Univention Bugzilla – Bug 45243
linux: Multiple security issues (4.1)
Last modified: 2018-01-30 10:27:26 CET
Linux 4.1.42 fixes at least the following security issues compared to 4.1.40:

git log v4.1.40..v4.1.41
CVE-2017-7487: ee0d8d8482345ff97a75a7d747efc309f13b0d80
CVE-2017-10662: b9dd46188edc2f0d1f37328637860bb65a771124
CVE-2017-10661: 1e38da300e1e395a15048b0af1e5305bd91402f6
CVE-2017-7308: bcc5364bdcfe131e6379363f089e7b4108d35b70
CVE-2017-7308: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
CVE-2017-2671: 43a6684519ab0a6c52024b5e25322476cabad893
CVE-2016-9120: 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7
CVE-2016-9083: 05692d7005a364add85c6e25a6c4447ce08f913a
CVE-2016-7913: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
CVE-2017-8070: 2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478
CVE-2017-8069: 7926aff5c57b577ab0f43364ff0c59d968f6a414
CVE-2017-8068: 5593523f968bc86d42a035c6df47d5e0979b5ace
CVE-2017-8067: c4baad50297d84bde1a7ad45e50c73adae4a2192
CVE-2017-7889: a4866aa812518ed1a37d8ea0c881dc946409de94
CVE-2017-8064: 005145378c9ad7575a01b6ce1ba118fb427f583a
CVE-2017-2596: 06ce521af9558814b8606c0476c54497cf83a653
CVE-2017-7308: 2b6867c2ce76c596676bec7d2d525af525fdc6e2
CVE-2017-7616: cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
CVE-2017-1000363: 3e21f4af170bebf47c187c1ff8bf155583c9f3b1
CVE-2017-6074: 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

git log v4.1.41..v4.1.42
CVE-2017-1000364: 1be7107fbe18eed3e319a6c3e83c78254b693acb
CVE-2017-1000380: ba3021b2c79b2fa9114f92790a99deb27a65b728
CVE-2017-1000380: d11662f4f798b50d8c8743f433842c3e40fe3378
CVE-2017-9074: e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
CVE-2017-9074: 6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
CVE-2017-9242: 232cd35d0804cc241eb887bb8d4d9b3b9881c64a
CVE-2017-9074: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531
CVE-2017-9074: 2423496af35d94a87156b063ea5cedffc10a70a1
CVE-2017-9075: fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
CVE-2017-8890: 657831ffc38e30092a2d5f03d385d710eb88b09a
We should update the UCS 4.1-5 Kernel to the one built for UCS 4.2 (Bug 45981).
A customer asked for patches for UCS 4.1.
r17960 | Bug #45243: Allow linux-4.9 kernel
r17960 | Bug #45243: Compatibility to linux-4.1 kernel
r17962 | Bug #45243: Allow linux-4.9 kernel

Package: udev
Version: 175-7.2.47.201801110908
Version: 175-7.2.49.201801111117
Version: 175-7.2.50.201801111212
Branch: ucs_4.1-0
Scope: errata4.1-5

r17959 | Bug #45243: Allow initramfs-tools_0.115~bpo from UCS-4.1

OK: amd64 @ kvm SeaBIOS
OK: dmesg

d49357b4ba Bug #45243: linux-4.9.76
 linux.yaml
 udev.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml
Verified:
* Package update & reboot (virtualized and hardware): Ok
* KVM-Host (guest: paravirt windows VM): Ok
* Quick performance comparison: ldapsearch (read): No regression
* Advisories: Ok
Reopen: univention-upgrade does not upgrade automatically to the new kernel version in some cases

While testing the errata announce: The package does not get automatically installed if xserver-xorg-input-vmmouse is installed (e.g. by KDE or system-setup cleanup was not successful)

# apt-cache show linux-image-4.9.0-ucs107-amd64
Package: linux-image-4.9.0-ucs107-amd64
...
Breaks: initramfs-tools (<< 0.115~), xserver-xorg-input-vmmouse (<< 1:13.0.99)
(In reply to Erik Damrose from comment #5)
> Reopen: univention-upgrade does not upgrade automatically to the new kernel
> version in some cases
>
> While testing the errata announce: The package does not get automatically
> installed if xserver-xorg-input-vmmouse is installed (e.g. by KDE or
> system-setup cleanup was not successful)
>
> # apt-cache show linux-image-4.9.0-ucs107-amd64
> Package: linux-image-4.9.0-ucs107-amd64
> ...
> Breaks: initramfs-tools (<< 0.115~), xserver-xorg-input-vmmouse (<<
> 1:13.0.99)

r17963 | Bug #45243: Allow xserver-xorg-input-vmmouse from UCS-4.1

Packages modified manually in apt/ucs_4.2-0-errata4.2-3/

FYI: Xorg fails to load with "cirrus" in Qemu - known workaround is

grep QEMU /proc/cpuinfo && ucr set repository/online/unmaintained=yes
univention-install xserver-xorg-video-modesetting && rm -f /usr/lib/xorg/modules/drivers/cirrus_ && /etc/init.d/kdm restart
Okay, package modified. Verified as discussed.
<http://errata.software-univention.de/ucs/4.1/490.html>
<http://errata.software-univention.de/ucs/4.1/491.html>
<http://errata.software-univention.de/ucs/4.1/492.html>
<http://errata.software-univention.de/ucs/4.1/493.html>
<http://errata.software-univention.de/ucs/4.1/494.html>