Univention Bugzilla – Bug 50870
linux: Multiple issues (4.4)
Last modified: 2020-03-11 14:42:00 CET
New Debian linux 4.9.210-1 fixes: This update addresses the following issues: * NULL pointer dereference in lookup_slow function (CVE-2018-13093) * NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094) * use-after-free in fs/xfs/xfs_super.c (CVE-2018-20976) * use-after-free can be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (CVE-2018-21008) * Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136) * A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095 (CVE-2019-2215) * CIFS: Relative paths injection in directory entry lists (CVE-2019-10220) * null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c causing denial of service (CVE-2019-12614) * Intel graphics card information leak. (CVE-2019-14615) * heap overflow in mwifiex_set_uap_rates() function of Marvell Wifi Driver leading to DoS (CVE-2019-14814) * heap-overflow in mwifiex_set_wmm_params() function of Marvell WiFi driver leading to DoS (CVE-2019-14815) * heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816) * heap-based buffer overflow in mwifiex_process_country_ie() function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c (CVE-2019-14895) * heap-based buffer overflow in lbs_ibss_join_existing function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14896) * stack-based buffer overflow in add_ie_rates function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14897) * heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901) * powerpc: local user can read vector registers of other users' processes via a Facility Unavailable exception (CVE-2019-15030) * a NULL pointer dereference in drivers/net/wireless/ath/ath6kl/usb.c leads to a crash (CVE-2019-15098) * null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217) * Null pointer dereference in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c (CVE-2019-15291) * out of bounds read in drivers/media/usb/dvb-usb/technisat-usb2.c (CVE-2019-15505) * use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917) * buffer-overflow hardening in WiFi beacon validation code. (CVE-2019-16746) * unprivileged users able to create RAW sockets in the the AF_AX25 network protocol. (CVE-2019-17052) * unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol. (CVE-2019-17053) * privilege escalation in atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module (CVE-2019-17054) * unprivileged users able to create RAW sockets in AF_ISDN network protocol. (CVE-2019-17055) * unprivileged access to llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC socket type. (CVE-2019-17056) * denial of service in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c (CVE-2019-17075) * buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c (CVE-2019-17133) * rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666) * The flow_dissector feature allows device tracking (CVE-2019-18282) * (powerpc) incomplete Spectre-RSB mitigation leads to information exposure (CVE-2019-18660) * race condition in vivid_stop_generating_vid_cap(),vivid_stop_generating_vid_out(), sdr_cap_stop_streaming() (CVE-2019-18683) * memory leak in ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c (CVE-2019-18806) * memory leak in af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c (CVE-2019-18809) * null-pointer dereference in ext4_empty_dir in fs/ext4/namei.c (CVE-2019-19037) * dos in unittest_data_add() function in drivers/of/unittest.c (CVE-2019-19049) * dos in i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c (CVE-2019-19051) * dos in gs_can_open() function in drivers/net/can/usb/gs_usb.c (CVE-2019-19052) * A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c allows to cause DoS (CVE-2019-19056) * Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c allows for a DoS (CVE-2019-19057) * A memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for a DoS (CVE-2019-19062) * Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS (CVE-2019-19063) * A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allows for a DoS (CVE-2019-19066) * A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows for a DoS (CVE-2019-19068) * In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122. (CVE-2019-19227) * kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332) * mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447) * use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523) * a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524) * malicious USB device leads to use-after-free in the drivers/net/ieee802154/atusb.c driver (CVE-2019-19525) * use-after-free caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (CVE-2019-19527) * use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (CVE-2019-19530) * use-after-free bug caused by a malicious USB device in the drivers/usb/misc/yurex.c driver leads to denial of service (CVE-2019-19531) * malicious USB devices can lead to multiple out-of-bounds write (CVE-2019-19532) * information leak bug caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c (CVE-2019-19533) * information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534) * information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.cdriver (CVE-2019-19535) * information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (CVE-2019-19536) * race condition caused by a malicious USB device in the USB character device driver layer (CVE-2019-19537) * use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c (CVE-2019-19767) * uninitialized memory allocation in drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c leading to information leak (CVE-2019-19947) * NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery (CVE-2019-19965) * memory leak in __feat_register_sp() in net/dccp/feat.c (CVE-2019-20096) * linux (CVE-2020-0030)
--- mirror/ftp/4.4/unmaintained/4.4-2/source/univention-kernel-image_12.0.0-3A~4.4.0.201909101016.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/univention-kernel-image_12.0.0-4A~4.4.0.202002271621.dsc @@ -1,6 +1,10 @@ -12.0.0-3A~4.4.0.201909101016 [Tue, 10 Sep 2019 10:16:05 +0200] Univention builddaemon <buildd@univention.de>: +12.0.0-4A~4.4.0.202002271621 [Thu, 27 Feb 2020 16:21:28 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +12.0.0-4 [Thu, 27 Feb 2020 16:20:13 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #50870: Update to linux-4.9.0-12 12.0.0-3 [Tue, 10 Sep 2019 10:15:23 +0200] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-3/#283297696686799683>
--- mirror/ftp/4.4/unmaintained/4.4-3/source/univention-kernel-image-signed_5.0.0-9A~4.4.0.201911131005.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/univention-kernel-image-signed_5.0.0-10A~4.4.0.202002271558.dsc @@ -1,6 +1,10 @@ -5.0.0-9A~4.4.0.201911131005 [Wed, 13 Nov 2019 10:05:01 +0100] Univention builddaemon <buildd@univention.de>: +5.0.0-10A~4.4.0.202002271558 [Thu, 27 Feb 2020 15:58:40 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.0-10 [Thu, 27 Feb 2020 15:51:49 +0100] Philipp Hahn <hahn@univention.de>: + + * Bug #50870: Update to linux-4.9.210-1 5.0.0-9 [Wed, 13 Nov 2019 10:00:43 +0100] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-3/#283297696686799683>
OK: yaml OK: announce_errata OK: patch ~OK: piuparts OK: apt install -t apt univention-kernel-image OK: amd64 @ kvm + SeaBIOS OK: amd64 @ kvm + OVMF + SB OK: cat /sys/kernel/security/securelevel ; echo OK: amd64 @ xen1 OK: i386 @ kvm OK: uname -rv OK: dmesg' [4.4-3] 3aa243c359 Bug #50870: linux 4.9.210-1 doc/errata/staging/linux.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) [4.4-3] 97a30ec0ba Bug #50870: univention-kernel-image-signed 5.0.0-10A~4.4.0.202002271558 doc/errata/staging/linux.yaml | 104 ++++++++++++++++++++++-------------------- 1 file changed, 54 insertions(+), 50 deletions(-) [4.4-3] b51d2ab19c Bug #50870: linux 4.9.210-1 doc/errata/staging/linux.yaml | 212 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 212 insertions(+)
<http://errata.software-univention.de/ucs/4.4/480.html> <http://errata.software-univention.de/ucs/4.4/481.html> <http://errata.software-univention.de/ucs/4.4/482.html>