Bug 38764 - linux: Multiple security issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.0-4-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: https://anonscm.debian.org/cgit/kerne...
Depends on: 37385

Reported: 2015-06-24 18:04 CEST by Janek Walkenhorst
Modified: 2016-01-27 17:11 CET (History)
Description Janek Walkenhorst univentionstaff 2015-06-24 18:04:21 CEST
After Bug #37385 the following security issues still need to be fixed:

Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13:

* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* Race condition in file handle support (CVE-2015-1420) [Now really].

These are currently still unfixed in the upstream kernel package:

* chown can be abused to remove xattr permissions of files (CVE-2015-1350)
* USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
Comment 1 Arvid Requate univentionstaff 2015-07-13 16:53:44 CEST
• It is possible to escape from bind mounts (CVE-2015-2925)
• SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212)
• kvm: x86: NULL pointer dereference in kvm_apic_has_events function (CVE-2015-4692)
• Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
• Linux UDP checksum DoS (CVE-2015-5364)
• Linux UDP checksum DoS EGAIN part (CVE-2015-5366)
Comment 2 Arvid Requate univentionstaff 2015-08-14 09:48:35 CEST
DSA 3313-1 mentions these as fixed in 3.16.7-ckt11-1+deb8u3:

* Denial of service and possible privilege escalation by local unprivileged user due to incorrect handling of an NMI that interrupts userspace and encounters an IRET (CVE-2015-5157)

* Privilege escalation by local unprivileged user due to improper handling of nested NMIs (CVE-2015-3290)

* Denial of service due to skipped NMIs triggered by a malicious userspace program (CVE-2015-3291)
Comment 3 Arvid Requate univentionstaff 2015-08-14 10:10:20 CEST
Additional fixes in that Debian security update version:

* Denial of service due to a flaw in the add_key function of the Linux kernel's keyring subsystem causing memory exhaustion, exploitable by a local user (CVE-2015-1333)

* Potential privilege escalation due to a use-after-free vulnerability in path lookup, user triggerable (CVE-2015-5706)

* Potential privilege escalation due to an integer overflow in the SCSI generic driver, exploitable by a local user with write permission on a SCSI generic device (CVE-2015-5707)

* Information leak in the md driver (CVE-2015-5697)
Comment 4 Arvid Requate univentionstaff 2016-01-19 23:29:02 CET
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u4 fixes these issues

CVE-2015-0272

    It was discovered that NetworkManager would set IPv6 MTUs based on
    the values received in IPv6 RAs (Router Advertisements), without
    sufficiently validating these values. A remote attacker could
    exploit this attack to disable IPv6 connectivity. This has been
    mitigated by adding validation in the kernel.

CVE-2015-2925

    Jann Horn discovered that when a subdirectory of a filesystem is
    bind-mounted into a container that has its own user and mount
    namespaces, a process with CAP_SYS_ADMIN capability in the user
    namespace can access files outside of the subdirectory.  The
    default Debian configuration mitigated this as it does not allow
    unprivileged users to create new user namespaces.

CVE-2015-5156

    Jason Wang discovered that when a virtio_net device is connected
    to a bridge in the same VM, a series of TCP packets forwarded
    through the bridge may cause a heap buffer overflow.  A remote
    attacker could use this to cause a denial of service (crash) or
    possibly for privilege escalation.

CVE-2015-6252

    Michael S. Tsirkin of Red Hat Engineering found that the vhost
    driver leaked file descriptors passed to it with the
    VHOST_SET_LOG_FD ioctl command. A privileged local user with access
    to the /dev/vhost-net file, either directly or via libvirt, could
    use this to cause a denial of service (hang or crash).

CVE-2015-6937

    It was found that the Reliable Datagram Sockets (RDS) protocol
    implementation did not verify that an underlying transport exists
    when creating a connection.  Depending on how a local RDS
    application initialised its sockets, a remote attacker might be
    able to cause a denial of service (crash) by sending a crafted
    packet.
Comment 5 Arvid Requate univentionstaff 2016-01-19 23:29:51 CET
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u5 fixes these issues

CVE-2015-2925

    Jann Horn discovered that when a subdirectory of a filesystem was
    bind-mounted into a chroot or mount namespace, a user that should
    be confined to that chroot or namespace could access the whole of
    that filesystem if they had write permission on an ancestor of
    the subdirectory.  This is not a common configuration for wheezy,
    and the issue has previously been fixed for jessie.

CVE-2015-5257

    Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB
    device could cause a denial of service (crash) by imitating a
    Whiteheat USB serial device but presenting a smaller number of
    endpoints.

