Bug 51702 – linux: Multiple issues (4.4)

Bug 51702 - linux: Multiple issues (4.4)


Summary:	linux: Multiple issues (4.4)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.4
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.4-5-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2020-07-22 15:01 CEST by Quality Assurance
Modified:	2020-07-29 16:50 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) NVD RedHat

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2020-07-22 15:01:30 CEST

New Debian linux 4.9.228-1 fixes:
This update addresses the following issues:
* l2tp: Race condition between pppol2tp_session_create() and  l2tp_eth_create() (CVE-2018-9517)
* go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux  kernel before 5.6 does not call snd_card_free for a failure path, which  causes a memory leak (CVE-2019-20810)
* In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to  shared memory due to a permissions bypass. This could lead to local  escalation of privilege by corrupting memory shared between processes, with  no additional execution privileges needed. User interaction is not needed  for exploitation. Product: Android Versions: Android kernel Android ID:  A-142938932 (CVE-2020-0009)
* some ipv6 protocols not encrypted over ipsec tunnel. (CVE-2020-1749)
* use-after-free in cdev_put() when a PTP device is removed while it's  chardev is open (CVE-2020-10690)
* Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an  attacker to turn off the SSBD protection. (CVE-2020-10766)
* Indirect Branch Prediction Barrier is force-disabled when STIBP is  unavailable or enhanced IBRS is available. (CVE-2020-10767)
* Indirect branch speculation can be enabled after it was force-disabled by  the PR_SPEC_FORCE_DISABLE prctl command. (CVE-2020-10768)
* DoS via concurrent calls to dw_spi_irq and dw_spi_transfer_one functions in  drivers/spi/spi-dw.c (CVE-2020-12769)
* possible to send arbitrary signals to a privileged (suidroot) parent  process (CVE-2020-12826)
* ** DISPUTED ** An issue was discovered in the Linux kernel through 5.7.1.  drivers/tty/vt/keyboard.c has an integer overflow if k_ascii is called  several times in a row, aka CID-b86dab054059. NOTE: Members in the  community argue that the integer overflow does not lead to a security issue  in this case. (CVE-2020-13974)

Comment 1 Quality Assurance

2020-07-23 13:16:06 CEST

--- mirror/ftp/4.4/unmaintained/4.4-4/source/univention-kernel-image_12.0.0-4A~4.4.0.202002271621.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/univention-kernel-image_12.0.0-5A~4.4.0.202007231023.dsc
@@ -1,6 +1,10 @@
-12.0.0-4A~4.4.0.202002271621 [Thu, 27 Feb 2020 16:21:28 +0100] Univention builddaemon <buildd@univention.de>:
+12.0.0-5A~4.4.0.202007231023 [Thu, 23 Jul 2020 10:23:20 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+12.0.0-5 [Thu, 23 Jul 2020 10:18:25 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #51702: Update to linux-4.9.0-13
 
 12.0.0-4 [Thu, 27 Feb 2020 16:20:13 +0100] Philipp Hahn <hahn@univention.de>:
 

<http://10.200.17.11/4.4-5/#929156092278504870>

Comment 2 Quality Assurance

2020-07-23 13:16:09 CEST

--- mirror/ftp/4.4/unmaintained/4.4-5/source/univention-kernel-image-signed_5.0.0-11A~4.4.0.202006171143.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/univention-kernel-image-signed_5.0.0-12A~4.4.0.202007231029.dsc
@@ -1,6 +1,10 @@
-5.0.0-11A~4.4.0.202006171143 [Wed, 17 Jun 2020 11:43:04 +0200] Univention builddaemon <buildd@univention.de>:
+5.0.0-12A~4.4.0.202007231029 [Thu, 23 Jul 2020 10:29:58 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+5.0.0-12 [Thu, 23 Jul 2020 10:28:28 +0200] Philipp Hahn <hahn@univention.de>:
+
+  * Bug #51702: Update to linux-4.9.228-1
 
 5.0.0-11 [Wed, 17 Jun 2020 11:30:09 +0200] Philipp Hahn <hahn@univention.de>:
 

<http://10.200.17.11/4.4-5/#929156092278504870>

Comment 3 Philipp Hahn

2020-07-23 16:43:35 CEST

OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 ABI change lead to new package names

OK: apt install -t apt univention-kernel-image
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ hdmi1
OK: i386 @ kvm
OK: uname -a
OK: dmesg -H
OK: ./linux-dmesg-norm -a
OK: YAML
OK: announce-errata -V

[4.4-5] cf73bb4b7e Bug #51702: linux 4.9.228-1
 doc/errata/staging/linux.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[4.4-5] 71a30fbe7c Bug #51702: Update to linux-4.9.0-13
 doc/errata/staging/linux.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

[4.4-5] 8a454c2a41 Bug #51702: linux 4.9.228-1
 doc/errata/staging/linux.yaml | 50 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

Comment 4 Erik Damrose

2020-07-29 16:50:36 CEST

<https://errata.software-univention.de/#/?erratum=4.4x680>
<https://errata.software-univention.de/#/?erratum=4.4x681>
<https://errata.software-univention.de/#/?erratum=4.4x682>