Univention Bugzilla – Bug 37353
linux: Multiple security issues (3.2)
Last modified: 2015-03-23 13:12:49 CET
Race condition in ext4 permission handling (CVE-2014-8086)
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in VMX handling in KVM (CVE-2014-3645, CVE-2014-3646)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in the dcache in the fs layer (CVE-2014-8559)

Kernel workaround for AMD CPU deadlock (CVE-2013-6885)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419)
Denial of service in isofs (CVE-2014-9420)
espfix can be bypassed (CVE-2014-8133)
espfix not available for KVM paravirtualised guests (CVE-2014-8134)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
Information leak in isofs (CVE-2014-9584)
(In reply to Moritz Muehlenhoff from comment #1)
> Kernel workaround for AMD CPU deadlock (CVE-2013-6885)

This was already merged in 3.10.29, so UCS 3.2 is already fixed.

These are fixed as of 3.10.64:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)

These are unfixed as of 3.10.64:
Race condition in ext4 permission handling (CVE-2014-8086)
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in VMX handling in KVM (CVE-2014-3646)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Insufficient randomisation of the vdso segment (CVE-2014-9585)

Use-after-free in SCTP (CVE-2015-1421)
ext4 denial of service (CVE-2014-7822) (this only affects UCS 3.1/3.2)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
CVE-2014-8086 doesn't affect 3.10.x, it was introduced in 3.16.

These are fixed as of 3.10.68:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)

These are unfixed as of 3.10.68:
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in VMX handling in KVM (CVE-2014-3646)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Use-after-free in SCTP (CVE-2015-1421)
ext4 denial of service (CVE-2014-7822) (this only affects UCS 3.1/3.2)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)

These are unfixed in the upstream kernel:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
ecryptfs 1-byte overwrite (CVE-2014-9683)
(In reply to Arvid Requate from comment #12)
> Ext4: fallocate zero range page size > block size (CVE-2015-0275)

This was introduced in 3.15 and doesn't affect UCS 3.2

These are fixed as of 3.10.70:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)
Denial of service in the VMX handling in KVM (CVE-2014-3690) (3.10.69)
Denial of service in VMX handling in KVM (CVE-2014-3646) (3.10.69)
Use-after-free in SCTP (CVE-2015-1421) (3.10.70)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.10.64)

These are unfixed as of 3.10.70:
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
ext4 denial of service (CVE-2014-7822)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)

These are unfixed in the upstream kernel:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
53-fix-ext2-quota.patch was removed; it was integrated into 3.10.63
3.0.71 has been released:

These are fixed as of 3.10.71:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)
Denial of service in the VMX handling in KVM (CVE-2014-3690) (3.10.69)
Denial of service in VMX handling in KVM (CVE-2014-3646) (3.10.69)
Use-after-free in SCTP (CVE-2015-1421) (3.10.70)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.10.64)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593) (3.10.71)

These are unfixed as of 3.10.71:
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
ext4 denial of service (CVE-2014-7822)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
Soft lockup in AIO (CVE-2014-8172)

These are unfixed in the upstream kernel:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)

The kernel has been updated to 3.10.71. Tests on hardware (amd64) and in virtualisation (i386) were successful.

YAML files:
2015-03-09-linux.yaml
2015-03-09-univention-kernel-image.yaml

OK: apt-cache policy univention-kernel-image # 7.0.0-18.71.201503111143
OK: DEBIAN_FRONTEND=noninteractive aptitude install '?source-package(univention-kernel-image)?installed' # i386 amd64
OK: linux-image-3.10.0-ucs114-686-pae_3.10.11-1.114.201503091200_i386.deb
OK: uname -r # 3.10.0-ucs114-686-pae
OK: zdiff /usr/share/doc/linux-image-3.10.0-ucs1{08,14}-686-pae/changelog.Debian.gz
    -53-fix-ext2-quota
    +53-stable-63-to-70
    +54-stable-71
OK: CVE-2014-3645 CVE-2014-9419 CVE-2014-9420 CVE-2014-8133 CVE-2014-8134 CVE-2014-9584 CVE-2014-9529 CVE-2014-9585 CVE-2013-7421 CVE-2014-9644 CVE-2014-3690 CVE-2014-3646 CVE-2015-1421 CVE-2014-9683 CVE-2015-1593
OK: 2015-03-09-linux.yaml
OK: 2015-03-09-univention-kernel-image.yaml
OK: errata-announce -V 2015-03-09-linux.yaml
OK: errata-announce -V 2015-03-09-univention-kernel-image.yaml

http://errata.univention.de/ucs/3.2/296.html
http://errata.univention.de/ucs/3.2/297.html