Univention Bugzilla – Bug 51490
linux: Multiple issues (4.4)
Last modified: 2020-06-17 15:39:30 CEST
New Debian linux 4.9.210-1+deb9u1 fixes:

This update addresses the following issues:
* possible execution path in MMU code leads to local escalation of privilege (CVE-2019-2182)
* triggering AP to send IAPP location updates for stations before the required authentication process has completed can lead to DoS (CVE-2019-5108)
* out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c (CVE-2019-19319)
* NULL pointer dereference in relay_open in kernel/relay.c (CVE-2019-19462)
* use-after-free in __blk_add_trace in kernel/trace/blktrace.c (CVE-2019-19768)
* NULL pointer dereference in tw5864_handle_frame function in drivers/media/pci/tw5864/tw5864-video.c (CVE-2019-20806)
* An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c. (CVE-2019-20811)
* Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543)
* kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)
* use-after-free in fs/namei.c (CVE-2020-8428)
* out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)
* use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648)
* invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c (CVE-2020-8649)
* out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)
* NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic (CVE-2020-10711)
* uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)
* SELinux netlink permission check bypass (CVE-2020-10751)
* kernel: DAX hugepages not considered during mremap (CVE-2020-10757)
* vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)
* transmission of uninitialized data allows attackers to read sensitive information (CVE-2020-11494)
* out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)
* NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in drivers/media/usb/gspca/ov519.c (CVE-2020-11608)
* NULL pointer dereference due to incorrect handling of invalid descriptors in stv06xx subsystem (CVE-2020-11609)
* mishandles invalid descriptors in drivers/media/usb/gspca/xirlink_cit.c (CVE-2020-11668)
* A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)
* use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464)
* race condition in __mptctl_ioctl function in drivers/message/fusion/mptctl.c allows local users to hold an incorrect lock during the ioctl operation (CVE-2020-12652)
* buffer overflow in mwifiex_cmd_append_vsie_tlv function in drivers/net/wireless/marvell/mwifiex/scan.c (CVE-2020-12653)
* heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c (CVE-2020-12654)
* sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)
* gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4. (CVE-2020-13143)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/linux_4.9.210-1.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/linux_4.9.210-1+deb9u1.dsc 
@@ -1,3 +1,116 @@ +4.9.210-1+deb9u1 [Sun, 07 Jun 2020 22:34:10 +0100] Ben Hutchings <benh@debian.org>: + + [ Salvatore Bonaccorso ] + * selinux: properly handle multiple messages in selinux_netlink_send() + (CVE-2020-10751) + * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) + * USB: core: Fix free-while-in-use bug in the USB S-Glibrary + (CVE-2020-12464) + * scsi: sg: add sg_remove_request in sg_common_write + * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770) + * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143) + * netlabel: cope with NULL catmap (CVE-2020-10711) + * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() + (CVE-2020-10732) + * kernel/relay.c: handle alloc_percpu returning NULL in relay_open + (CVE-2019-19462) + * mm: Fix mremap not considering huge pmd devmap (CVE-2020-10757) + + [ Ben Hutchings ] + * [arm64] Enforce BBM for huge IO/VMAP mappings (CVE-2019-2182): + - arm64: mm: BUG on unsupported manipulations of live kernel mappings + - arm64: don't open code page table entry creation + - arm64: mm: Change page table pointer name in p[md]_set_huge() + - arm64: Enforce BBM for huge IO/VMAP mappings + - arm64: Make sure permission updates happen for pmd/pud + * cfg80211/mac80211: make ieee80211_send_layer2_update a public function + * mac80211: Do not send Layer 2 Update frame before authorization + (CVE-2019-5108) + * ext4: Fix various bugs: + - ext4: Make checks for metadata_csum feature safer + - ext4: avoid declaring fs inconsistent due to invalid file handles + - ext4: protect journal inode's blocks using block_validity + (CVE-2019-19319) + - ext4: unsigned int compared against zero + - ext4: fix block validity checks for journal inodes using indirect blocks + - ext4: don't perform block validity checks on the journal inode + - ext4: add cond_resched() to ext4_protect_reserved_inode (CVE-2020-8992) + * blktrace: Fix various locking issues: + - blktrace: Fix 
potential deadlock between delete & sysfs ops + - blktrace: fix unlocked access to init/start-stop/teardown + - blktrace: fix trace mutex deadlock + - blktrace: Protect q->blk_trace with RCU (CVE-2019-19768) + - blktrace: fix dereference after null check + * media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame + (CVE-2019-20806) + * [x86] KVM: nVMX: Fix incorrect instruction emulation (CVE-2020-2732): + - KVM: x86: emulate RDPID + - KVM: nVMX: Don't emulate instructions in guest mode + - KVM: nVMX: Refactor IO bitmap checks into helper function + - KVM: nVMX: Check IO instruction VM-exit conditions + * vfs: do_last(): fetch directory ->i_mode and ->i_uid before it's too late + (CVE-2020-8428) + * vfs: fix do_last() regression + * vgacon: Fix a UAF in vgacon_invert_region (CVE-2020-8647, CVE-2020-8649) + * locking/atomic, kref: Add kref_read() + * vt: Fix various bugs: + - vt: selection, handle pending signals in paste_selection + - VT_RESIZEX: get rid of field-by-field copyin + - vt: vt_ioctl: fix race in VT_RESIZEX + - vt: selection, close sel_buffer race (CVE-2020-8648) + - vt: selection, push console lock down + - vt: selection, push sel_lock up + - vt: selection, introduce vc_is_sel + - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines + - vt: switch vt_dont_switch to bool + - vt: vt_ioctl: remove unnecessary console allocation checks + - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual + - vt: vt_ioctl: fix use-after-free in vt_in_use() + * floppy: check FDC index for errors before assigning it (CVE-2020-9383) + * vhost: Check docket sk_family instead of call getname (CVE-2020-10942) + * slip, slcan: Fix various bugs: + - can, slip: Protect tty->disc_data in write_wakeup and close + - slcan: not call free_netdev before rtnl_unlock in slcan_open + - slcan: Fix double-free on slcan_open() error path + - slcan: Don't transmit uninitialized stack data in padding + (CVE-2020-11494) + - slip: stop double free sl->dev in slip_open + 
- slip: not call free_netdev before rtnl_unlock in slip_open + - slip: make slhc_compress() more robust against malicious + * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED + (CVE-2020-11565) + * media: usb: Fix several descriptor checks: + - media: ov519: add missing endpoint sanity checks (CVE-2020-11608) + - media: stv06xx: add missing descriptor sanity checks (CVE-2020-11609) + - media: xirlink_cit: add missing descriptor sanity checks (CVE-2020-11668) + * scsi: mptfusion: Fix double fetch bug in ioctl (CVE-2020-12652) + * mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() + (CVE-2020-12653) + * mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() + (CVE-2020-12654) + * macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() + (Closes: #952660) + * block: Avoid ABI change for blktrace locking + * net-sysfs: Fix reference counting bugs: + - net: don't decrement kobj reference count on init failure + - net-sysfs: call dev_hold if kobject_init_and_add success + (CVE-2019-20811) + - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject + - net-sysfs: fix netdev_queue_add_kobject() breakage + - net-sysfs: Call dev_hold always in netdev_queue_add_kobject + - net-sysfs: Call dev_hold always in rx_queue_add_kobject + * propagate_one(): mnt_set_mountpoint() needs mount_lock + * [x86] Add support for mitigation of Special Register Buffer Data Sampling + (SRBDS) (CVE-2020-0543): + - x86/cpu: Add 'table' argument to cpu_matches() + - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) + mitigation + - x86/speculation: Add SRBDS vulnerability and mitigation documentation + - x86/speculation: Add Ivy Bridge to affected list + * [x86] speculation: Do not match steppings, to avoid an ABI change + * random: always use batched entropy for get_random_u{32,64} + * [rt] Refresh "random: avoid preempt_disable()ed section" + 4.9.210-1 [Mon, 20 Jan 2020 18:38:08 +0000] Ben Hutchings 
<ben@decadent.org.uk>: * New upstream stable update: <http://10.200.17.11/4.4-4/#6220744327999091175>
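Review bot: The ext4 sub-entry "add cond_resched() to ext4_protect_reserved_inode" is tagged CVE-2020-8992, but that CVE is missing from the issue list in the bug description, so an erratum generated from that list would not announce it; add CVE-2020-8992 to the list and check that doc/errata/staging/linux.yaml carries it. Two smaller points in the same changelog: the vgacon entry attributes both CVE-2020-8647 and CVE-2020-8649 to one use-after-free fix in vgacon_invert_region, while the description lists CVE-2020-8647 as an out-of-bounds read in vc_do_resize in drivers/tty/vt/vt.c, so the mapping deserves a second look before the advisory text is published; and the entry "slip: make slhc_compress() more robust against malicious" ends without its object and reads as truncated.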
DVD install tests fail now; they are unable to install univention-kernel-image:

E: Unable to correct problems, you have held broken packages.
Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 univention-kernel-image : Depends: linux-image-4.9.0-12-amd64-signed but it is not going to be installed

Reading package lists...
Building dependency tree...
Reading state information...
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 linux-image-4.9.0-12-amd64-signed : Depends: linux-image-4.9.0-12-amd64 (= 4.9.210-1) but 4.9.210-1+deb9u1 is to be installed
univention-kernel-image[-signed] needs to be updated (after the signing, which is scheduled for tomorrow).
[4.4-4] 89ff093cce Bug #51490: univention-kernel-image-signed 5.0.0-11A~4.4.0.202006171143
 doc/errata/staging/linux.yaml | 4 +-
 .../staging/univention-kernel-image-signed.yaml | 107 +++++++++++++++++++++
 2 files changed, 110 insertions(+), 1 deletion(-)

[4.4-4] 357f1a32ed Bug #51490: Update to linux-4.9.210-1+deb9u1
 .../debian/changelog | 6 ++++++
 .../univention-kernel-image-signed/debian/control | 4 ++--
 .../debian/control.in | 9 ++++++---
 .../vmlinuz-4.9.0-12-amd64.efi.signed | Bin 4265584 -> 4265584 bytes
 4 files changed, 14 insertions(+), 5 deletions(-)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/univention-kernel-image-signed_5.0.0-10A~4.4.0.202002271558.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/univention-kernel-image-signed_5.0.0-11A~4.4.0.202006171143.dsc @@ -1,6 +1,10 @@ -5.0.0-10A~4.4.0.202002271558 [Thu, 27 Feb 2020 15:58:40 +0100] Univention builddaemon <buildd@univention.de>: +5.0.0-11A~4.4.0.202006171143 [Wed, 17 Jun 2020 11:43:04 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.0-11 [Wed, 17 Jun 2020 11:30:09 +0200] Philipp Hahn <hahn@univention.de>: + + * Bug #51490: Update to linux-4.9.210-1+deb9u1 5.0.0-10 [Thu, 27 Feb 2020 15:51:49 +0100] Philipp Hahn <hahn@univention.de>: <http://10.200.17.11/4.4-4/#3918145900921532894>
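Review bot: The new 5.0.0-11 entry says only "Update to linux-4.9.210-1+deb9u1" and does not record why the rebuild was needed. The install failure reported earlier in this bug shows linux-image-4.9.0-12-amd64-signed depending on linux-image-4.9.0-12-amd64 (= 4.9.210-1), so I would suggest that the entry state that the exact-version dependency now points at 4.9.210-1+deb9u1 and that vmlinuz-4.9.0-12-amd64.efi.signed was replaced with the re-signed image. That makes the coupling between the two packages visible to whoever handles the next kernel erratum.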
Package: univention-kernel-image-signed
Version: 5.0.0-11A~4.4.0.202006171143
Branch: ucs_4.4-0
Scope: errata4.4-4

OK: apt install -t apt linux-image-4.9.0-12-amd64 linux-image-4.9.0-12-amd64-signed intel-microcode
OK: uname -rv # 4.9.210-1+deb9u1
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
OK: amd64 @ xen1
OK: apt install -t apt linux-image-4.9.0-12-686-pae
OK: i386 @ kvm
OK: dmesg -H
OK: YAML
OK: errata-announce -V --only linux.yaml
OK: errata-announce -V --only univention-kernel-image-signed.yaml
<http://errata.software-univention.de/ucs/4.4/627.html> <http://errata.software-univention.de/ucs/4.4/628.html>