Bug 45981 - linux: Multiple security issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
https://security.googleblog.com/2018/...
Depends on: 45242
Blocks: 45243 46009
Reported: 2018-01-04 20:42 CET by Arvid Requate
Modified: 2018-01-11 13:35 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018010521000309
Bug group (optional): Security
Max CVSS v3 score: 8.2 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
requate: Patch_Available+



Description Arvid Requate univentionstaff 2018-01-04 20:42:46 CET
Kernel 4.9.75 rc1 is currently in upstream review:

* https://lkml.org/lkml/2018/1/3/660
* https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.9.y

We should pull the patches, once they are final.
Amongst other things, I assume Kernel 4.9.75 will provide fixes for:

* cpu: speculative execution permission faults handling (CVE-2017-5754)
* cpu: speculative execution bounds-check bypass (CVE-2017-5753)
* cpu: speculative execution branch target injection (CVE-2017-5715)
Comment 1 Arvid Requate univentionstaff 2018-01-05 00:07:28 CET
Debian package version 4.9.65-3+deb9u2 fixes CVE-2017-5754.
Comment 2 Christina Scheinig univentionstaff 2018-01-05 15:39:32 CET
A customer already asked for a patch.
Comment 3 Philipp Hahn univentionstaff 2018-01-05 18:46:38 CET
Might also require <https://tracker.debian.org/news/899110>

r17945 | Bug #45981: linux-4.9.75
Comment 4 Philipp Hahn univentionstaff 2018-01-08 14:12:33 CET
Package: linux
Version: 4.9.30-2A~4.2.0.201801051733
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: Kernel/User page tables isolation: enabled

ea72c9fc2d Bug #45981: Copyright 2018
8652283eff Bug #45981: Update to linux-4.9.75-ucs106

Package: univention-kernel-image-signed
Version: 3.0.2-10A~4.2.0.201801081343
Branch: ucs_4.2-0
Scope: errata4.2-3

9bfa217616 Bug #45981: Copyright 2018
70c631590a Bug #45981: Update to linux-4.9.75-ucs106

Package: univention-kernel-image
Version: 10.0.0-9A~4.2.0.201801081348
Branch: ucs_4.2-0
Scope: errata4.2-3

322ec43ed5 Bug #45981: linux-4.9.75
 linux.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml

UNFIXED:
* cpu: speculative execution bounds-check bypass (CVE-2017-5753)
* cpu: speculative execution branch target injection (CVE-2017-5715)
Comment 5 Philipp Hahn univentionstaff 2018-01-08 14:14:14 CET
FYI: As our build system was offline last weekend, the kernel was built on kiwik. The patches were hand-applied; I forgot to list 4.9.75 in debian/changelog, but it was applied, as `dmesg` shows:
> Kernel/User page tables isolation: enabled
Comment 6 Nico Stöckigt univentionstaff 2018-01-08 14:26:26 CET
Again, a customer asked for patches for the UCS 4.1-5 kernel: 4.1.6-1.227.201706090945 (2017-06-09)
Comment 7 Arvid Requate univentionstaff 2018-01-08 15:05:57 CET
> again a customer asked for patches for UCS 4.1-5 kernel: 4.1.6-1.227.201706090945 (2017-06-09)

This is the Bug for UCS 4.2, Bug 45243 is for the UCS 4.1 kernel.
Comment 8 Arvid Requate univentionstaff 2018-01-08 16:20:25 CET
* 4.9.65 - 4.9.75 Patches: ok
* Package update & reboot: ok
* dmesg message found "Kernel/User page tables isolation: enabled"
* UEFI Kernel boots: ok
* Advisories: ok
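The QA checklist in comment 8 verifies two things on an updated host: the running kernel is at least 4.9.75, and `dmesg` reports the line "Kernel/User page tables isolation: enabled". The script below is an added example, not code from the bug or from Univention, that automates exactly those two checks so they can be repeated on every host after the errata is installed. It assumes the dmesg wording quoted in the bug; the sample dmesg text it runs against is constructed for the example, and the fixed version 4.9.75 is the one named in the bug.

```shell
#!/bin/sh
# Added example: verify that a host runs a kernel at or above the fixed
# version (4.9.75, per the bug) and that KPTI is active, judged by the
# dmesg line quoted in the bug. Not part of the bug or of Univention's tooling.

FIXED_VERSION="4.9.75"

# version_ge A B: succeed when dotted numeric version A >= B, field by field
# (missing trailing fields count as 0, so 4.9 == 4.9.0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# kernel_at_least RELEASE: strip the distro suffix from a "uname -r"-style
# string (4.9.75-ucs106, 4.9.65-3+deb9u2) and compare the numeric part.
kernel_at_least() {
    numeric=${1%%[-+]*}
    version_ge "$numeric" "$FIXED_VERSION"
}

# kpti_enabled DMESG_TEXT: succeed only if the kernel logged the exact
# "enabled" line from the bug; "disabled" does not match this fixed string.
kpti_enabled() {
    printf '%s\n' "$1" | grep -qF 'Kernel/User page tables isolation: enabled'
}

# check_host RELEASE DMESG_TEXT: print a verdict per check, return 0 only
# when both pass.
check_host() {
    release=$1; dmesg_text=$2; status=0
    if kernel_at_least "$release"; then
        echo "kernel $release: at or above $FIXED_VERSION"
    else
        echo "kernel $release: older than $FIXED_VERSION, update needed"; status=1
    fi
    if kpti_enabled "$dmesg_text"; then
        echo "KPTI: enabled (reported in dmesg)"
    else
        echo "KPTI: not reported as enabled in dmesg"; status=1
    fi
    return $status
}

# Constructed sample dmesg output (not captured from a real host).
SAMPLE_DMESG_FIXED='[    0.000000] Linux version 4.9.75-ucs106 (constructed sample)
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_DMESG_OLD='[    0.000000] Linux version 4.9.65-ucs105 (constructed sample)'

# Stand-alone demonstration on the constructed samples; on a real host use
#   check_host "$(uname -r)" "$(dmesg)"
check_host "4.9.75-ucs106" "$SAMPLE_DMESG_FIXED"
check_host "4.9.65-ucs105" "$SAMPLE_DMESG_OLD" || echo "(old kernel fails the check, as expected)"
```

The version comparison deliberately ignores everything after the first `-` or `+`, so a Debian-style `4.9.65-3+deb9u2` is judged by its upstream part only; that matches the bug's own reasoning, where the upstream stable release (4.9.75) is what carries the fix. The dmesg check alone is not sufficient, because a host that was updated but not rebooted still shows the old kernel's boot log, which is why both checks are combined.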