Univention Bugzilla – Bug 46984
linux: Multiple issues (4.3)
Last modified: 2018-05-16 17:04:26 CEST
New Debian linux 4.9.88-1+deb9u1 fixes: This update of the Linux kernel to version 4.9.88 addresses the following issues: * use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c (CVE-2017-17975) * Mishandled extent trees in fs/f2fs/extent_cache.c can allow a local user to cause a denial of service (CVE-2017-18193) * Null pointer dereference in fs/ocfs2/cluster/nodemanager.c allows local users to cause denial of service (CVE-2017-18216) * Use-after-free vulnerability in drivers/net/ethernet/hisilicon/hns/hns_enet.c allows local attacker to cause denial of service (CVE-2017-18218) * Memory corruption in ethtool_get_strings function in hns driver (CVE-2017-18222) * race condition due to concurrent access to extent tree in fs/ocfs2/aops.c (CVE-2017-18224) * Null pointer dereference in fs/f2fs/segment.c via mounting fs with noflush_merge option allows local denial of service (CVE-2017-18241) * Inifinite loop caused by integer overflow in fs/f2fs/data.c:__get_data_block() allows for denial of service (CVE-2017-18257) * netfilter: xtables NULL pointer dereference in ip6_tables.c:ip6t_do_table() leading to a crash (CVE-2018-1065) * Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel (CVE-2018-1066) * Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068) * KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087) * NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image (CVE-2018-1093) * drivers: getrandom(2) unblocks too early after system boot (CVE-2018-1108) * Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803) * Double free in block/blk-cgroup.c:blkcg_init_queue() can allow a local user to cause a denial of service (CVE-2018-7480) * race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566) * Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) * Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c (CVE-2018-7995) * Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087) * Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c (CVE-2018-8822) * error in exception handling leads to DoS (CVE-2018-8897) * Invalid pointer dereference in xfs_bmapi_write() when mounting and operating on crafted xfs image allows denial of service (CVE-2018-10323) * ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199) CVE-2017-17975 kernel: use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c CVE-2017-18193 kernel: Mishandled extent trees in fs/f2fs/extent_cache.c can allow a local user to cause a denial of service CVE-2017-18216 kernel: Null pointer dereference in fs/ocfs2/cluster/nodemanager.c allows local users to cause denial of service CVE-2017-18218 kernel: Use-after-free vulnerability in drivers/net/ethernet/hisilicon/hns/hns_enet.c allows local attacker to cause denial of service CVE-2017-18222 kernel: Memory corruption in ethtool_get_strings function in hns driver CVE-2017-18224 kernel: race condition due to concurrent access to extent tree in fs/ocfs2/aops.c CVE-2017-18241 kernel: Null pointer dereference in fs/f2fs/segment.c via mounting fs with noflush_merge option allows local denial of service CVE-2017-18257 kernel: Inifinite loop caused by integer overflow in fs/f2fs/data.c:__get_data_block() allows for denial of service CVE-2018-1065 kernel: netfilter: xtables NULL pointer dereference in ip6_tables.c:ip6t_do_table() leading to a crash CVE-2018-1066 kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image CVE-2018-1093 kernel: Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service CVE-2018-7480 kernel: Double free in block/blk-cgroup.c:blkcg_init_queue() can allow a local user to cause a denial of service CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access CVE-2018-7740 kernel: Denial of service in resv_map_release function in mm/hugetlb.c CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c CVE-2018-7995 kernel: Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c CVE-2018-8087 kernel: Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space CVE-2018-8822 kernel: Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c CVE-2018-8897 Kernel: error in exception handling leads to DoS CVE-2018-10323 kernel: Invalid pointer dereference in xfs_bmapi_write() when mounting and operating on crafted xfs image allows denial of service CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS
Package: univention-kernel-image-signed Version: 4.0.0-3A~4.3.0.201805091310 Branch: ucs_4.3-0 Scope: errata4.3-0 [4.3-0] 16e5266fdc Bug #46984: linux_4.9.88-1+deb9u1 YAML doc/errata/staging/linux.yaml | 2 +- doc/errata/staging/univention-kernel-image-signed.yaml | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+), 1 deletion(-) [4.3-0] 09d2de9abd Bug #46984: Update to linux-4.9.88 kernel/univention-kernel-image-signed/debian/changelog | 6 ++++++ kernel/univention-kernel-image-signed/vmlinuz-4.9.0-6-amd64.efi.signed | Bin 4224624 -> 4228720 bytes 2 files changed, 6 insertions(+) [4.3-0] bd1bed7490 Bug #46984: linux_4.9.88-1+deb9u1 doc/errata/staging/linux.yaml | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) OK: apt-get install linux-image-4.9.0-6-amd64 linux-image-4.9.0-6-amd64-signed OK: amd64 @ kvm-bios OK: amd64 @ HW OK: diff <(./linux-dmesg-norm 4.9.0-6-amd64.82) <(./linux-dmesg-norm 4.9.0-6-amd64.88) < Spectre V2 : Enabling Indirect Branch Prediction Barrier > Spectre V2 : Enabling Restricted Speculation for firmware calls > Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier FYI: As there is no API change in the Debian Linux package, the package is still names the same and thus there is no need to update univention-kernel-image.
* No UCS specific patches * Comparison to previously shipped version ok * Binary package update and reboot Ok * Advisories Ok
<http://errata.software-univention.de/ucs/4.3/79.html> <http://errata.software-univention.de/ucs/4.3/80.html>