Univention Bugzilla – Bug 54529
linux: Multiple issues (4.4)
Last modified: 2022-03-16 14:14:02 CET
New Debian linux 4.9.303-1 fixes:

This updates the Linux kernel to version 4.9.303, which addresses (among others) the following security issues:

* Bluetooth: sco: Fix `lock_sock()` blockage by `memcpy_from_msg()` (CVE-2021-3640)
* Bluetooth: fix use-after-free error in `lock_sock_nested()` (CVE-2021-3752)
* hugetlbfs: flush TLBs correctly after `huge_pmd_unshare()` (CVE-2021-4002)
* fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)
* xfs: map unwritten blocks in `XFS_IOC_{ALLOC,FREE}SP` just like `fallocate()` (CVE-2021-4155)
* NFC: reorganize the functions in `nci_request()` (CVE-2021-4202)
* NFC: add `NCI_UNREG` flag to eliminate the race (CVE-2021-4202)
* xen/blkfront: harden `blkfront` against event channel storms (CVE-2021-28711)
* xen/netfront: harden `netfront` against event channel storms (CVE-2021-28712)
* xen/console: harden `hvc_xen` against event channel storms (CVE-2021-28713)
* xen/netback: fix rx queue stall detection (CVE-2021-28714)
* xen/netback: don't queue unlimited number of packages (CVE-2021-28715)
* gianfar: fix jumbo packets+napi+rx overrun crash (CVE-2021-29264)
* cipso,calipso: resolve a number of problems with the DOI reference counts (CVE-2021-33033)
* USB: gadget: detect too-big endpoint 0 requests (CVE-2021-39685)
* USB: gadget: zero allocate endpoint 0 buffers (CVE-2021-39685)
* mwifiex: Fix `skb_over_panic` in `mwifiex_usb_recv()` (CVE-2021-43976)
* phonet: refcount leak in `pep_sock_accep` (CVE-2021-45095)
* Mitigate Spectre v2-type Branch History Buffer attacks (CVE-2022-0001, CVE-2022-0002)
* [x86] drm/i915: Flush TLBs before releasing backing store (CVE-2022-0330)
* tipc: improve size validations for received domain records (CVE-2022-0435)
* moxart: fix potential use-after-free on remove path (CVE-2022-0487)
* cgroup-v1: Require capabilities to set release_agent (CVE-2022-0492)
* udf: Restore `i_lenAlloc` when inode expansion fails (CVE-2022-0617)
* udf: Fix NULL pointer de-reference when converting from inline format (CVE-2022-0617)
* NFSv4: Handle case where the lookup of a directory fails (CVE-2022-24448)
* USB: gadget: validate interface OS descriptor requests (CVE-2022-25258)
* usb: gadget: rndis: check size of `RNDIS_MSG_SET` command (CVE-2022-25375)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/univention-kernel-image_12.0.0-9A~4.4.0.202112211012.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/univention-kernel-image_12.0.0-10A~4.4.0.202203091957.dsc @@ -1,6 +1,10 @@ -12.0.0-9A~4.4.0.202112211012 [Tue, 21 Dec 2021 10:12:35 +0100] Univention builddaemon <buildd@univention.de>: +12.0.0-10A~4.4.0.202203091957 [Wed, 09 Mar 2022 19:57:17 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.0-10 [Wed, 09 Mar 2022 18:44:06 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #54529: Update to linux-4.9.303-1 (linux-image-4.9.0-18) 12.0.0-9 [Tue, 21 Dec 2021 09:47:45 +0100] Philipp Hahn <hahn@univention.de>: <http://piuparts.knut.univention.de/4.4-8/#5411118007789847117>
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/linux-latest_80+deb9u15.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/linux-latest_80+deb9u16.dsc @@ -1,3 +1,8 @@ +80+deb9u16 [Mon, 07 Mar 2022 22:38:56 +0100] Ben Hutchings <benh@debian.org>: + + * Update to 4.9.0-18 + * linux-image: Add NEWS for unprivileged eBPF change + 80+deb9u15 [Wed, 15 Dec 2021 23:32:39 +0100] Ben Hutchings <benh@debian.org>: * Update to 4.9.0-17 <http://piuparts.knut.univention.de/4.4-8/#5411118007789847117>
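Review bot: the added 80+deb9u16 entry "linux-image: Add NEWS for unprivileged eBPF change" announces a behaviour change, but the erratum description at the top of this bug lists only CVE fixes. The linux_4.9.303-1 changelog in this same update carries "bpf: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)", so I suggest adding a line to the erratum text stating that unprivileged eBPF is now disabled by default, so that administrators who depend on it see the change before upgrading.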
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/univention-kernel-image-signed_5.0.0-19A~4.4.0.202112211004.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/univention-kernel-image-signed_5.0.0-20A~4.4.0.202203091848.dsc @@ -1,6 +1,10 @@ -5.0.0-19A~4.4.0.202112211004 [Tue, 21 Dec 2021 10:04:00 +0100] Univention builddaemon <buildd@univention.de>: +5.0.0-20A~4.4.0.202203091848 [Wed, 09 Mar 2022 18:48:20 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.0-20 [Wed, 09 Mar 2022 18:40:32 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #54529: Update to linux-4.9.303-1 5.0.0-19 [Tue, 21 Dec 2021 09:58:51 +0100] Philipp Hahn <hahn@univention.de>: <http://piuparts.knut.univention.de/4.4-8/#5411118007789847117>
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/linux_4.9.290-1.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/linux_4.9.303-1.dsc 
@@ -1,3 +1,598 @@ +4.9.303-1 [Mon, 07 Mar 2022 22:15:53 +0100] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.291 + - xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good + delay + - Input: elantench - fix misreporting trackpoint coordinates + - [x86] Input: i8042 - Add quirk for Fujitsu Lifebook T725 + - ocfs2: fix data corruption on truncate + - [arm64,armhf] mmc: dw_mmc: Dont wait for DRTO on Write RSP error + - [x86] media: ite-cir: IR receiver stop working after receive overflow + - ALSA: ua101: fix division by zero at probe + - ALSA: 6fire: fix control and bulk message timeouts + - ALSA: line6: fix control and interrupt message timeouts + - [x86] ALSA: synth: missing check for possible NULL after the call to + kstrdup + - ALSA: timer: Fix use-after-free problem + - ALSA: timer: Unconditionally unlink slave instances, too + - [x86] irq: Ensure PI wakeup handler is unregistered before module unload + - sfc: Don't use netif_info before net_device setup + - bpf: Prevent increasing bpf_jit_limit above max + - xen/netfront: stop tx queues during live migration + - [armhf] spi: spl022: fix Microwire full duplex mode + - [armhf] watchdog: Fix OMAP watchdog early handling + - [x86] vmxnet3: do not stop tx queues after netif_device_detach() + - btrfs: fix lost error handling when replaying directory deletes + - [armhf] regulator: s5m8767: do not use reset value as DVS voltage if GPIO + DVS is disabled + - [amd64] EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell + - mwifiex: fix division by zero in fw download path + - ath6kl: fix division by zero in send path + - ath6kl: fix control-message timeout + - PCI: Mark Atheros QCA6174 to avoid bus reset + - rtl8187: fix control-message timeouts + - [arm64] wcn36xx: Fix HT40 capability for 2Ghz band + - mwifiex: Read a PCI register after writing the TX ring write pointer + - [arm64] wcn36xx: handle connection 
loss indication + - RDMA/qedr: Fix NULL deref for query_qp on the GSI QP + - signal: Remove the bogus sigkill_pending in ptrace_stop + - ALSA: mixer: oss: Fix racy access to slots + - ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume + - [arm64] PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG + - quota: check block number when reading the block in quota file + - quota: correct error number in free_dqentry() + - USB: serial: keyspan: fix memleak on probe errors + - USB: iowarrior: fix control-message timeouts + - Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() + (CVE-2021-3640) + - Bluetooth: fix use-after-free error in lock_sock_nested() (CVE-2021-3752) + - [x86] platform/x86: wmi: do not fail if disabling fails + - [amd64] Increase exception stack sizes + - media: netup_unidvb: handle interrupt properly according to the firmware + - media: uvcvideo: Set capability in s_param + - media: mceusb: return without resubmitting URB in case of -EPROTO error. + - ACPICA: Avoid evaluating methods too early during system resume + - media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() + - tracefs: Have tracefs directories not set OTH permission bits by default + - ath: dfs_pattern_detector: Fix possible null-pointer dereference in + channel_detector_create() + - [x86] ACPI: battery: Accept charges over the design capacity as full + - memstick: r592: Fix a UAF bug when removing the driver + - lib/xz: Avoid overlapping memcpy() with invalid input with in-place + decompression + - lib/xz: Validate the value before assigning it to an enum variable + - mwl8k: Fix use-after-free in mwl8k_fw_state_machine() + - PM: hibernate: Get block device exclusively in swsusp_check() + - iwlwifi: mvm: disable RX-diversity in powersave + - cgroup: Make rebind_subsystems() disable v2 controllers all at once + - media: dvb-usb: fix ununit-value in az6027_rc_query + - media: si470x: Avoid card name truncation + - cpuidle: Fix kobject memory leaks in 
error paths + - ath9k: Fix potential interrupt storm on queue reset + - [x86] crypto: qat - detect PFVF collision after ACK + - [x86] crypto: qat - disregard spurious PFVF interrupts + - b43legacy: fix a lower bounds test + - b43: fix a lower bounds test + - memstick: avoid out-of-range warning + - memstick: jmb38x_ms: use appropriate free function in + jmb38x_ms_alloc_host() + - hwmon: Fix possible memleak in __hwmon_device_register() + - ath10k: fix max antenna gain unit + - [arm64] drm/msm: uninitialized variable in msm_gem_import() + - net: stream: don't purge sk_error_queue in sk_stream_kill_queues() + - mwifiex: Send DELBA requests according to spec + - phy: micrel: ksz8041nl: do not use power down mode + - libertas_tf: Fix possible memory leak in probe and disconnect + - libertas: Fix possible memory leak in probe and disconnect + - crypto: pcrypt - Delay write to padata->info + - RDMA/rxe: Fix wrong port_cap_flags + - [x86] scsi: dc395: Fix error case unwinding + - JFS: fix memleak in jfs_mount + - [armhf] dts: omap3-gta04a4: accelerometer irq fix + - [arm64,armhf] soc/tegra: Fix an error handling path in + tegra_powergate_power_up() + - serial: 8250_dw: Drop wrong use of ACPI_PTR() + - usb: gadget: hid: fix error code in do_config() + - scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() + - RDMA/mlx4: Return missed an error if device doesn't support steering + - [arm64] serial: xilinx_uartps: Fix race condition causing stuck TX + - [arm64,armhf] power: supply: bq27xxx: Fix kernel crash on IRQ handler + register error + - pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds + - drm/plane-helper: fix uninitialized variable reference + - [arm64] PCI: aardvark: Don't spam about PIO Response Status + - [arm64] mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() + - netfilter: nfnetlink_queue: fix OOB when mac header was cleared + - dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` + - [x86] watchdog: 
f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT + - scsi: qla2xxx: Turn off target reset during issue_lip + - xen-pciback: Fix return in pm_ctrl_init() + - [armhf] net: davinci_emac: Fix interrupt pacing disable + - bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed + - mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and + zs_unregister_migration() + - llc: fix out-of-bound array index in llc_sk_dev_hash() + - nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails + - vsock: prevent unnecessary refcnt inc for nonblocking connect + - [arm64,armhf] USB: chipidea: fix interrupt deadlock + - mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks + - mm, oom: do not trigger out_of_memory from the #PF + - PCI/MSI: Destroy sysfs before freeing entries + - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() + - [armhf] usb: musb: tusb6010: check return value after calling + platform_get_resource() + - scsi: advansys: Fix kernel pointer leak + - [armhf] dts: omap: fix gpmc,mux-add-data type + - tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc + - scsi: target: Fix ordered tag handling + - scsi: target: Fix alua_tg_pt_gps_count tracking + - [i386] ALSA: gus: fix null pointer dereference on pointer block + - sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() + - net: bnx2x: fix variable dereferenced before check + - iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset + - [x86] platform/x86: hp_accel: Fix an error handling path in + 'lis3lv02d_probe()' + - NFC: reorganize the functions in nci_request (CVE-2021-4202) + - NFC: reorder the logic in nfc_{un,}register_device + - [x86] perf/x86/intel/uncore: Fix filter_tid mask for CHA events on + Skylake Server + - [x86] perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server + - tun: fix bonding active backup with arp monitoring + - btrfs: fix memory ordering between normal and ordered work 
functions + - cfg80211: call cfg80211_stop_ap when switch from P2P_GO type + - drm/udl: fix control-message timeout + - drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga + and dvi connectors + - batman-adv: Keep fragments equally sized + - batman-adv: Fix own OGM check in aggregated OGMs + - batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN + - batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh + - batman-adv: Consider fragmentation for needed_headroom + - batman-adv: Reserve needed_*room for fragments + - batman-adv: Don't always reallocate the fragmentation skb head + - ASoC: DAPM: Cover regression by kctl change notification fix + - [arm64,armhf] soc/tegra: pmc: Fix imbalanced clock disabling in error + code path + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.292 + - USB: serial: option: add Telit LE910S1 0x9200 composition + - USB: serial: option: add Fibocom FM101-GL variants + - usb: hub: Fix usb enumeration issue due to address0 race + - usb: hub: Fix locking issues with address0_mutex + - ALSA: ctxfi: Fix out-of-range access + - [x86] staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() + - fuse: fix page stealing + - xen: don't continue xenstore initialization in case of errors + - xen: detect uninitialized xenbus in xenbus_init + - tracing: Fix pid filtering when triggers are attached + - ASoC: topology: Add missing rwsem around snd_ctl_remove() calls + - net: ieee802154: handle iftypes as u32 + - NFSv42: Don't fail clone() unless the OP_CLONE operation failed + - [armhf] socfpga: Fix crash with CONFIG_FORTIRY_SOURCE + - scsi: mpt3sas: Fix kernel panic during drive powercycle test + - [arm64,armhf]] drm/vc4: fix error code in vc4_create_object() + - PM: hibernate: use correct mode for swsusp_close() + - tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited + flows + - tracing: Check pid filtering when creating events + - hugetlbfs: flush TLBs 
correctly after huge_pmd_unshare (CVE-2021-4002) + - vhost/vsock: fix incorrect used length reported to the guest + - proc/vmcore: fix clearing user buffer by properly using clear_user() + - NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202) + - fuse: release pipe buf after last use + - xen: sync include/xen/interface/io/ring.h with Xen's newest version + - xen/blkfront: read response from backend only once + - xen/blkfront: don't take local copy of a request from the ring page + - xen/blkfront: don't trust the backend response data blindly + - xen/netfront: read response from backend only once + - xen/netfront: don't read data from request on the ring page + - xen/netfront: disentangle tx_skb_freelist + - xen/netfront: don't trust the backend response data blindly + - tty: hvc: replace BUG_ON() with negative return value + - shm: extend forced shm destroy to support objects from several IPC nses + - NFSv42: Fix pagecache invalidation after COPY/CLONE + - hugetlb: take PMD sharing into account when flushing tlb/caches + - net: return correct error code + - [x86] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after + S3 deep + - thermal: core: Reset previous low and high trip during thermal zone init + - scsi: iscsi: Unblock session then wake up error handler + - [arm64] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array + overflow in hns_dsaf_ge_srst_by_port() + - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit + - kprobes: Limit max data_size of the kretprobe instances + - fs: add fget_many() and fput_many() + - fget: check that the fd still exists after getting a ref to it + (CVE-2021-4083) + - net: qlogic: qlcnic: Fix a NULL pointer dereference in + qlcnic_83xx_add_rings() + - [armel,armhf] siphash: use _unaligned version by default + - net/rds: correct socket tunable error in rds_tcp_tune() + - [x86] vgacon: Propagate console boot parameters before calling `vc_resize' + - [arm64] tty: serial: msm_serial: 
Deactivate RX DMA for polling support + - [arm64] serial: pl011: Add ACPI SBSA UART match id + - serial: core: fix transmit-buffer reset and memleak + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.293 + - HID: wacom: fix problems when device is not a valid USB device + - HID: check for valid USB device for many HID drivers + - [x86] can: sja1000: fix use after free in ems_pcmcia_add_card() + - nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done + - [amd64] IB/hfi1: Correct guard on eager buffer deallocation + - mm: bdi: initialize bdi_min_ratio when bdi is unregistered + - ALSA: ctl: Fix copy of updated id with element read/write + - ALSA: pcm: oss: Fix negative period/buffer sizes + - ALSA: pcm: oss: Limit the period size to 16MB + - ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() + - tracefs: Have new files inherit the ownership of their parent + - [i386] can: pch_can: pch_can_rx_normal: fix use after free + - libata: add horkage for ASMedia 1092 + - wait: add wake_up_pollfree() + - signalfd: use wake_up_pollfree() + - tracefs: Set all files to the same group ownership as the mount option + - block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) + - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero + - [armhf] net: fec: only clear interrupt of handling queue in + fec_enet_rx_queue() + - net, neigh: clear whole pneigh_entry at alloc time + - net/qla3xxx: fix an error code in ql_adapter_up() + - USB: gadget: detect too-big endpoint 0 requests (CVE-2021-39685) + - USB: gadget: zero allocate endpoint 0 buffers (CVE-2021-39685) + - usb: core: config: fix validation of wMaxPacketValue entries + - usb: core: config: using bit mask instead of individual bits + - [armhf] iio: mma8452: Fix trigger reference couting + - [x86] iio: accel: kxcjk-1013: Fix possible memory leak in probe and + remove + - [armhf] irqchip/armada-370-xp: Fix return value of + armada_370_xp_msi_alloc() + - [armhf] irqchip/armada-370-xp: Fix 
support for Multi-MSI interrupts + - [arm64] irqchip/irq-gic-v3-its.c: Force synchronisation when issuing + INVALL + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.294 + - nfc: fix segfault in nfc_genl_dump_devices_done + - net/mlx4_en: Update reported link modes for 1/10G + - [armhf] i2c: rk3x: Handle a spurious start completion interrupt flag + - net: netlink: af_netlink: Prevent empty skb by adding a check on len. + - tracing: Fix a kmemleak false positive in tracing_map + - [x86] hwmon: (dell-smm) Fix warning on /proc/i8k creation error + - mac80211: send ADDBA requests using the tid/queue of the aggregation + session + - dm btree remove: fix use after free in rebalance_children() + - nfsd: fix use-after-free due to delegation race + - [arm64,armhf] soc/tegra: fuse: Fix bitwise vs. logical OR warning + - igbvf: fix double free in `igbvf_probe` + - ixgbe: set X550 MDIO speed before talking to PHY + - USB: gadget: bRequestType is a bitfield, not a enum + - PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error + - USB: serial: option: add Telit FN990 compositions + - timekeeping: Really make sure wall_to_monotonic isn't positive + - fuse: annotate lock in fuse_reverse_inval_entry() + - scsi: scsi_debug: Sanity check block descriptor length in + resp_mode_select() + - net: lan78xx: Avoid unnecessary self assignment + - [armel] 8805/2: remove unneeded naked function usage + - xen/blkfront: harden blkfront against event channel storms + (CVE-2021-28711) + - xen/netfront: harden netfront against event channel storms + (CVE-2021-28712) + - xen/console: harden hvc_xen against event channel storms (CVE-2021-28713) + - xen/netback: fix rx queue stall detection (CVE-2021-28714) + - xen/netback: don't queue unlimited number of packages (CVE-2021-28715) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.295 + - net: usb: lan78xx: add Allied Telesis AT29M2-AF + - can: kvaser_usb: get CAN clock frequency from device + - HID: holtek: fix mouse probing + - 
[amd64,arm64] IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() + - qlcnic: potential dereference null pointer of rx_queue->page_ring + - bonding: fix ad_actor_system option setting to default + - [amd64] fjes: Check for error irq + - [armhf] drivers: net: smc911x: Check for error irq + - [x86] hwmon: (lm90) Fix usage of CONFIG2 register in detect function + - ALSA: jack: Check the return value of kstrdup() + - ALSA: drivers: opl3: Fix incorrect use of vp->state + - [amd64] pkey: Fix undefined behaviour with PKRU_WD_BIT + - [armel,armhf] 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling + - [x86] hwmon: (lm90) Do not report 'busy' status bit as alarm + - ax25: NPD bug when detaching AX25 device + - hamradio: defer ax25 kfree after unregister_netdev + - hamradio: improve the incomplete fix to avoid NPD + - phonet/pep: refuse to enable an unbound pipe + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.296 + - [x86] platform/x86: apple-gmux: use resource_size() with res + - selinux: initialize proto variable in selinux_ip_postroute_compat() + - nfc: uapi: use kernel size_t to fix user-space builds + - uapi: fix linux/nfc.h userspace compilation errors + - xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. + - usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. 
+ - [x86] scsi: vmw_pvscsi: Set residual data length conditionally + - Input: appletouch - initialize work before device registration + - Input: spaceball - fix parsing of movement data packets + - net: fix use-after-free in tw_timer_handler + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.297 + - Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models + - tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() + - tracing: Tag trace_percpu_buffer as a percpu pointer + - virtio_pci: Support surprise removal of virtio pci device + - ieee802154: atusb: fix uninit value in atusb_set_extended_addr + - mac80211: initialize variable have_higher_than_11mbit + - i40e: Fix incorrect netdev's real number of RX/TX queues + - sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc + - xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate + (CVE-2021-4155) + - rndis_host: support Hytera digital radios + - [arm64] reduce el2_setup branching + - [arm64] move !VHE work to end of el2_setup + - [arm64] sysreg: Move to use definitions for all the SCTLR bits + - phonet: refcount leak in pep_sock_accep (CVE-2021-45095) + - scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() + - ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate + - net: udp: fix alignment problem in udp4_seq_show() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.298 + - Bluetooth: bfusb: fix division by zero in send path + - USB: core: Fix bug in resuming hub's handling of wakeup requests + - USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status + - [x86] mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() + - can: gs_usb: fix use of uninitialized variable, detach device on + reception of invalid USB data + - can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} + - random: fix data race on crng_node_pool + - random: fix data race on crng init time + - media: uvcvideo: fix 
division by zero at stream start + - rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with + interrupts enabled + - HID: uhid: Fix worker destroying device without any protection + - HID: wacom: Avoid using stale array indicies to read contact count + - nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed + bind() + - rtc: cmos: take rtc_lock while reading from CMOS + - media: flexcop-usb: fix control-message timeouts + - media: mceusb: fix control-message timeouts + - media: em28xx: fix control-message timeouts + - media: cpia2: fix control-message timeouts + - media: s2255: fix control-message timeouts + - media: dib0700: fix undefined behavior in tuner shutdown + - media: redrat3: fix control-message timeouts + - media: pvrusb2: fix control-message timeouts + - media: stk1160: fix control-message timeouts + - [x86] can: softing_cs: softingcs_probe(): fix memleak on registration + failure + - PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller + - shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode + - Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails + - [arm64] wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND + - Bluetooth: stop proccessing malicious adv data + - media: dmxdev: fix UAF when dvb_register_device() fails + - [arm64] crypto: qce - fix uaf on qce_ahash_register_one + - netfilter: bridge: add support for pppoe filtering + - [arm64] dts: qcom: msm8916: fix MMC controller aliases + - drm/amdgpu: Fix a NULL pointer dereference in + amdgpu_connector_lcd_native_mode() + - drm/radeon/radeon_kms: Fix a NULL pointer dereference in + radeon_driver_open_kms() + - [arm64,armhf] serial: amba-pl011: do not request memory region twice + - [x86] floppy: Fix hang in watchdog when disk is ejected + - media: dib8000: Fix a memleak in dib8000_init() + - media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() + - media: si2157: Fix "warm" tuner 
state detection + - media: msi001: fix possible null-ptr-deref in msi001_probe() + - usb: ftdi-elan: fix memory leak on device disconnect + - [x86] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + __nonstatic_find_io_region() + - [x86] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + nonstatic_find_mem_region() + - ppp: ensure minimum packet size in ppp_write() + - [arm64] spi: spi-meson-spifc: Add missing pm_runtime_disable() in + meson_spifc_probe + - can: softing: softing_startstop(): fix set but not used variable warning + - [x86] pcmcia: fix setting of kthread task states + - net: mcs7830: handle usb read errors properly + - ext4: avoid trim error on fs with small groups + - ALSA: jack: Add missing rwsem around snd_ctl_remove() calls + - ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls + - ALSA: hda: Add missing rwsem around snd_ctl_remove() calls + - ALSA: oss: fix compile error when OSS_DEBUG is enabled + - [x86] char/mwave: Adjust io port register size + - scsi: ufs: Fix race conditions related to driver data + - RDMA/core: Let ib_find_gid() continue search even after empty entry + - RDMA/cxgb4: Set queue pair state when being queried + - Bluetooth: Fix debugfs entry leak in hci_register_dev() + - fs: dlm: filter user dlm messages for kernel locks + - ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply + - usb: gadget: f_fs: Use stream_open() for endpoint files + - HID: apple: Do not reset quirks when the Fn key is not found + - media: b2c2: Add missing check in flexcop_pci_isr: + - gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use + - HSI: core: Fix return freed object in hsi_new_client + - mwifiex: Fix skb_over_panic in mwifiex_usb_recv() (CVE-2021-43976) + - [x86] floppy: Add max size check for user space request + - media: saa7146: hexium_orion: Fix a NULL pointer dereference in + hexium_attach() + - media: m920x: don't use stack on USB reads + - iwlwifi: mvm: synchronize with FW after 
multicast commands + - ath10k: Fix tx hanging + - media: igorplugusb: receiver overflow should be reported + - media: saa7146: hexium_gemini: Fix a NULL pointer dereference in + hexium_attach() + - usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 + - ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream + - jffs2: GC deadlock reading a page that is used in jffs2_write_begin() + - ACPICA: Utilities: Avoid deleting the same object twice in a row + - ACPICA: Executer: Fix the REFCLASS_REFOF case in + acpi_ex_opcode_1A_0T_1R() + - btrfs: remove BUG_ON() in find_parent_nodes() + - btrfs: remove BUG_ON(!eie) in find_parent_nodes + - net: mdio: Demote probed message to debug print + - dm btree: add a defensive bounds check to insert_at() + - dm space map common: add bounds check to sm_ll_lookup_bitmap() + - [arm64,armhf] serial: pl010: Drop CR register reset on set_termios + - serial: core: Keep mctrl register state and cached copy in sync + - [x86] i2c: i801: Don't silently correct invalid transfer size + - ALSA: seq: Set upper limit of processed events + - [x86] i2c: designware-pci: Fix to change data types of hcnt and lcnt + parameters + - scsi: sr: Don't use GFP_DMA + - ubifs: Error path in ubifs_remount_rw() seems to wrongly free write + buffers + - iwlwifi: mvm: Increase the scan timeout guard to 30 seconds + - ext4: set csum seed in tmp inode while migrating to extents + - ext4: Fix BUG_ON in ext4_bread when write quota data + - ext4: don't use the orphan list when migrating an inode + - drm/radeon: fix error handling in radeon_driver_open_kms + - RDMA/rxe: Fix a typo in opcode name + - af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress + - netns: add schedule point in ops_exit_list() + - libcxgb: Don't accidentally set RTO_ONLINK in cxgb_find_route() + - net_sched: restore "mpu xxx" handling + - gianfar: simplify FCS handling and fix memory leak + - gianfar: fix jumbo packets+napi+rx overrun crash (CVE-2021-29264) + 
- cipso,calipso: resolve a number of problems with the DOI refcounts + (CVE-2021-33033) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.299 + - [x86] drm/i915: Flush TLBs before releasing backing store + (CVE-2022-0330) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.300 + - can: bcm: fix UAF of bcm op + - Bluetooth: refactor malicious adv data check + - udf: Restore i_lenAlloc when inode expansion fails (CVE-2022-0617) + - udf: Fix NULL ptr deref when converting from inline format + (CVE-2022-0617) + - PM: wakeup: simplify the output logic of pm_show_wakelocks() + - tty: n_gsm: fix SW flow control encoding/handling + - tty: Add support for Brainboxes UC cards. + - usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge + - usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS + - USB: core: Fix hang in usb_kill_urb by adding memory barriers + - scsi: bnx2fc: Flush destroy_work queue before calling + bnx2fc_interface_put() + - ipv6_tunnel: Rate limit warning messages + - net: fix information leakage in /proc/net/ptype + - ipv4: avoid using shared IP generator for connected sockets + - NFSv4: Handle case where the lookup of a directory fails (CVE-2022-24448) + - NFSv4: nfs_atomic_open() can race when looking up a non-regular file + - net-procfs: show net devices bound packet types + - [arm64] drm/msm: Fix wrong size calculation + - [x86] hwmon: (lm90) Reduce maximum conversion rate for G781 + - ipv4: raw: lock the socket in raw_bind() + - ipv4: tcp: send zero IPID in SYNACK messages + - netfilter: nat: remove l4 protocol port rovers + - netfilter: nat: limit port clash resolution attempts + - ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback + - [arm64] net: amd-xgbe: ensure to reset the tx_timer_active flag + - [arm64] net: amd-xgbe: Fix skb data length underflow + - rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() + - af_packet: fix data-race in packet_setsockopt / packet_setsockopt + - ASoC: ops: 
Reject out of bounds values in snd_soc_put_volsw() + - ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() + - ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() + - drm/nouveau: fix off by one in BIOS boundary checking + - [amd64] iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() + - net: ieee802154: Return meaningful error codes from the netlink helpers + - net: macsec: Verify that send_sci is on when setting Tx sci explicitly + - [armhf] ASoC: fsl: Add missing error handling in pcm030_fabric_probe + - scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe + - nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client. + - rtc: cmos: Evaluate century appropriate + - [arm64] EDAC/xgene: Fix deferred probing + - ext4: fix error handling in ext4_restore_inline_data() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.301 + - cgroup-v1: Require capabilities to set release_agent (CVE-2022-0492) + - moxart: fix potential use-after-free on remove path (CVE-2022-0487) + - tipc: improve size validations for received domain records + (CVE-2022-0435) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.302 + - integrity: check the return value of audit_log_start() + - ima: Remove ima_policy file before directory + - NFS: Fix initialisation of nfs_client cl_flags field + - NFSD: Clamp WRITE offsets + - [x86] Input: i8042 - Fix misplaced backport of "add ASUS Zenbook Flip to + noselftest list" + - ALSA: line6: Fix misplaced backport of "Fix wrong altsetting for + LINE6_PODHD500_1" + - Revert "net: axienet: Wait for PhyRstCmplt after core reset" + - NFSv4 only print the label when its queried + - nfs: nfs4clinet: check the return value of kstrdup() + - NFSv4 remove zero number of fs_locations entries error check + - scsi: target: iscsi: Make sure the np under each tpg is unique + - [arm64,armhf] usb: dwc2: gadget: don't try to disable ep0 in + dwc2_hsotg_suspend + - [armhf] dts: imx6qdl-udoo: Properly describe the SD card 
detect + - bonding: pair enable_port with slave_arr_updates + - ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure + path + - net: do not keep the dst cache when uncloning an skb dst and its metadata + - net: fix a memleak when uncloning an skb dst and its metadata + - tipc: rate limit warning for received illegal binding update + - vt_ioctl: fix array_index_nospec in vt_setactivate + - vt_ioctl: add array_index_nospec to VT_ACTIVATE + - bpf: Add kconfig knob for disabling unpriv bpf by default + - n_tty: wake up poll(POLLRDNORM) on receiving data + - [arm64,armhf] usb: dwc3: gadget: Prevent core from processing stale TRBs + - USB: gadget: validate interface OS descriptor requests (CVE-2022-25258) + - usb: gadget: rndis: check size of RNDIS_MSG_SET command (CVE-2022-25375) + - USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 + - USB: serial: option: add ZTE MF286D modem + - USB: serial: ch341: add support for GW Instek USB2.0-Serial devices + - USB: serial: cp210x: add NCR Retail IO box id + - USB: serial: cp210x: add CPI Bulk Coin Recycler id + - [x86] hwmon: (dell-smm) Speed up setting of fan speed + - HID: wacom: add USB_HID dependency + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.303 + - net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup + - btrfs: send: in case of IO error log it + - net: ieee802154: at86rf230: Stop leaking skb's + - ax25: improve the incomplete fix to avoid UAF and NPD bugs + - vfs: make freeze_super abort when sync_filesystem returns error + - quota: make dquot_quota_sync return errors from ->sync_fs + - drm/radeon: Fix backlight control on iMac 12,1 + - xfrm: Don't accidentally set RTO_ONLINK in decode_session4() + - taskstats: Cleanup the use of task->exit_code + - vsock: correct removal of socket from the list + - vsock: remove vsock from connected table when connect is interrupted by a + signal + - iwlwifi: pcie: fix locking when "HW not ready" + - drop_monitor: fix 
data-race in dropmon_net_event / trace_napi_poll_hit + - libsubcmd: Fix use-after-free for realloc(..., 0) + - ALSA: hda: Fix regression on forced probe mask option + - ALSA: hda: Fix missing codec probe on Shenker Dock 15 + - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() + - ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() + - NFS: LOOKUP_DIRECTORY is also ok with symlinks + - EDAC: Fix calculation of returned address and next offset in + edac_align_ptr() + - lib/iov_iter: initialize "flags" in new pipe_buffer + - [x86] KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW + - NFS: Do not report writeback errors in nfs_getattr() + - ata: libata-core: Disable TRIM on M88V29 + - tracing: Fix tp_printk option related with tp_printk_stop_on_boot + - net: usb: qmi_wwan: Add support for Dell DW5829e + + [ Ben Hutchings ] + * [rt] Update to 4.9.297-rt191 + * Bump ABI to 18 + * bpf: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411) + * [x86] Update retpoline implementation: + - x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC + variant + - x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support + - x86/retpoline: Remove minimal retpoline support + * Add Spectre documentation: + - Documentation: Add section about CPU vulnerabilities for Spectre + - Documentation: Add swapgs description to the Spectre v1 documentation + - Documentation: refer to config RANDOMIZE_BASE for kernel address-space + randomization + * Mitigate Spectre v2-type Branch History Buffer attacks (CVE-2022-0001, + CVE-2022-0002) + - [x86] speculation: Merge one test in spectre_v2_user_select_mitigation() + - [x86] bugs: Unconditionally allow spectre_v2=retpoline,amd + - [x86] speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE + - [x86] speculation: Add eIBRS + Retpoline options + - Documentation/hw-vuln: Update spectre doc + - [x86] speculation: Include unprivileged eBPF status in Spectre v2 + mitigation reporting + - [x86] 
speculation: Use generic retpoline by default on AMD + - [x86] speculation: Update link to AMD speculation whitepaper + - [x86] speculation: Warn about Spectre v2 LFENCE mitigation + - [x86] speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT + 4.9.290-1 [Sun, 12 Dec 2021 22:40:16 +0100] Ben Hutchings <benh@debian.org>: * New upstream stable update: <http://piuparts.knut.univention.de/4.4-8/#5411118007789847117>
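Review bot: near the end of the 4.9.303-1 entry, "Bump ABI to 18" and "bpf: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)" are behaviour changes rather than fixes, and they are easy to miss among the CVE items. The erratum text should name both explicitly: the ABI bump means a new kernel image package that out-of-tree modules must be rebuilt against, and unprivileged BPF being off by default affects anything that loads BPF programs without privileges. Since the same entry adds "[x86] speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting", the QA run should also record the Spectre v2 mitigation status the new kernel reports after boot.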
OK: apt install -t apt univention-kernel-image
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
OK: amd64 @ xenX
OK: i386 @ kvm
OK: uname -a
OK: dmesg -H
OK: ./linux-dmesg-norm -a
OK: YAML
OK: announce-errata -V
OK: Rebuild latest ISO with new D-I
<https://errata.software-univention.de/#/?erratum=4.4x1198>
<https://errata.software-univention.de/#/?erratum=4.4x1199>
<https://errata.software-univention.de/#/?erratum=4.4x1200>
<https://errata.software-univention.de/#/?erratum=4.4x1201>