CVE-2015-5283

    Marcelo Ricardo Leitner discovered that creating multiple SCTP
    sockets at the same time could cause a denial of service (crash)
    if the sctp module had not previously been loaded.  This issue
    only affects jessie.

CVE-2015-7613

    Dmitry Vyukov discovered that System V IPC objects (message queues
    and shared memory segments) were made accessible before their
    ownership and other attributes were fully initialised.  If a local
    user can race against another user or service creating a new IPC
    object, this may result in unauthorised information disclosure,
    unauthorised information modification, denial of service and/or
    privilege escalation.

    A similar issue existed with System V semaphore arrays, but was
    less severe because they were always cleared before being fully
    initialised.
Comment 6 Arvid Requate univentionstaff 2016-01-19 23:30:11 CET
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u6 fixes these issues

CVE-2015-5307

    Ben Serebrin from Google discovered a guest to host denial of
    service flaw affecting the KVM hypervisor. A malicious guest can
    trigger an infinite stream of "alignment check" (#AC) exceptions
    causing the processor microcode to enter an infinite loop where the
    core never receives another interrupt. This leads to a panic of the
    host kernel.

CVE-2015-7833

    Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a
    flaw in the processing of certain USB device descriptors in the
    usbvision driver. An attacker with physical access to the system can
    use this flaw to crash the system.

CVE-2015-7872

    Dmitry Vyukov discovered a vulnerability in the keyrings garbage
    collector allowing a local user to trigger a kernel panic.

CVE-2015-7990

    It was discovered that the fix for CVE-2015-6937 was incomplete. A
    race condition when sending a message on unbound socket can still
    cause a NULL pointer dereference. A remote attacker might be able to
    cause a denial of service (crash) by sending a crafted packet.
Comment 7 Arvid Requate univentionstaff 2016-01-19 23:30:34 CET
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u1 fixes these issues

CVE-2013-7446

    Dmitry Vyukov discovered that a particular sequence of valid
    operations on local (AF_UNIX) sockets can result in a
    use-after-free. This may be used to cause a denial of service
    (crash) or possibly for privilege escalation.

CVE-2015-7799

    It was discovered that a user granted access to /dev/ppp can cause a
    denial of service (crash) by passing invalid parameters to the
    PPPIOCSMAXCID ioctl. This also applies to ISDN PPP device nodes.

CVE-2015-7833

    Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a
    flaw in the processing of certain USB device descriptors in the
    usbvision driver. An attacker with physical access to the system can
    use this flaw to crash the system. This was partly fixed by the
    changes listed in DSA 3396-1.

CVE-2015-8104

    Jan Beulich reported a guest to host denial-of-service flaw
    affecting the KVM hypervisor running on AMD processors. A malicious
    guest can trigger an infinite stream of "debug" (#DB) exceptions
    causing the processor microcode to enter an infinite loop where the
    core never receives another interrupt. This leads to a panic of the
    host kernel.

CVE-2015-8374

    It was discovered that Btrfs did not correctly implement truncation
    of compressed inline extents. This could lead to an information
    leak, if a file is truncated and later made readable by other users.
    Additionally, it could cause data loss. This has been fixed for the
    stable distribution (jessie) only.

CVE-2015-8543

    It was discovered that a local user permitted to create raw sockets
    could cause a denial-of-service by specifying an invalid protocol
    number for the socket. The attacker must have the CAP_NET_RAW
    capability in their user namespace. This has been fixed for the
    stable distribution (jessie) only.
Comment 8 Arvid Requate univentionstaff 2016-01-19 23:30:54 CET
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u2 fixes these issues

CVE-2015-7513

    It was discovered that a local user permitted to use the x86 KVM
    subsystem could configure the PIT emulation to cause a denial of
    service (crash).

CVE-2015-7550

    Dmitry Vyukov discovered a race condition in the keyring subsystem
    that allows a local user to cause a denial of service (crash).

CVE-2015-8543

    It was discovered that a local user permitted to create raw sockets
    could cause a denial-of-service by specifying an invalid protocol
    number for the socket. The attacker must have the CAP_NET_RAW
    capability.

CVE-2015-8550

    Felix Wilhelm of ERNW discovered that the Xen PV backend drivers
    may read critical data from shared memory multiple times. This
    flaw can be used by a guest kernel to cause a denial of service
    (crash) on the host, or possibly for privilege escalation.

CVE-2015-8551 / CVE-2015-8552

    Konrad Rzeszutek Wilk of Oracle discovered that the Xen PCI
    backend driver does not adequately validate the device state when
    a guest configures MSIs. This flaw can be used by a guest kernel
    to cause a denial of service (crash or disk space exhaustion) on
    the host.

CVE-2015-8569

    Dmitry Vyukov discovered a flaw in the PPTP sockets implementation
    that leads to an information leak to local users.

