Bug 50004 - linux: Multiple issues (4.3)
linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-4-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-13 08:51 CEST by Quality Assurance
Modified: 2019-08-14 17:05 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-08-13 08:51:53 CEST
New Debian linux 4.9.168-1+deb9u5 fixes:
This update addresses the following issues:
* non-maskable interrupts triggerable by guests (xsa120) (CVE-2015-8553)
* Information Exposure through dmesg data from a "pages/cpu" printk call  (CVE-2018-5995)
* race condition in smp_task_timedout() and smp_task_done() in  drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)
* Use-after-free in __blk_drain_queue() function in block/blk-core.c  (CVE-2018-20856)
* hw: Spectre SWAPGS gadget vulnerability (CVE-2019-1125)
* denial of service vector through vfio DMA mappings (CVE-2019-3882)
* vhost_net: infinite loop while receiving packets leads to DoS  (CVE-2019-3900)
* null-pointer dereference in hci_uart_set_flow_control (CVE-2019-10207)
* net: weak IP ID generation leads to remote device tracking (CVE-2019-10638)
* net: using kernel space address bits to derive IP ID may potentially break  KASLR (CVE-2019-10639)
* OOB writes in parse_hid_report_descriptor in drivers/input/tablet/gtco.c  (CVE-2019-13631)
* denial of service in arch/powerpc/kernel/signal_32.c and  arch/powerpc/kernel/signal_64.c via sigreturn() system call  (CVE-2019-13648)
* integer overflow and OOB read in drivers/block/floppy.c (CVE-2019-14283)
* denial of service in drivers/block/floppy.c by setup_format_params  division-by-zero (CVE-2019-14284)
Comment 1 Quality Assurance univentionstaff 2019-08-13 09:00:27 CEST
--- mirror/ftp/4.3/unmaintained/component/4.3-4-errata/source/linux_4.9.168-1+deb9u4.dsc
+++ apt/ucs_4.3-0-errata4.3-4/source/linux_4.9.168-1+deb9u5.dsc
@@ -1,3 +1,42 @@
+4.9.168-1+deb9u5 [Sun, 11 Aug 2019 15:53:40 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * [amd64] Add mitigation for Spectre v1 swapgs (CVE-2019-1125):
+    - cpufeatures: Sort feature word 7
+    - speculation: Prepare entry code for Spectre v1 swapgs mitigations
+    - speculation: Enable Spectre v1 swapgs mitigations
+    - entry: Use JMP instead of JMPQ
+    - speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
+  * [x86] xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
+    (CVE-2015-8553)
+    - Add Breaks relation to incompatible qemu-system-x86 versions
+  * ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
+  * percpu: stop printing kernel addresses (CVE-2018-5995)
+  * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
+  * block: blk_init_allocated_queue() set q->fq as NULL in the fail case
+    (CVE-2018-20856)
+  * vfio/type1: Limit DMA mappings per container (CVE-2019-3882)
+  * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
+  * siphash: add cryptographically secure PRF
+  * inet: switch IP ID generator to siphash (CVE-2019-10638, CVE-2019-10639)
+  * Input: gtco - bounds check collection indent level (CVE-2019-13631)
+  * [ppc64el] tm: Fix oops on sigreturn on systems without TM (CVE-2019-13648)
+  * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
+  * floppy: fix out-of-bounds read in next_valid_format
+  * floppy: fix invalid pointer dereference in drive_name
+  * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
+  * inet: Avoid ABI change for IP ID hash change
+  * vhost: Fix possible infinite loop (CVE-2019-3900):
+    - vhost-net: set packet weight of tx polling to 2 * vq size
+    - vhost_net: use packet weight for rx handler, too
+    - vhost_net: introduce vhost_exceeds_weight()
+    - vhost: introduce vhost_exceeds_weight()
+    - vhost_net: fix possible infinite loop
+    - vhost: scsi: add weight support
+  * vhost: Ignore ABI changes
+  * netfilter: ctnetlink: don't use conntrack/expect object addresses as id
+  * xen: let alloc_xenballooned_pages() fail if not enough memory free
+  * tcp: Clear sk_send_head after purging the write queue
+
 4.9.168-1+deb9u4 [Fri, 19 Jul 2019 13:41:00 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)

<http://10.200.17.11/4.3-4/#51094133496162801>
Comment 2 Philipp Hahn univentionstaff 2019-08-13 11:48:43 CEST
OK: apt install linux-image-4.9.0-9-amd64-signed=... linux-image-4.9.0-9-amd64=4.9...
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
SKIP: amd64 @ xenX
OK: cat /sys/kernel/security/securelevel ; echo
SKIP: i386 @ kvm
OK: uname -a
OK: dmesg
+ Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
OK: YAML
OK: announce-errata -V