Bug 49677 – linux: Multiple issues (4.3)

Bug 49677 - linux: Multiple issues (4.3)


Summary:	linux: Multiple issues (4.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.3
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.3-4-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-06-18 12:42 CEST by Quality Assurance
Modified:	2019-06-19 17:40 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2019-06-18 12:42:06 CEST

New Debian linux 4.9.168-1+deb9u3 fixes:
This update addresses the following issues:
* Heap overflow in mwifiex_update_bss_desc_with_ie function in  marvell/mwifiex/scan.c (CVE-2019-3846)
* page cache side channel attacks (CVE-2019-5489)
* brcmfmac heap buffer overflow in brcmf_wowl_nd_results (CVE-2019-9500)
* brcmfmac frame validation bypass (CVE-2019-9503)
* Heap Overflow in mwifiex_uap_parse_tail_ies function in  drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)
* tcp: integer overflow while processing SACK blocks allows remote denial of  service (CVE-2019-11477)
* tcp: excessive resource consumption while processing SACK blocks allows  remote denial of service (CVE-2019-11478)
* tcp: excessive resource consumption for TCP connections with low MSS allows  remote denial of service (CVE-2019-11479)
* multiple race conditions in Siemens R3964 line discipline driver in  drivers/tty/n_r3964.c leading to denial of service (CVE-2019-11486)
* fix race condition between mmget_not_zero()/get_task_mm() and core dumping  (CVE-2019-11599)
* race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to  use-after-free (CVE-2019-11815)
* fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)
* sensitive information disclosure from kernel stack memory via HIDPCONNADD  command (CVE-2019-11884)

Comment 1 Quality Assurance

2019-06-18 13:02:08 CEST

--- mirror/ftp/4.3/unmaintained/component/4.3-4-errata/source/linux_4.9.168-1+deb9u2.dsc
+++ apt/ucs_4.3-0-errata4.3-4/source/linux_4.9.168-1+deb9u3.dsc
@@ -1,3 +1,33 @@
+4.9.168-1+deb9u3 [Sun, 16 Jun 2019 15:38:39 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Salvatore Bonaccorso ]
+  * tcp: limit payload size of sacked skbs (CVE-2019-11477)
+  * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478)
+  * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479)
+  * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
+  * tcp: fix fack_count accounting on tcp_shift_skb_data()
+
+  [ Ben Hutchings ]
+  * tcp: Avoid ABI change for DoS fixes
+  * mm/mincore.c: make mincore() more conservative (CVE-2019-5489)
+  * brcmfmac: add length checks in scheduled scan result handler
+  * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
+  * brcmfmac: add subtype check for event handling in data path (CVE-2019-9503)
+  * tty: mark Siemens R3964 line discipline as BROKEN (CVE-2019-11486)
+  * coredump: fix race condition between mmget_not_zero()/get_task_mm() and
+    core dumping (CVE-2019-11599)
+  * net: rds: force to destroy connection if t_sock is NULL in
+    rds_tcp_kill_sock(). (CVE-2019-11815) (Closes: #928989)
+  * ext4: zero out the unused memory region in the extent tree block
+    (CVE-2019-11833)
+  * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
+  * mwifiex: Fix possible buffer overflows at parsing bss descriptor
+    (CVE-2019-3846)
+  * mwifiex: Abort at too short BSS descriptor element
+  * mwifiex: Don't abort on small, spec-compliant vendor IEs
+  * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+    (CVE-2019-10126)
+
 4.9.168-1+deb9u2 [Mon, 13 May 2019 21:59:18 +0100] Ben Hutchings <ben@decadent.org.uk>:
 
   [ Salvatore Bonaccorso ]

<http://10.200.17.11/4.3-4/#51094133489667651>

Comment 2 Philipp Hahn

2019-06-18 15:12:40 CEST

[4.3-4] ebde00797a Bug #49677: Update to linux-4.9.168-1+deb9u3
 .../debian/changelog                               |   6 ++++++
 .../univention-kernel-image-signed/debian/control  |   4 ++--
 .../vmlinuz-4.9.0-9-amd64.efi.signed               | Bin 4253296 -> 4249200 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-14A~4.3.0.201906181332
Branch: ucs_4.3-0
Scope: errata4.3-4

[4.3-4] 6f97002eed Bug #49677: univention-kernel-image-signed 4.0.0-14A~4.3.0.201906181332
 doc/errata/staging/linux.yaml                      |  1 +
 .../staging/univention-kernel-image-signed.yaml    | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)

OK: piupararts
OK: amd64 @ kvm OVMF + SB
OK: amd64 @ kvm SeaBIOS
OK: amd64 @ lynx
OK: i386 @ kvm
OK: dmesg
OK: uname -r

Comment 3 Arvid Requate

2019-06-19 17:40:52 CEST

<http://errata.software-univention.de/ucs/4.3/534.html>
<http://errata.software-univention.de/ucs/4.3/535.html>