Upstream Kernel version v3.10.107 fixes a couple of security issues compared to v3.10.105 (Bug #43602):

git log v3.10.105..v3.10.106
CVE-2017-6074: 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
CVE-2017-1000363: 3e21f4af170bebf47c187c1ff8bf155583c9f3b1
CVE-2017-8890: 657831ffc38e30092a2d5f03d385d710eb88b09a
CVE-2017-2636: 82f2341c94d270421f383641b7cd670e474db56b
CVE-2017-6353: dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
CVE-2017-5986: 2dcab598484185dea7ec22219c76dcdd59e3cb90
CVE-2016-7913: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
CVE-2017-2671: 43a6684519ab0a6c52024b5e25322476cabad893
CVE-2017-8069: 7926aff5c57b577ab0f43364ff0c59d968f6a414
CVE-2017-8068: 5593523f968bc86d42a035c6df47d5e0979b5ace
CVE-2017-8924: 654b404f2a222f918af9b0cd18ad469d0c941a8e
CVE-2016-2188: b7321e81fc369abe353cf094d4f0dc2fe11ab95f
CVE-2017-8925: 30572418b445d85fcfe6c8fe84c947d2606767d8
CVE-2017-6346: d199fab63c11998a602205f7ee7ff7c05c97164b
CVE-2017-5897: 7892032cfe67f4bde6fc2ee967e45a8fbaf33756
CVE-2017-5970: 34b2cef20f19c87999fff3da4071e66937db9644
CVE-2017-5549: 146cc8a17a3b4996f6805ee5c080e7101277c410
CVE-2017-7495: 06bd3c36a733ac27962fea7d6f47168841376824
CVE-2017-7472: c9f838d104fed6f2f61d68164712e3204bf5271b
CVE-2017-6951: c1644fe041ebaf6519f6809146a77c3ead9193af
CVE-2016-9604: ee8f844e3c5a73b999edf733df1c529d6503ec2f
CVE-2017-7184: f843ee6dd019bcece3e74e76ad9df0155655d0df
CVE-2017-7184: 677e806da4d916052585301785d847c3b3e6186a
CVE-2017-6214: ccf7abb93af09ad0868ae9033d1ca8108bdaec82
CVE-2017-2618: 0c461cb727d146c9ef2d3e86214f498b78b7d125
CVE-2016-8405: 2dc705a9930b4806250fbf5a76e55266e59389f2
CVE-2017-5551: 497de07d89c1410d76a15bec2bb41f24a2a89f31
CVE-2016-7097: 073931017b49d9458aa351605b43a7e34598caef
CVE-2017-2584: 129a72a0d3c8e139a04512325384fe5ac119e74d
CVE-2017-2583: 33ab91103b3415e12457e3104f0e4517ce12d0f3
CVE-2016-2085: 613317bd212c585c20796c10afe5daaa95d4b0a1
CVE-2016-8655: 84ac7260236a49c79eede91617700174c2c19b0c

git log v3.10.106..v3.10.107
CVE-2017-1000364: 1be7107fbe18eed3e319a6c3e83c78254b693acb
CVE-2016-3672: 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
CVE-2016-9588: ef85b67385436ddc1998f45f1d6a210f935b3388
CVE-2017-7645: e6838a29ecb484c97e4efef9429643b9851fba6e
CVE-2017-7308: bcc5364bdcfe131e6379363f089e7b4108d35b70
CVE-2017-7308: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
CVE-2017-8070: 2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478
CVE-2017-8067: c4baad50297d84bde1a7ad45e50c73adae4a2192
CVE-2017-7889: a4866aa812518ed1a37d8ea0c881dc946409de94
CVE-2017-7308: 2b6867c2ce76c596676bec7d2d525af525fdc6e2
CVE-2017-7616: cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
CVE-2017-7294: e7e11f99564222d82f0ce84bd521e57d78a6b678
CVE-2017-7261: 36274ab8c596f1240c606bb514da329add2a1bcd
CVE-2017-5669: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
CVE-2017-6348: 4c03b862b12f980456f9de92db6d508a4999b788
CVE-2015-8962: f3951a3709ff50990bf3e188c27d346792103432
CVE-2016-9083: 05692d7005a364add85c6e25a6c4447ce08f913a
CVE-2017-7273: 1ebb71143758f45dc0fa76e2f48429e13b16d110
CVE-2016-10088: 128394eff343fc6d2f32172f03e24829539c5835
CVE-2016-7911: 8ba8682107ee2ca3347354e018865d8e1967c5f4
CVE-2016-10208: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
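An added example (not part of the original report, and not Univention's tooling): one way to audit a "CVE: commit" list like the one in this report against a stable release's log, reporting CVEs whose fix is only partly present. It assumes the listed hashes are the mainline commit ids that stable backports cite in their messages ("commit <sha> upstream." or "[ Upstream commit <sha> ]"); the `git log` text, the stable-tree shas and the function names are constructed for illustration.

```python
import re

# Constructed sample in the flattened "CVE: sha" form used in this report.
SAMPLE_CVES = (
    "CVE-2017-7184: f843ee6dd019bcece3e74e76ad9df0155655d0df "
    "CVE-2017-7184: 677e806da4d916052585301785d847c3b3e6186a "
    "CVE-2017-6074: \n5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4"
)
# Constructed `git log` text; the stable-tree shas and subjects are placeholders.
SAMPLE_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    placeholder subject one

    commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    placeholder subject two

    [ Upstream commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 ]
"""

# \s* tolerates a line break between the CVE id and its hash.
PAIR_RE = re.compile(r"(CVE-\d{4}-\d{4,}):\s*([0-9a-f]{40})\b")
# The two ways a stable backport cites the mainline commit it was taken from.
UPSTREAM_RE = re.compile(
    r"^\s*commit\s+([0-9a-f]{40})\s+upstream\b"
    r"|\[\s*Upstream commit\s+([0-9a-f]{40})\s*\]",
    re.IGNORECASE | re.MULTILINE,
)

def parse_cve_list(text):
    """Return {cve: [sha, ...]}; one CVE may be fixed by several commits."""
    fixes = {}
    for cve, sha in PAIR_RE.findall(text):
        fixes.setdefault(cve, []).append(sha)
    return fixes

def upstream_refs(git_log_text):
    """Set of mainline shas cited anywhere in the given `git log` output."""
    return {a or b for a, b in UPSTREAM_RE.findall(git_log_text)}

def audit(cve_text, git_log_text):
    """Map each CVE to its listed commits that the log does NOT contain."""
    present = upstream_refs(git_log_text)
    return {cve: [s for s in shas if s not in present]
            for cve, shas in parse_cve_list(cve_text).items()}

if __name__ == "__main__":
    for cve, missing in sorted(audit(SAMPLE_CVES, SAMPLE_LOG).items()):
        print(cve, "complete" if not missing else "MISSING " + ", ".join(missing))
```

In real use the second argument would be the output of `git log v3.10.105..v3.10.107` from a stable tree checkout.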
Discussed with project TAM: We should ship this, rather than just Bug #43602.
r17664 | Bug #45244: linux-3.10.107

Package: linux
Version: 3.10.104-0.1.228.201709081326
Branch: ucs_3.2-0
Scope: extsec3.2

Package: univention-kernel-image
Version: 7.0.0-28.127.201709111629
Branch: ucs_3.2-0
Scope: extsec3.2

6b79e484fa linux.yaml univention-kernel-image.yaml
OK: zless /usr/share/doc/linux-image-3.10.0-ucs228-686-pae/changelog.Debian.gz
OK: diff <(~/bin/linux-dmesg-upgrade /tmp/3.10.0-ucs175-amd64) <(~/bin/linux-dmesg-upgrade /tmp/3.10.0-ucs228-amd64)
253a254
> 1 amd_nb: Cannot enumerate AMD northbridges
329d329
< 1 pci 0000:00:01.3: BAR 13: [io 0xb000-0xb03f] has bogus alignment
331c331
< 1 pci 0000:00:01.3: address space collision: [io 0xb000-0xb03f] conflicts with ACPI PM1a_EVT_BLK [??? 0x0000b000-0x0000b003 flags 0x80000000]
---
> 1 pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
OK: amd64@kvm i386@kvm
Ok, patches are identical to upstream:
* https://www.kernel.org/pub/linux/kernel/v3.x/incr/patch-3.10.105-106.xz
* https://www.kernel.org/pub/linux/kernel/v3.x/incr/patch-3.10.106-107.xz

Committed into svn/patches 2017-09-08 13:25:38 +0200, built as 3.10.104-0.1.228.201709081326 and changelog reflects this.
Meta-Package univention-kernel-image now depends on linux-image-3.10.0-ucs228-amd64 and both update fine.
Reboot ok (amd64), dmesg seems ok.

Now we need some kind of advisory for this.
https://git.knut.univention.de/arequate/extsec3.2
announce_errata can handle extsec3.2 since Bug #43369, so maybe <https://hutten.knut.univention.de/mediawiki/index.php/Extended-Security-Support#UCS_3.2> is out-of-date:

PYTHONPATH=~/misc/repo-ng/src ~/misc/repo-ng/announce/announce_errata -n univention-kernel-image.yaml
PYTHONPATH=~/misc/repo-ng/src ~/misc/repo-ng/announce/announce_errata -n linux.yaml

FYI: I think it was decided to name them "extended maintenance updates".
Created attachment 9217
Advisories

as I can't push to your private repository.
Hmm, it's not private, I created it as "internal" and the gitlab sharing permissions are set to "everyone with access". Anyway, I've applied and pushed your patch.
<http://errata.software-univention.de/ucs/3.2/458.html>
<http://errata.software-univention.de/ucs/3.2/459.html>