Univention Bugzilla – Bug 49676
linux: Multiple issues (4.4)
Last modified: 2019-06-19 15:52:48 CEST
New Debian linux 4.9.168-1+deb9u3 fixes:

This update addresses the following issues:
* Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846)
* page cache side channel attacks (CVE-2019-5489)
* brcmfmac heap buffer overflow in brcmf_wowl_nd_results (CVE-2019-9500)
* brcmfmac frame validation bypass (CVE-2019-9503)
* Heap Overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)
* tcp: integer overflow while processing SACK blocks allows remote denial of service (CVE-2019-11477)
* tcp: excessive resource consumption while processing SACK blocks allows remote denial of service (CVE-2019-11478)
* tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service (CVE-2019-11479)
* multiple race conditions in Siemens R3964 line discipline driver in drivers/tty/n_r3964.c leading to denial of service (CVE-2019-11486)
* fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)
* race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to use-after-free (CVE-2019-11815)
* fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)
* sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884)
--- mirror/ftp/4.4/unmaintained/component/4.4-0-errata/source/linux_4.9.168-1+deb9u2.dsc +++ apt/ucs_4.4-0-errata4.4-0/source/linux_4.9.168-1+deb9u3.dsc @@ -1,3 +1,33 @@ +4.9.168-1+deb9u3 [Sun, 16 Jun 2019 15:38:39 +0100] Ben Hutchings <ben@decadent.org.uk>: + + [ Salvatore Bonaccorso ] + * tcp: limit payload size of sacked skbs (CVE-2019-11477) + * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478) + * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479) + * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() + * tcp: fix fack_count accounting on tcp_shift_skb_data() + + [ Ben Hutchings ] + * tcp: Avoid ABI change for DoS fixes + * mm/mincore.c: make mincore() more conservative (CVE-2019-5489) + * brcmfmac: add length checks in scheduled scan result handler + * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500) + * brcmfmac: add subtype check for event handling in data path (CVE-2019-9503) + * tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486) + * coredump: fix race condition between mmget_not_zero()/get_task_mm() and + core dumping (CVE-2019-11599) + * net: rds: force to destroy connection if t_sock is NULL in + rds_tcp_kill_sock(). (CVE-2019-11815) (Closes: #928989) + * ext4: zero out the unused memory region in the extent tree block + (CVE-2019-11833) + * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884) + * mwifiex: Fix possible buffer overflows at parsing bss descriptor + (CVE-2019-3846) + * mwifiex: Abort at too short BSS descriptor element + * mwifiex: Don't abort on small, spec-compliant vendor IEs + * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() + (CVE-2019-10126) + 4.9.168-1+deb9u2 [Mon, 13 May 2019 21:59:18 +0100] Ben Hutchings <ben@decadent.org.uk>: [ Salvatore Bonaccorso ] <http://10.200.17.11/4.4-0/#51094133489667651>
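Review bot: in the new 4.9.168-1+deb9u3 block, the entries "tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486)" and "tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479)" are not plain code fixes: the first marks a driver as BROKEN and the second adds a tunable. The erratum text for this update should state both, that is, that the R3964 line discipline is no longer usable after the update and which tcp_min_snd_mss value administrators are expected to set, because the issue summary in this bug lists the two CVEs only as addressed.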
[4.4-0] 1d30beb425 Bug #49676: Update to linux-4.9.168-1+deb9u3
 .../debian/changelog | 6 ++++++
 .../univention-kernel-image-signed/debian/control | 4 ++--
 .../vmlinuz-4.9.0-9-amd64.efi.signed | Bin 4253296 -> 4249200 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-4A~4.4.0.201906181329
Branch: ucs_4.4-0
Scope: errata4.4-0

[4.4-0] 49f5db264a Bug #49676: univention-kernel-image-signed 5.0.0-4A~4.4.0.201906181329
 doc/errata/staging/linux.yaml | 1 +
 .../staging/univention-kernel-image-signed.yaml | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)

OK: piuparts
OK: amd64 @ kvm OVMF + SB
OK: amd64 @ kvm SeaBIOS
OK: amd64 @ lynx
OK: i386 @ kvm
OK: dmesg
OK: uname -r
<http://errata.software-univention.de/ucs/4.4/152.html> <http://errata.software-univention.de/ucs/4.4/153.html>