Univention Bugzilla – Bug 37385
linux: Multiple security issues (4.0)
Last modified: 2015-07-20 17:48:53 CEST
After Bug 36969 the following security issues still need to be fixed:
Denial of service in the dcache in the fs layer (CVE-2014-8559)
User namespaces can bypass group-based restrictions (CVE-2014-8989)
Denial of service in batman-adv (CVE-2014-9428)
The Linux kernels in UCS 3.x are not affected; this was introduced in Linux 3.13.
Kernel workaround for AMD CPU deadlock (CVE-2013-6885)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419)
Denial of service in isofs (CVE-2014-9420)
espfix can be bypassed (CVE-2014-8133)
espfix not available for KVM paravirtualised guests (CVE-2014-8134)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
Information leak in isofs (CVE-2014-9584)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Insufficient randomisation of the vdso segment (CVE-2014-9585)
Denial of service in packet routing (CVE-2015-1465) (this only affects UCS 4.0)
Use-after-free in SCTP (CVE-2015-1421)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Denial of service in nftables (CVE-2015-1573) (the kernels in UCS 3.1 and 3.2 are not affected)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
ecryptfs 1-byte overwrite (CVE-2014-9683)
(In reply to Moritz Muehlenhoff from comment #2)
> Kernel workaround for AMD CPU deadlock (CVE-2013-6885)

This was fixed upstream in 3.14, so the kernel in UCS 4.0 is not affected.
(In reply to Moritz Muehlenhoff from comment #8)
> Denial of service in nftables (CVE-2015-1573)

This was introduced in 3.18, so the kernel in UCS 4.0 is not affected.
These are fixed as of 3.16.7-ckt7:
Denial of service in the dcache in the fs layer (CVE-2014-8559) (3.16.7-ckt4)
User namespaces can bypass group-based restrictions (CVE-2014-8989) (3.16.7-ckt4)
Denial of service in batman-adv (CVE-2014-9428) (3.16.7-ckt4)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.16.7-ckt4)
Denial of service in isofs (CVE-2014-9420) (3.16.7-ckt4)
espfix can be bypassed (CVE-2014-8133) (3.16.7-ckt4)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.16.7-ckt4)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.16.7-ckt4)
Information leak in isofs (CVE-2014-9584) (3.16.7-ckt4)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160) (3.16.7-ckt5)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.16.7-ckt5)
Denial of service in packet routing (CVE-2015-1465) (3.16.7-ckt6)
Use-after-free in SCTP (CVE-2015-1421) (3.16.7-ckt6)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239) (3.16.7-ckt6)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.16.7-ckt6)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.16.7-ckt4)

These are pending for 3.16.7-ckt8:
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)

These are unfixed in the upstream kernel:
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
58_CVE-2014-9090_CVE-2014-9322.patch was removed; the following upstream fixes were merged into 3.16.7-ckt3:
af726f21ed8af2cdaa4e93098dc211521218ae65
6f442be2fb22be02cafa606f1769fa1e6f894441
b645af2d5905c4e32399005b867987919cbfc3ae
7ddc6a2199f1da405a2fb68c40db8899b1a8cd87
These are fixed as of 3.16.7-ckt8:
Denial of service in the dcache in the fs layer (CVE-2014-8559) (3.16.7-ckt4)
User namespaces can bypass group-based restrictions (CVE-2014-8989) (3.16.7-ckt4)
Denial of service in batman-adv (CVE-2014-9428) (3.16.7-ckt4)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.16.7-ckt4)
Denial of service in isofs (CVE-2014-9420) (3.16.7-ckt4)
espfix can be bypassed (CVE-2014-8133) (3.16.7-ckt4)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.16.7-ckt4)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.16.7-ckt4)
Information leak in isofs (CVE-2014-9584) (3.16.7-ckt4)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160) (3.16.7-ckt5)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.16.7-ckt5)
Denial of service in packet routing (CVE-2015-1465) (3.16.7-ckt6)
Use-after-free in SCTP (CVE-2015-1421) (3.16.7-ckt6)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239) (3.16.7-ckt6)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.16.7-ckt6)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.16.7-ckt4)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)

These are unfixed in the upstream kernel:
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
(In reply to Moritz Muehlenhoff from comment #18)
> These are fixed as of 3.16.7-ckt8:

All stable kernel updates up to 3.16.7-ckt8 have been integrated and the univention-kernel-image meta package has been updated.

As discussed, what remains to be done:
- YAML files
- Tests on hardware and KVM
- Sign the kernel modules
These are fixed as of 3.16.7-ckt9:
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830)

These are unfixed in the upstream kernel:
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
btrfs: non-atomic xattr replace operation (CVE-2014-9710)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
IPv6 Hop limit lowering via RA messages (CVE-2015-2922)
These are fixed as of 3.16.7-ckt9-3:
* Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331)
* TCP Fast Open local DoS (CVE-2015-3332)
* chown() was racy relative to execve() (CVE-2015-3339)
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
These are now fixed in upstream package version 3.16.7-ckt10:
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
btrfs: non-atomic xattr replace operation (CVE-2014-9710)
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
Race condition in file handle support (CVE-2015-1420)
Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
IPv6 Hop limit lowering via RA messages (CVE-2015-2922)

These are currently still unfixed in the upstream kernel package:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
One more:
* privilege escalation via ping sockets due to use-after-free (CVE-2015-3636)

Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt11:
CVE-2015-0275
CVE-2015-3339
CVE-2015-3636
Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13:
* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* Race condition in file handle support (CVE-2015-1420) [Now really].

