Bug 45243 - linux: Multiple security issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-5-errata
Assigned To: Philipp Hahn
QA Contact: Erik Damrose
http://git.kernel.org/cgit/linux/kern...
Depends on: 45981 46009
Blocks: 46188
Reported: 2017-08-22 15:18 CEST by Arvid Requate
Modified: 2018-01-30 10:27 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018010821000385
Bug group (optional): Security
Max CVSS v3 score:
Description Arvid Requate univentionstaff 2017-08-22 15:18:32 CEST
Linux 4.1.42 fixes at least the following security issues compared to 4.1.40:

git log v4.1.40..v4.1.41
CVE-2017-7487: ee0d8d8482345ff97a75a7d747efc309f13b0d80
CVE-2017-10662: b9dd46188edc2f0d1f37328637860bb65a771124
CVE-2017-10661: 1e38da300e1e395a15048b0af1e5305bd91402f6
CVE-2017-7308: bcc5364bdcfe131e6379363f089e7b4108d35b70
CVE-2017-7308: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
CVE-2017-2671: 43a6684519ab0a6c52024b5e25322476cabad893
CVE-2016-9120: 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7
CVE-2016-9083: 05692d7005a364add85c6e25a6c4447ce08f913a
CVE-2016-7913: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
CVE-2017-8070: 2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478
CVE-2017-8069: 7926aff5c57b577ab0f43364ff0c59d968f6a414
CVE-2017-8068: 5593523f968bc86d42a035c6df47d5e0979b5ace
CVE-2017-8067: c4baad50297d84bde1a7ad45e50c73adae4a2192
CVE-2017-7889: a4866aa812518ed1a37d8ea0c881dc946409de94
CVE-2017-8064: 005145378c9ad7575a01b6ce1ba118fb427f583a
CVE-2017-2596: 06ce521af9558814b8606c0476c54497cf83a653
CVE-2017-7308: 2b6867c2ce76c596676bec7d2d525af525fdc6e2
CVE-2017-7616: cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
CVE-2017-1000363: 3e21f4af170bebf47c187c1ff8bf155583c9f3b1
CVE-2017-6074: 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
git log v4.1.41..v4.1.42
CVE-2017-1000364: 1be7107fbe18eed3e319a6c3e83c78254b693acb
CVE-2017-1000380: ba3021b2c79b2fa9114f92790a99deb27a65b728
CVE-2017-1000380: d11662f4f798b50d8c8743f433842c3e40fe3378
CVE-2017-9074: e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
CVE-2017-9074: 6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
CVE-2017-9242: 232cd35d0804cc241eb887bb8d4d9b3b9881c64a
CVE-2017-9074: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531
CVE-2017-9074: 2423496af35d94a87156b063ea5cedffc10a70a1
CVE-2017-9075: fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
CVE-2017-8890: 657831ffc38e30092a2d5f03d385d710eb88b09a
Comment 1 Arvid Requate univentionstaff 2018-01-08 14:47:45 CET
We should update the UCS 4.1-5 Kernel to the one built for UCS 4.2 (Bug 45981).
Comment 2 Nico Stöckigt univentionstaff 2018-01-08 16:11:33 CET
A customer asked for patches for UCS 4.1.
Comment 3 Philipp Hahn univentionstaff 2018-01-11 13:35:48 CET
r17960 | Bug #45243: Allow linux-4.9 kernel
r17960 | Bug #45243: Compatibility to linux-4.1 kernel
r17962 | Bug #45243: Allow linux-4.9 kernel

Package: udev
Version: 175-7.2.47.201801110908
Version: 175-7.2.49.201801111117
Version: 175-7.2.50.201801111212
Branch: ucs_4.1-0
Scope: errata4.1-5

r17959 | Bug #45243: Allow initramfs-tools_0.115~bpo from UCS-4.1

OK: amd64 @ kvm SeaBIOS
OK: dmesg

d49357b4ba Bug #45243: linux-4.9.76
 linux.yaml
 udev.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml
Comment 4 Arvid Requate univentionstaff 2018-01-12 00:30:42 CET
Verified:

* Package update & reboot (virtualized and hardware): Ok
* KVM-Host (guest: paravirt windows VM): Ok
* Quick performance comparison: ldapsearch (read): No regression
* Advisories: Ok
Comment 5 Erik Damrose univentionstaff 2018-01-12 11:54:43 CET
Reopen: univention-upgrade does not upgrade automatically to the new kernel version in some cases

While testing the errata announcement: the package does not get installed automatically if xserver-xorg-input-vmmouse is installed (e.g. by KDE, or when the system-setup cleanup was not successful).

# apt-cache show linux-image-4.9.0-ucs107-amd64
Package: linux-image-4.9.0-ucs107-amd64
...
Breaks: initramfs-tools (<< 0.115~), xserver-xorg-input-vmmouse (<< 1:13.0.99)
Comment 6 Philipp Hahn univentionstaff 2018-01-12 14:30:11 CET
(In reply to Erik Damrose from comment #5)
> Reopen: univention-upgrade does not upgrade automatically to the new kernel
> version in some cases
> 
> While testing the errata announce: The package does not get automatically
> installed if xserver-xorg-input-vmmouse is installed (e.g. by KDE or
> system-setup cleanup was not successful)
> 
> # apt-cache show linux-image-4.9.0-ucs107-amd64
> Package: linux-image-4.9.0-ucs107-amd64
> ...
> Breaks: initramfs-tools (<< 0.115~), xserver-xorg-input-vmmouse (<<
> 1:13.0.99)

r17963 | Bug #45243: Allow xserver-xorg-input-vmmouse from UCS-4.1

Packages modified manually in apt/ucs_4.2-0-errata4.2-3/

FYI: Xorg fails to load with "cirrus" in Qemu - known workaround is
  grep QEMU /proc/cpuinfo &&
  ucr set repository/online/unmaintained=yes &&
  univention-install xserver-xorg-video-modesetting &&
  rm -f /usr/lib/xorg/modules/drivers/cirrus_ &&
  /etc/init.d/kdm restart
Comment 7 Erik Damrose univentionstaff 2018-01-12 15:15:54 CET
Okay, package modified. Verified as discussed