Univention Bugzilla – Bug 36969
linux: Multiple security issues (4.0)
Last modified: 2017-10-26 13:54:48 CEST
The following vulnerabilities affect the 3.16.5 kernel in UCS 4.0:
- Denial of service in handling of MSR registers in KVM (CVE-2014-3610)
- Race condition in the PIT handler in KVM (CVE-2014-3611)
- Denial of service in KVM instruction emulation (CVE-2014-3647)
- Denial of service in VMX handling in KVM (CVE-2014-3645, CVE-2014-3646)
- Three denial of service vulnerabilities in SCTP (CVE-2014-3673, CVE-2014-3687, CVE-2014-3688)
- Denial of service in the VMX handling in KVM (CVE-2014-3690)
- Denial of service in the dcache in the fs layer (CVE-2014-8559)
- Local denial of service in syscall perf profiling (CVE-2014-7825)
- Privilege escalation in ftrace syscall tracing (CVE-2014-7826)
- Denial of service in SCTP (CVE-2014-7841)
- Denial of service in KVM (CVE-2014-7842)
- Denial of service in VFS and user namespaces (CVE-2014-7970)
- Denial of service in umount() and user namespaces (CVE-2014-7975)
- Race condition in ext4 permission handling (CVE-2014-8086)
- Buffer overflow in ttusb-dec (CVE-2014-8884)
- User namespaces can bypass group-based restrictions (CVE-2014-8989)

UCS 3.2.x is not affected by CVE-2014-7970, CVE-2014-7975 and CVE-2014-8989; user namespaces are only usable starting with Linux 3.12.
Denial of service in amd64 register handling (CVE-2014-9090)
(In reply to Moritz Muehlenhoff from comment #1)
> Denial of service in amd64 register handling (CVE-2014-9090)

A different code path in fault handling allows privilege escalation (CVE-2014-9322).
For now we will add the 3.16.x stable kernel updates instead of updating to a more recent version of the "linux" source package in Debian. The later versions contain some packaging changes, like a rename of the 486 flavour, and most of the other changes are not relevant for UCS:
- Many changes only affect armhf, ppc64, mips, hppa or arm64
- Backports/bugfixes with desktop focus (e.g. Apple Thunderbolt backport, iwlwifi, DRM)
- Xen Netback changes were backported (UCS 4.0 no longer supports Xen Dom0)
- Backport r8723au (only a staging driver)
Three issues remain unfixed; they have been moved to Bug 37385.
The kernel has been updated to 3.16.7-ckt2 with additional fixes for CVE-2014-9090/CVE-2014-9322. The new kernel has been signed by Janek. Tests on hardware (installing a basesystem in KVM) and as a KVM guest were successful. YAML files: 2014-12-18-linux.yaml and 2014-12-18-univention-kernel-image.yaml
Tests (KVM, UEFI, SecureBoot): OK
Advisories:
- 2014-12-18-linux.yaml: OK
- 2014-12-18-univention-kernel-image.yaml: OK
- 2014-12-18-univention-kernel-image-signed.yaml: OK
http://errata.univention.de/ucs/4.0/14.html
http://errata.univention.de/ucs/4.0/15.html
http://errata.univention.de/ucs/4.0/16.html