These are currently still unfixed in the upstream kernel package:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
Additional CVE fixed in (3.16.7-ckt9-1) for the changelog:
* drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036)
New version linux (3.16.7-ckt11-1~bpo70+1) wheezy-backports built as linux (3.16.7-ckt11-1~bpo70+1.134.201506231755) yielding linux-image-3.16.0-ucs134*.
Tests (KVM): OK
univention-kernel-image updated with new dependency in 8.0.6-6.74.201506241245
univention-kernel-image-signed updated with new signed binary and dependencies in 1.0.3-1.6.201506241503
Tests (UEFI/SecureBoot): OK
Still unfixed issues moved to Bug #38764
Advisories:
2015-06-24-linux.yaml
2015-06-24-univention-kernel-image-signed.yaml
2015-06-24-univention-kernel-image.yaml
OK: univention-install univention-kernel-image
OK: amd64 KVM
OK: i386 KVM
OK: amd64 HW
OK: uname -r # 3.16.0-ucs134-amd64
FAIL: univention-install univention-kernel-header → linux-headers-3.16.0-ucs134-* → linux-compiler-gcc-4.6-x86 → gcc-4.6
OK: zless /usr/share/doc/linux-image-3.16.0-ucs134-amd64/changelog.Debian.gz
FIXED: 2015-06-24-linux.yaml → r61610
FIXED: 2015-06-24-univention-kernel-image.yaml → r61610
FIXED: 2015-06-24-univention-kernel-image-signed.yaml → r61610
OK: announce-errata -V *.yaml
OK: CVE-2014-8559
OK: CVE-2014-8989
OK: CVE-2014-9428
SKIP: CVE-2013-6885 not affected
OK: CVE-2014-9419
OK: CVE-2014-9420
OK: CVE-2014-8133
OK: CVE-2014-8134
OK: CVE-2014-9529
OK: CVE-2014-9584
OK: CVE-2014-8160
OK: CVE-2014-9585
OK: CVE-2015-1465
OK: CVE-2015-1421
OK: CVE-2015-0239
OK: CVE-2013-7421 CVE-2014-9644
PENDING: CVE-2015-1350 → Bug #387640
PENDING: CVE-2015-1420 incomplete → Bug #387647
SKIP: CVE-2015-1573 not affected
OK: CVE-2015-1593
OK: CVE-2015-2042
OK: CVE-2015-2041
OK: CVE-2015-0275
OK: CVE-2014-9683 'eCryptfs: Remove buggy and unnecessary write in file name decode routine'
OK: CVE-2015-2150
OK: CVE-2015-2830
OK: CVE-2015-3331
OK: CVE-2015-3332
OK: CVE-2015-3339
OK: CVE-2014-8159
OK: CVE-2014-9710
OK: CVE-2014-9715 Debian #741667
PENDING: CVE-2014-9717 → Bug #387647
OK: CVE-2015-2666
OK: CVE-2015-2922
OK: CVE-2015-3636
PENDING: CVE-2015-4167 → Bug #38764
OK: CVE-2015-4036 'vhost/scsi: potential memory corruption'
(In reply to Philipp Hahn from comment #32)
> OK: univention-install univention-kernel-image
> OK: amd64 KVM
> OK: i386 KVM
> OK: amd64 HW
> OK: uname -r # 3.16.0-ucs134-amd64
> FAIL: univention-install univention-kernel-header →
> linux-headers-3.16.0-ucs134-* → linux-compiler-gcc-4.6-x86 → gcc-4.6

Patched to use gcc-4.7: linux
Updated: univention-kernel-image univention-kernel-image-signed Advisories
Tests (UEFI): OK
Tests (KVM i386/amd64): OK
OK: r14975 r14976
OK: r62220 YAML
OK: uname -r 3.16.0-ucs135-amd64 3.16.0-ucs135-686-pae
OK: univention-install univention-kernel-image
OK: amd64@hw amd64@kvm i386@kvm
SKIPPED: @xen
OK: univention-install univention-kernel-headers
OK: zless /usr/share/doc/linux-image-3.16.0-ucs134-686-pae/changelog.Debian.gz
OK: 2015-06-24-linux.yaml
OK: 2015-06-24-univention-kernel-image.yaml
OK: 2015-06-24-univention-kernel-image-signed.yaml
OK: errata-announce -V 2015-06-24-*.yaml
<http://errata.univention.de/ucs/4.0/248.html>
<http://errata.univention.de/ucs/4.0/249.html>
<http://errata.univention.de/ucs/4.0/250.html>