Univention Bugzilla – Bug 42353
linux: Multiple security issues (3.3)
Last modified: 2016-10-27 18:22:21 CEST
We should update UCS-3.3 to the latest 3.16[.36] (or later, e.g. .37 from <https://www.kernel.org/>) kernel, as <http://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_3.16.36-1+deb8u1_changelog> contains a lot more fixes than <http://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_3.16.7-ckt25-2+deb8u3~bpo70+1_changelog>.

Currently there is no Debian-Wheezy backport, so we can take the version from Debian-Jessie, but must add the changes to support the old build-system:

> * Rebuild for wheezy:
>   - Disable architectures that weren't part of wheezy
>   - Use gcc-4.6 for all architectures
>   - Change ABI number to 0.bpo.4
>   - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
>   - linux-image: Depend on initramfs-tools without any alternatives, so
>     that neither apt nor aptitude will automatically switch to dracut

+++ This bug was initially created as a clone of Bug #41693 +++
Upstream Debian (Jessie) package version 3.16.36-1+deb8u2 fixes the following issues:

* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)
* Privilege escalation via MAP_PRIVATE COW breakage. (CVE-2016-5195)
* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
requested here: Ticket#2016102621000346
Package: linux
Version: 3.16.38-0.1~bpo70+1.211.201610261422
Version: 3.16.38-0.1~bpo70+1.212.201610261445
Branch: ucs_3.3-0
Scope: errata3.3-0

r73665 | Bug #42353 kernel: Update to linux-3.16.38

Package: univention-kernel-image
Version: 7.100.0-9.115.201610261744
Branch: ucs_3.3-0
Scope: errata3.3-0

r73667 | Bug #42353 kernel: Update to linux-3.16.38 YAML
Ok, the 3.16.36-1+deb8u2~bpo70+1 Debian source package has been updated to the state of the kernel.org linux-stable branch linux-3.16.y tag v3.16.38 and the UCS and Debian patches have been merged into the source package, see Bug 41693 and:

* This UCS patch for 3.16.7-ckt25-2~bpo70+1: 60_KVM-x86-bit-ops-emulation-ignores-offset-on-64-bit.patch is now part of 3.16.38-0.1+deb8u2~bpo70+1-errata3.3-0, applied as debian/patches: bugfix/x86/KVM-x86-bit-ops-emulation-ignores-offset-on-64-bit.patch
* Package update and reboot: Ok
* Advisory: Ok

From my research there are a couple of additional CVEs fixed between 3.16.7-ckt25-2_bpo70+1 and 3.16.36-1+deb8u2_bpo70+1 and between v3.16.36..v3.16.38, e.g. CVE-2016-7117, but that's ok, I guess. The important thing is that we have an updated package.
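Whether a given host already carries this errata kernel comes down to Debian version ordering, and the version strings in this bug exercise its awkward corner: a `~bpo70+1` backport sorts *before* the plain Jessie version it was built from, because `~` sorts before the end of the string. The following is an added example, not code from this bug or from UCS: a Python reimplementation of the comparison dpkg performs, applied to the version strings that appear above. Function names (`compare_versions`, `includes_fix`) are this example's own.

```python
"""Debian package version ordering, reimplemented from the dpkg algorithm.

Added example for illustration; not part of Univention Bug 42353 or UCS.
The version strings in VERSIONS are copied from the bug report.
"""


def _isdigit(c: str) -> bool:
    # ASCII digits only, as dpkg's c_isdigit() does
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run.

    dpkg rules: '~' sorts before the end of the string (weight 0),
    letters sort by ASCII value, all other characters sort after letters.
    """
    if c == "" or _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)
    by alternating non-digit runs and numeric runs, like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character-by-character with _order() weights.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts.
    Epoch defaults to 0; the revision is everything after the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions v1 lt/eq/gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def includes_fix(installed: str, fixed_in: str) -> bool:
    """True when the installed package version is at or above the fixing version."""
    return compare_versions(installed, fixed_in) >= 0


# Version strings taken from the bug report above.
VERSIONS = {
    "old UCS 3.3 kernel": "3.16.7-ckt25-2+deb8u3~bpo70+1",
    "Jessie kernel": "3.16.36-1+deb8u2",
    "Jessie kernel, wheezy backport": "3.16.36-1+deb8u2~bpo70+1",
    "errata build 211": "3.16.38-0.1~bpo70+1.211.201610261422",
    "errata build 212": "3.16.38-0.1~bpo70+1.212.201610261445",
}

if __name__ == "__main__":
    fixed = VERSIONS["errata build 212"]
    for name, ver in VERSIONS.items():
        state = "fixed" if includes_fix(ver, fixed) else "VULNERABLE"
        print(f"{state:10s} {name}: {ver}")
```

On a Debian-derived host the same question is answered by `dpkg --compare-versions INSTALLED ge FIXED`, which exits 0 when the installed version is at or above the fixed one; the reimplementation is useful when checking inventories offline or in a language that has no dpkg at hand.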
Damn, the Bug ID was missing in the advisory. Marking it as duplicate of Bug 41693, so this can be detected via that Bug.

*** This bug has been marked as a duplicate of bug 41693 ***