CVE-2015-8575

    David Miller discovered a flaw in the Bluetooth SCO sockets
    implementation that leads to an information leak to local users.

CVE-2015-8709

    Jann Horn discovered a flaw in the permission checks for use of
    the ptrace feature. A local user who has the CAP_SYS_PTRACE
    capability within their own user namespace could use this flaw for
    privilege escalation if a more privileged process ever enters that
    user namespace. This affects at least the LXC system.
Comment 9 Arvid Requate univentionstaff 2016-01-19 23:31:09 CET
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u3 fixes these issues:

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial-of-service.

CVE-2013-4312

    Tetsuo Handa discovered that it is possible for a process to open
    far more files than the process' limit leading to denial-of-service
    conditions.

CVE-2015-7566

    Ralf Spenneberg of OpenSource Security reported that the visor
    driver crashes when a specially crafted USB device without bulk-out
    endpoint is detected.

CVE-2015-8767

    An SCTP denial-of-service was discovered which can be triggered by a
    local attacker during a heartbeat timeout event after the 4-way
    handshake.

CVE-2016-0723

    A use-after-free vulnerability was discovered in the TIOCGETD ioctl.
    A local attacker could use this flaw for denial-of-service.

CVE-2016-0728

    The Perception Point research team discovered a use-after-free
    vulnerability in the keyring facility, possibly leading to local
    privilege escalation.
Comment 10 Philipp Hahn univentionstaff 2016-01-21 15:16:58 CET
# repo_admin.py -U -p linux -d wheezy-backports -r 4.0-0-0 -s errata4.0-4
 -> 3.16.7-ckt20-1+deb8u3
 -> 3.16.7-ckt20-1+deb8u2~bpo70+1
                        ^ wrong version → delayed for now.
# b40-scope errata4.0-4 linux

r15755 | Bug #38764: UCS-4.0 linux
 Update to 3.16.7-ckt20-1+deb8u2~bpo70+1 and refresh patches
r15756 | Bug #38764 linux: wheezy-backports
 Fix wrong import

Release is tagged in <https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=debian/3.16.7-ckt20-1%2bdeb8u3_bpo70%2b1&id=92064eed7ddc549e061695915f23cc29fca75fe7>, but not yet available from Debian <http://incoming.debian.org/debian-buildd/pool/main/l/linux/> nor <http://ftp.de.debian.org/debian/pool/main/l/linux/>
Comment 11 Philipp Hahn univentionstaff 2016-01-22 17:20:43 CET
Stolen from <http://ftp.de.debian.org/debian/pool/main/l/linux/>
# repo_admin.py -F -p linux -r 4.0-0-0 -s errata4.0-4

Package: linux
Version: 3.16.7-ckt20-1+deb8u3~bpo70+1.165.201601221131
Branch: ucs_4.0-0
Scope: errata4.0-4
Comment 12 Janek Walkenhorst univentionstaff 2016-01-22 18:18:19 CET
r66939 r66940

univention-kernel-image-signed (1.0.3-3)

  * Update to ucs165 (Bug #38764)
Comment 13 Philipp Hahn univentionstaff 2016-01-25 14:51:12 CET
Package: univention-kernel-image
Version: 8.0.6-8.84.201601231355
Branch: ucs_4.0-0
Scope: errata4.0-4

r66944 | Bug #38764 linux: 3.16.7-ckt20-1+deb8u3~bpo70
 linux.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml

OK: amd64 KVM
OK: i386 KVM
OK: amd64 xen14
Comment 14 Philipp Hahn univentionstaff 2016-01-25 14:59:38 CET
FYI: Review for ckt23 started 2016-01-24 and is open for 3 days.
<https://lkml.org/lkml/2016/1/24/169>
<http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-review>
Comment 15 Arvid Requate univentionstaff 2016-01-26 20:04:48 CET
Verified:
* 3.16.7-ckt20-1+deb8u3~bpo70+1 has been imported into errata4.0-4
* errata4.0-2 patches have been merged and adjusted
* build log shows patch application and success
* univention-kernel-image: ABI and dependency updated to ucs165
* univention-kernel-image-signed: updated to ucs165
* Package-Update: Ok
* Boot-Tests: Ok on:
** KVM i386
** KVM amd64
** hardware amd64
** UEFI hardware amd64 (USB Keyboard)
* KVM-Test: Ok (hardware amd64)
* Advisories: Ok

I guess repo-apt-dependencies needs to be run before finally announcing the errata? I didn't see a notice about this in the Errata-Updates wiki page.

Note: These are currently still unfixed in the upstream kernel package:

* chown can be abused to remove xattr permissions of files (CVE-2015-1350)
* USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)