Bug 49676 - linux: Multiple issues (4.4)
linux: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-0-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-06-18 12:14 CEST by Quality Assurance
Modified: 2019-06-19 15:52 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-06-18 12:14:22 CEST
New Debian linux 4.9.168-1+deb9u3 fixes:
This update addresses the following issues:
* Heap overflow in mwifiex_update_bss_desc_with_ie function in  marvell/mwifiex/scan.c (CVE-2019-3846)
* page cache side channel attacks (CVE-2019-5489)
* brcmfmac heap buffer overflow in brcmf_wowl_nd_results (CVE-2019-9500)
* brcmfmac frame validation bypass (CVE-2019-9503)
* Heap Overflow in mwifiex_uap_parse_tail_ies function in  drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)
* tcp: integer overflow while processing SACK blocks allows remote denial of  service (CVE-2019-11477)
* tcp: excessive resource consumption while processing SACK blocks allows  remote denial of service (CVE-2019-11478)
* tcp: excessive resource consumption for TCP connections with low MSS allows  remote denial of service (CVE-2019-11479)
* multiple race conditions in Siemens R3964 line discipline driver in  drivers/tty/n_r3964.c leading to denial of service (CVE-2019-11486)
* fix race condition between mmget_not_zero()/get_task_mm() and core dumping  (CVE-2019-11599)
* race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to  use-after-free (CVE-2019-11815)
* fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)
* sensitive information disclosure from kernel stack memory via HIDPCONNADD  command (CVE-2019-11884)
Comment 1 Quality Assurance univentionstaff 2019-06-18 13:50:15 CEST
--- mirror/ftp/4.4/unmaintained/component/4.4-0-errata/source/linux_4.9.168-1+deb9u2.dsc
+++ apt/ucs_4.4-0-errata4.4-0/source/linux_4.9.168-1+deb9u3.dsc
@@ -1,3 +1,33 @@
+4.9.168-1+deb9u3 [Sun, 16 Jun 2019 15:38:39 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Salvatore Bonaccorso ]
+  * tcp: limit payload size of sacked skbs (CVE-2019-11477)
+  * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478)
+  * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479)
+  * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
+  * tcp: fix fack_count accounting on tcp_shift_skb_data()
+
+  [ Ben Hutchings ]
+  * tcp: Avoid ABI change for DoS fixes
+  * mm/mincore.c: make mincore() more conservative (CVE-2019-5489)
+  * brcmfmac: add length checks in scheduled scan result handler
+  * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
+  * brcmfmac: add subtype check for event handling in data path (CVE-2019-9503)
+  * tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486)
+  * coredump: fix race condition between mmget_not_zero()/get_task_mm() and
+    core dumping (CVE-2019-11599)
+  * net: rds: force to destroy connection if t_sock is NULL in
+    rds_tcp_kill_sock(). (CVE-2019-11815) (Closes: #928989)
+  * ext4: zero out the unused memory region in the extent tree block
+    (CVE-2019-11833)
+  * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
+  * mwifiex: Fix possible buffer overflows at parsing bss descriptor
+    (CVE-2019-3846)
+  * mwifiex: Abort at too short BSS descriptor element
+  * mwifiex: Don't abort on small, spec-compliant vendor IEs
+  * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+    (CVE-2019-10126)
+
 4.9.168-1+deb9u2 [Mon, 13 May 2019 21:59:18 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   [ Salvatore Bonaccorso ]

<http://10.200.17.11/4.4-0/#51094133489667651>
Comment 2 Philipp Hahn univentionstaff 2019-06-18 15:12:34 CEST
[4.4-0] 1d30beb425 Bug #49676: Update to linux-4.9.168-1+deb9u3
 .../debian/changelog                               |   6 ++++++
 .../univention-kernel-image-signed/debian/control  |   4 ++--
 .../vmlinuz-4.9.0-9-amd64.efi.signed               | Bin 4253296 -> 4249200 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-4A~4.4.0.201906181329
Branch: ucs_4.4-0
Scope: errata4.4-0

[4.4-0] 49f5db264a Bug #49676: univention-kernel-image-signed 5.0.0-4A~4.4.0.201906181329
 doc/errata/staging/linux.yaml                      |  1 +
 .../staging/univention-kernel-image-signed.yaml    | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)

OK: piupararts
OK: amd64 @ kvm OVMF + SB
OK: amd64 @ kvm SeaBIOS
OK: amd64 @ lynx
OK: i386 @ kvm
OK: dmesg
OK: uname -r