-after-free) via a crafted ioprio_get system call + (CVE-2016-7911) +* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through + 4.9.8 does not properly validate meta block groups, which allows physically + proximate attackers to cause a denial of service (out-of-bounds read and + system crash) via a crafted ext4 image (CVE-2016-10208) + +This is the first part of the update. + +We recommend to update your UCS installation. 
Updated packages are +available in the Univention online repository, which is automatically +added to the apt packages sources. The following procedures can be +used to update a UCS installation: + +1. A single system can be updated in the web interface of the +Univention Management Console through the "Software update" module. + +2. A single system can be updated on the command line by running the +command "univention-upgrade" + +3. Multiple systems can be updated through a maintenance policy. + +Additional information can be found in the UCS manual. + + +An overview of all available errata updates can be found online at +http://errata.univention.de/ +-- +Univention GmbH +be open. +Mary-Somerville-Str.1 +28359 Bremen +Tel. : +49 421 22232-0 +Fax : +49 421 22232-99 + + +http://www.univention.de/ + +Geschäftsführer: Peter H. Ganten +HRB 20755 Amtsgericht Bremen +Steuer-Nr.: 71-597-02876 diff --git a/advisories/3.2-univention-kernel-image.txt b/advisories/3.2-univention-kernel-image.txt new file mode 100644 index 0000000..be3a3b5 --- /dev/null +++ b/advisories/3.2-univention-kernel-image.txt 
@@ -0,0 +1,351 @@ + A new extended maintenance update is available for Univention Corporate Server 3.2. +It is applicable to the following patch-levels: 8. +It addresses the following problem: + +Program component: univention-kernel-image +Reference: CVE-2015-8550, CVE-2015-8551, CVE-2015-8962, CVE-2015-8964, + CVE-2015-8970, CVE-2016-2085, CVE-2016-2188, CVE-2016-3672, + CVE-2016-3961, CVE-2016-6828, CVE-2016-7042, CVE-2016-7097, + CVE-2016-7425, CVE-2016-7911, CVE-2016-7913, CVE-2016-8405, + CVE-2016-8633, CVE-2016-8645, CVE-2016-8650, CVE-2016-8655, + CVE-2016-8658, CVE-2016-9083, CVE-2016-9555, CVE-2016-9588, + CVE-2016-9604, CVE-2016-9794, CVE-2016-10088, + CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, + CVE-2017-2618, CVE-2017-2636, CVE-2017-2671, CVE-2017-5549, + CVE-2017-5551, CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, + CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6346, + CVE-2017-6348, CVE-2017-6353, CVE-2017-6951, CVE-2017-7184, + CVE-2017-7261, CVE-2017-7273, CVE-2017-7294, CVE-2017-7308, + CVE-2017-7472, CVE-2017-7495, CVE-2017-7616, CVE-2017-7645, + CVE-2017-7889, CVE-2017-8067, CVE-2017-8068, CVE-2017-8069, + CVE-2017-8070, CVE-2017-8890, CVE-2017-8924, CVE-2017-8925, + CVE-2017-1000363, CVE-2017-1000364, CVE-2016-10277, + CVE-2016-9576, bug 43602, bug 45244 +Fixed version: 7.0.0-28.127.201709111629 + +This update of the Linux kernel to 3.10.107 addresses the following issues: +* Xen, when used on a system providing PV backends, allows local guest OS + administrators to cause a denial of service (host OS crash) or gain + privileges by writing to memory shared between the frontend and backend, + aka a double fetch vulnerability (CVE-2015-8550) +* The PCI backend driver in Xen, when running on an x86 system and using + Linux 3.1.x through 4.3.x as the driver domain, allows local guest + administrators to hit BUG conditions and cause a denial of service (NULL + pointer dereference and host OS crash) by leveraging a system with access + to a 
passed-through MSI or MSI-X capable physical PCI device and a crafted + sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity + checks." (CVE-2015-8551) +* The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux + kernel before 4.5 allows local users to obtain sensitive information from + kernel memory by reading a tty data structure (CVE-2015-8964) +* crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify + that a setkey operation has been performed on an AF_ALG socket before an + accept system call is processed, which allows local users to cause a denial + of service (NULL pointer dereference and system crash) via a crafted + application that does not supply a key, related to the lrw_crypt function + in crypto/lrw.c (CVE-2015-8970) +* Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs + support in x86 PV guests, which allows local PV guest OS users to cause a + denial of service (guest OS crash) by attempting to access a hugetlbfs + mapped area (CVE-2016-3961) +* The tcp_check_send_head function in include/net/tcp.h in the Linux kernel + before 4.7.5 does not properly maintain certain SACK state after a failed + data copy, which allows local users to cause a denial of service + (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted + SACK option (CVE-2016-6828) +* The proc_keys_show function in security/keys/proc.c in the Linux kernel + through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is + enabled, uses an incorrect buffer size for certain timeout data, which + allows local users to cause a denial of service (stack memory corruption + and panic) by reading the /proc/keys file (CVE-2016-7042) +* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in + the Linux kernel through 4.8.2 does not restrict a certain length field, + which allows local users to gain privileges or cause a denial of service + (heap-based buffer overflow) 
via an ARCMSR_MESSAGE_WRITE_WQBUFFER control + code (CVE-2016-7425) +* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual + hardware configurations, allows remote attackers to execute arbitrary code + via crafted fragmented packets (CVE-2016-8633) +* The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, + which allows local users to cause a denial of service (system crash) via a + crafted application that makes sendto system calls, related to + net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (CVE-2016-8645) +* The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through + 4.8.11 does not ensure that memory is allocated for limb data, which allows + local users to cause a denial of service (stack memory corruption and + panic) via an add_key system call for an RSA key with a zero exponent + (CVE-2016-8650) +* Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux + kernel before 4.7.5 allows local users to cause a denial of service (system + crash) or possibly have unspecified other impact via a long SSID + Information Element in a command to a Netlink socket (CVE-2016-8658) +* The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel + before 4.8.8 lacks chunk-length checking for the first chunk, which allows + remote attackers to cause a denial of service (out-of-bounds slab access) + or possibly have unspecified other impact via crafted SCTP data + (CVE-2016-9555) +* Race condition in the snd_pcm_period_elapsed function in + sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 + allows local users to cause a denial of service (use-after-free) or + possibly have unspecified other impact via a crafted + SNDRV_PCM_TRIGGER_START command (CVE-2016-9794) +* The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel + through 4.9.11 mishandles DCCP_PKT_REQUEST packet data 
structures in the + LISTEN state, which allows local users to obtain root privileges or cause a + denial of service (double free) via an application that makes an + IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074) +* Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, + and the fact that parport_ptr integer is static, a 'secure boot' kernel + command line adversary (can happen due to bootloader vulns, e.g. Google + Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has + partial control over the command line) can overflow the parport_nr array in + the following code, by appending many (>LP_NO) 'lp=none' arguments to the + command line (CVE-2017-1000363) +* The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the + Linux kernel through 4.10.15 allows attackers to cause a denial of service + (double free) or possibly have unspecified other impact by leveraging use + of the accept system call (CVE-2017-8890) +* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 + allows local users to gain privileges or cause a denial of service (double + free) by setting the HDLC line discipline (CVE-2017-2636) +* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly + restrict association peel-off operations during certain wait states, which + allows local users to cause a denial of service (invalid unlock and double + free) via a multithreaded application. 
NOTE: this vulnerability exists + because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353) +* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in + the Linux kernel before 4.9.11 allows local users to cause a denial of + service (assertion failure and panic) via a multithreaded application that + peels off an association in a certain buffer-full state (CVE-2017-5986) +* The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in + the Linux kernel before 4.6 allows local users to gain privileges or cause + a denial of service (use-after-free) via vectors involving omission of the + firmware name from a certain data structure (CVE-2016-7913) +* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through + 4.10.8 is too late in obtaining a certain lock and consequently cannot + ensure that disconnect function calls are safe, which allows local users to + cause a denial of service (panic) by leveraging access to the protocol + value of IPPROTO_ICMP in a socket system call (CVE-2017-2671) +* drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts + incorrectly with the CONFIG_VMAP_STACK option, which allows local users to + cause a denial of service (system crash or memory corruption) or possibly + have unspecified other impact by leveraging use of more than one virtual + page for a DMA scatterlist (CVE-2017-8068, CVE-2017-8069) +* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the + Linux kernel before 4.10.4 allows local users to obtain sensitive + information (in the dmesg ringbuffer and syslog) from uninitialized kernel + memory by using a crafted USB device (posing as an io_ti USB serial device) + to trigger an integer underflow (CVE-2017-8924) +* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux + kernel before 4.5.1 allows physically proximate attackers to cause a denial + of service (NULL pointer dereference and system crash) via a crafted + 
endpoints value in a USB device descriptor (CVE-2016-2188) +* The omninet_open function in drivers/usb/serial/omninet.c in the Linux + kernel before 4.10.4 allows local users to cause a denial of service (tty + exhaustion) by leveraging reference count mishandling (CVE-2017-8925) +* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 + allows local users to cause a denial of service (use-after-free) or + possibly have unspecified other impact via a multithreaded application that + makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346) +* The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows + remote attackers to have unspecified impact via vectors involving GRE flags + in an IPv6 packet, which trigger an out-of-bounds access (CVE-2017-5897) +* The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux + kernel through 4.9.9 allows attackers to cause a denial of service (system + crash) via (1) an application that makes crafted system calls or possibly + (2) IPv4 traffic with invalid IP options (CVE-2017-5970) +* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in + the Linux kernel before 4.9.5 places uninitialized heap-memory contents + into a log entry upon a failure to read the line status, which allows local + users to obtain sensitive information by reading the log (CVE-2017-5549) +* fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered + mode is used, mishandles a needs-flushing-before-commit list, which allows + local users to obtain sensitive information from other users' files in + opportunistic circumstances by waiting for a hardware reset, creating a new + file, making write system calls, and reading this file (CVE-2017-7495) +* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to + cause a denial of service (memory consumption) via a series of + KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls + (CVE-2017-7472) +* 
The keyring_search_aux function in security/keys/keyring.c in the Linux + kernel through 3.14.79 allows local users to cause a denial of service + (NULL pointer dereference and OOPS) via a request_key system call for the + "dead" type (CVE-2017-6951) +* The built-in keyrings for security tokens can be joined as a session and + then modified by the root user (CVE-2016-9604) +* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux + kernel through 4.10.6 does not validate certain size data after an + XFRM_MSG_NEWAE update, which allows local users to obtain root privileges + or cause a denial of service (heap-based out-of-bounds access) by + leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own + competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package + 4.8.0.41.52 (CVE-2017-7184) +* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before + 4.9.11 allows remote attackers to cause a denial of service (infinite loop + and soft lockup) via vectors involving a TCP packet with the URG flag + (CVE-2017-6214) +* Off-by-one error in selinux_setprocattr (/proc/self/attr/fscreate) + (CVE-2017-2618) +* An information disclosure vulnerability in kernel components including the + ION subsystem, Binder, USB driver and networking subsystem could enable a + local malicious application to access data outside of its permission + levels. This issue is rated as Moderate because it first requires + compromising a privileged process. Product: Android. Versions: Kernel-3.10, + Kernel-3.18. Android ID: A-31651010 (CVE-2016-8405) +* The simple_set_acl function in fs/posix_acl.c in the Linux kernel before + 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs + filesystem, which allows local users to gain group privileges by leveraging + the existence of a setgid program with restrictions on execute permissions. 
+ NOTE: this vulnerability exists because of an incomplete fix for + CVE-2016-7097 (CVE-2017-5551) +* The filesystem implementation in the Linux kernel through 4.8.2 preserves + the setgid bit during a setxattr call, which allows local users to gain + group privileges by leveraging the existence of a setgid program with + restrictions on execute permissions (CVE-2016-7097) +* arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users + to obtain sensitive information from kernel memory or cause a denial of + service (use-after-free) via a crafted application that leverages + instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584) +* The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the + Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" + instruction, which allows guest OS users to cause a denial of service + (guest OS crash) or gain guest OS privileges via a crafted application + (CVE-2017-2583) +* The evm_verify_hmac function in security/integrity/evm/evm_main.c in the + Linux kernel before 4.5 does not properly copy data, which makes it easier + for local users to forge MAC values via a timing side-channel attack + (CVE-2016-2085) +* Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 + allows local users to gain privileges or cause a denial of service + (use-after-free) by leveraging the CAP_NET_RAW capability to change a + socket version, related to the packet_set_ring and packet_setsockopt + functions (CVE-2016-8655) +* An issue was discovered in the size of the stack guard page on Linux, + specifically a 4k stack guard page is not sufficiently large and can be + "jumped" over (the stack guard page is bypassed), this affects Linux Kernel + versions 4.11.5 and earlier (the stackguard page was introduced in 2010) + (CVE-2017-1000364) +* The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux + kernel through 4.5.2 does not properly randomize the 
legacy base address, + which makes it easier for local users to defeat the intended restrictions + on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for + a setuid or setgid program, by disabling stack-consumption resource limits + (CVE-2016-3672) +* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and + #OF exceptions, which allows guest OS users to cause a denial of service + (guest OS crash) by declining to handle an exception thrown by an L2 guest + (CVE-2016-9588) +* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through + 4.10.11 allows remote attackers to cause a denial of service (system crash) + via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and + fs/nfsd/nfsxdr.c (CVE-2017-7645) +* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel + through 4.10.6 does not properly validate certain block-size data, which + allows local users to cause a denial of service (integer signedness error + and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability + is held), via crafted system calls (CVE-2017-7308) +* drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts + incorrectly with the CONFIG_VMAP_STACK option, which allows local users to + cause a denial of service (system crash or memory corruption) or possibly + have unspecified other impact by leveraging use of more than one virtual + page for a DMA scatterlist (CVE-2017-8070) +* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before + 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which + allows local users to cause a denial of service (system crash or memory + corruption) or possibly have unspecified other impact by leveraging use of + more than one virtual page for a DMA scatterlist (CVE-2017-8067) +* The mm subsystem in the Linux kernel through 4.10.10 does not properly + enforce the CONFIG_STRICT_DEVMEM protection mechanism, which 
allows local + users to read or write to kernel memory locations in the first megabyte + (and bypass slab-allocation access restrictions) via an application that + opens the /dev/mem file, related to arch/x86/mm/init.c and + drivers/char/mem.c (CVE-2017-7889) +* Incorrect error handling in the set_mempolicy and mbind compat syscalls in + mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to + obtain sensitive information from uninitialized stack data by triggering + failure of a certain bitmap operation (CVE-2017-7616) +* The vmw_surface_define_ioctl function in + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 + does not validate addition of certain levels data, which allows local users + to trigger an integer overflow and out-of-bounds write, and cause a denial + of service (system hang or crash) or possibly gain privileges, via a + crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294) +* The vmw_surface_define_ioctl function in + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 + does not check for a zero value of certain levels data, which allows local + users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and + possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device + (CVE-2017-7261) +* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does + not restrict the address calculated by a certain rounding operation, which + allows local users to map page zero, and consequently bypass a protection + mechanism that exists for the mmap system call, by making crafted shmget + and shmat system calls in a privileged context (CVE-2017-5669) +* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel + before 4.9.13 improperly manages lock dropping, which allows local users to + cause a denial of service (deadlock) via crafted operations on IrDA devices + (CVE-2017-6348) +* Double free vulnerability in the sg_common_write 
function in + drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain + privileges or cause a denial of service (memory corruption and system + crash) by detaching a device during an SG_IO ioctl call (CVE-2015-8962) +* drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local + users to bypass integer overflow checks, and cause a denial of service + (memory corruption) or have unspecified other impact, by leveraging access + to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a + "state machine confusion bug." (CVE-2016-9083) +* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux + kernel 4.x before 4.9.4 allows physically proximate attackers to cause a + denial of service (integer underflow) or possibly have unspecified other + impact via a crafted HID report (CVE-2017-7273) +* The sg implementation in the Linux kernel through 4.9 does not properly + restrict write operations in situations where the KERNEL_DS option is set, + which allows local users to read or write to arbitrary kernel memory + locations or cause a denial of service (use-after-free) by leveraging + access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. + NOTE: this vulnerability exists because of an incomplete fix for + CVE-2016-9576 (CVE-2016-10088) +* Race condition in the get_task_ioprio function in block/ioprio.c in the + Linux kernel before 4.6.6 allows local users to gain privileges or cause a + denial of service (use-after-free) via a crafted ioprio_get system call + (CVE-2016-7911) +* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through + 4.9.8 does not properly validate meta block groups, which allows physically + proximate attackers to cause a denial of service (out-of-bounds read and + system crash) via a crafted ext4 image (CVE-2016-10208) + +This is the second part of the update. + +We recommend to update your UCS installation. 
Updated packages are +available in the Univention online repository, which is automatically +added to the apt packages sources. The following procedures can be +used to update a UCS installation: + +1. A single system can be updated in the web interface of the +Univention Management Console through the "Software update" module. + +2. A single system can be updated on the command line by running the +command "univention-upgrade" + +3. Multiple systems can be updated through a maintenance policy. + +Additional information can be found in the UCS manual. + + +An overview of all available errata updates can be found online at +http://errata.univention.de/ +-- +Univention GmbH +be open. +Mary-Somerville-Str.1 +28359 Bremen +Tel. : +49 421 22232-0 +Fax : +49 421 22232-99 + + +http://www.univention.de/ + +Geschäftsführer: Peter H. Ganten +HRB 20755 Amtsgericht Bremen +Steuer-Nr.: 71-597-02876 -- 2.11.0
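Review bot: the CVE-2017-1000363 entry (drivers/char/lp.c out-of-bounds write) says the adversary "can overflow the parport_nr array in the following code", but no code follows in the advisory; the sentence was lifted from the upstream CVE text and the dangling reference should be removed, e.g. "can overflow the parport_nr array by appending many (>LP_NO) 'lp=none' arguments to the command line". The CVE-2016-8405 entry likewise still carries the Android bulletin fields ("Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010") and the CVE-2017-7184 entry the Pwn2Own / Ubuntu 16.10 linux-image-* package details, none of which say anything about the affected components on a UCS 3.2 system; trim those entries to the kernel subsystem and impact. Minor wording in the closing block: "We recommend to update your UCS installation" reads better as "We recommend updating your UCS installation", item 2 ("command "univention-upgrade"") is missing its terminating period, and "Mary-Somerville-Str.1" needs a space before the house number.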