Univention Bugzilla – Bug 50140
linux: Multiple issues (4.4)
Last modified: 2019-09-11 15:25:35 CEST
New Debian linux 4.9.189-3 fixes:

This update addresses the following issues:

* The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading " ref *desc *node" lines in a debugfs file. (CVE-2018-20509)
* The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "*from *code *flags" lines in a debugfs file. (CVE-2018-20510)
* Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)
* The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. (CVE-2019-9506)
* A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security effects. (CVE-2019-10142)
* The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (CVE-2019-11487)
* An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. (CVE-2019-15211)
* An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)
* An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)
* An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (CVE-2019-15216)
* An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)
* An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (CVE-2019-15219)
* An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)
* An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
* An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c. (CVE-2019-15292)
* An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS. (CVE-2019-15538)
* An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation. (CVE-2019-15666)
* In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)
* An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure. (CVE-2019-15924)
* An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c. (CVE-2019-15926)
--- mirror/ftp/4.4/unmaintained/component/4.4-1-errata/source/univention-kernel-image-signed_5.0.0-6A~4.4.0.201908130928.dsc +++ apt/ucs_4.4-0-errata4.4-1/source/univention-kernel-image-signed_5.0.0-7A~4.4.0.201909091658.dsc @@ -1,6 +1,10 @@ -5.0.0-6A~4.4.0.201908130928 [Tue, 13 Aug 2019 09:28:09 +0200] Univention builddaemon <buildd@univention.de>: +5.0.0-7A~4.4.0.201909091658 [Mon, 09 Sep 2019 16:58:55 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.0-7 [Mon, 09 Sep 2019 16:31:18 +0200] Philipp Hahn <hahn@univention.de>: + + * Bug #50140: Update to linux-4.9.189-3 5.0.0-6 [Tue, 13 Aug 2019 09:23:29 +0200] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-1/#5028424817790559312>
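Review bot: the new 5.0.0-7 changelog entry reads only "Bug #50140: Update to linux-4.9.189-3" and names none of the CVEs this update is meant to fix. Consider listing the CVE identifiers in that entry, so that someone checking whether a given CVE is covered can find it in the package changelog without going back to the bug report. The entry also gives an upstream kernel version (4.9.189-3) under a package versioned 5.0.0-7, so a short note on how the two relate would help anyone reading the changelog on its own.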
OK: apt install univention-kernel-image=
OK: amd64 @ xen16
OK: amd64 @ kvm
OK: amd64 @ kvm+OVMF
OK: cat /sys/kernel/security/securelevel ; echo
OK: i386 @ kvm
OK: uname -a
OK: dmesg
OK: YAML
OK: announce-errata -V
<http://errata.software-univention.de/ucs/4.4/271.html>
<http://errata.software-univention.de/ucs/4.4/272.html>
<http://errata.software-univention.de/ucs/4.4/273.html>