[SECURITY] [DLA 3840-1] linux security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3840-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
June 25, 2024                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.19.316-1
CVE ID         : CVE-2021-33630 CVE-2022-48627 CVE-2023-0386 CVE-2023-6040 CVE-2023-6270 CVE-2023-7042 CVE-2023-46838 CVE-2023-47233 CVE-2023-52340 CVE-2023-52429 CVE-2023-52436 CVE-2023-52439 CVE-2023-52443 CVE-2023-52444 CVE-2023-52445 CVE-2023-52449 CVE-2023-52464 CVE-2023-52469 CVE-2023-52470 CVE-2023-52486 CVE-2023-52583 CVE-2023-52587 CVE-2023-52594 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52609 CVE-2023-52612 CVE-2023-52615 CVE-2023-52619 CVE-2023-52620 CVE-2023-52622 CVE-2023-52623 CVE-2023-52628 CVE-2023-52644 CVE-2023-52650 CVE-2023-52670 CVE-2023-52679 CVE-2023-52683 CVE-2023-52691 CVE-2023-52693 CVE-2023-52698 CVE-2023-52699 CVE-2023-52880 CVE-2024-0340 CVE-2024-0607 CVE-2024-1086 CVE-2024-22099 CVE-2024-23849 CVE-2024-23851 CVE-2024-24857 CVE-2024-24858 CVE-2024-24861 CVE-2024-25739 CVE-2024-26597 CVE-2024-26600 CVE-2024-26602 CVE-2024-26606 CVE-2024-26615 CVE-2024-26625 CVE-2024-26633 CVE-2024-26635 CVE-2024-26636 CVE-2024-26642 CVE-2024-26645 CVE-2024-26651 CVE-2024-26663 CVE-2024-26664 CVE-2024-26671 CVE-2024-26675 CVE-2024-26679 CVE-2024-26685 CVE-2024-26696 CVE-2024-26697 CVE-2024-26704 CVE-2024-26720 CVE-2024-26722 CVE-2024-26735 CVE-2024-26744 CVE-2024-26752 CVE-2024-26754 CVE-2024-26763 CVE-2024-26764 CVE-2024-26766 CVE-2024-26772 CVE-2024-26773 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26791 CVE-2024-26793 CVE-2024-26801 CVE-2024-26805 CVE-2024-26816 CVE-2024-26817 CVE-2024-26820 CVE-2024-26825 CVE-2024-26839 CVE-2024-26840 CVE-2024-26845 CVE-2024-26851 CVE-2024-26852 CVE-2024-26857 CVE-2024-26859 CVE-2024-26863 CVE-2024-26874 CVE-2024-26875 CVE-2024-26878 CVE-2024-26880 CVE-2024-26883 CVE-2024-26884 CVE-2024-26889 CVE-2024-26894 CVE-2024-26898 CVE-2024-26901 CVE-2024-26903 CVE-2024-26917
CVE-2024-26922 CVE-2024-26923 CVE-2024-26931 CVE-2024-26934 CVE-2024-26955 CVE-2024-26956 CVE-2024-26965 CVE-2024-26966 CVE-2024-26969 CVE-2024-26973 CVE-2024-26974 CVE-2024-26976 CVE-2024-26981 CVE-2024-26984 CVE-2024-26993 CVE-2024-26994 CVE-2024-26997 CVE-2024-27001 CVE-2024-27008 CVE-2024-27013 CVE-2024-27020 CVE-2024-27024 CVE-2024-27028 CVE-2024-27043 CVE-2024-27046 CVE-2024-27059 CVE-2024-27074 CVE-2024-27075 CVE-2024-27077 CVE-2024-27078 CVE-2024-27388 CVE-2024-27395 CVE-2024-27396 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-27405 CVE-2024-27410 CVE-2024-27412 CVE-2024-27413 CVE-2024-27416 CVE-2024-27419 CVE-2024-27436 CVE-2024-31076 CVE-2024-33621 CVE-2024-35789 CVE-2024-35806 CVE-2024-35807 CVE-2024-35809 CVE-2024-35811 CVE-2024-35815 CVE-2024-35819 CVE-2024-35821 CVE-2024-35822 CVE-2024-35823 CVE-2024-35825 CVE-2024-35828 CVE-2024-35830 CVE-2024-35835 CVE-2024-35847 CVE-2024-35849 CVE-2024-35877 CVE-2024-35886 CVE-2024-35888 CVE-2024-35893 CVE-2024-35898 CVE-2024-35902 CVE-2024-35910 CVE-2024-35915 CVE-2024-35922 CVE-2024-35925 CVE-2024-35930 CVE-2024-35933 CVE-2024-35935 CVE-2024-35936 CVE-2024-35944 CVE-2024-35947 CVE-2024-35955 CVE-2024-35960 CVE-2024-35969 CVE-2024-35973 CVE-2024-35978 CVE-2024-35982 CVE-2024-35984 CVE-2024-35997 CVE-2024-36004 CVE-2024-36014 CVE-2024-36015 CVE-2024-36016 CVE-2024-36017 CVE-2024-36020 CVE-2024-36286 CVE-2024-36288 CVE-2024-36883 CVE-2024-36886 CVE-2024-36902 CVE-2024-36904 CVE-2024-36905 CVE-2024-36919 CVE-2024-36933 CVE-2024-36934 CVE-2024-36940 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36954 CVE-2024-36959 CVE-2024-36960 CVE-2024-36964 CVE-2024-36971 CVE-2024-37353 CVE-2024-37356 CVE-2024-38381 CVE-2024-38549 CVE-2024-38552 CVE-2024-38558 CVE-2024-38559 CVE-2024
[SECURITY] [DLA 3843-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3843-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
June 27, 2024                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.218-1~deb10u1
CVE ID         : CVE-2022-48655 CVE-2023-52585 CVE-2023-52882 CVE-2024-26900 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-35848 CVE-2024-35947 CVE-2024-36017 CVE-2024-36031 CVE-2024-36883 CVE-2024-36886 CVE-2024-36889 CVE-2024-36902 CVE-2024-36904 CVE-2024-36905 CVE-2024-36916 CVE-2024-36919 CVE-2024-36929 CVE-2024-36933 CVE-2024-36934 CVE-2024-36939 CVE-2024-36940 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36953 CVE-2024-36954 CVE-2024-36957 CVE-2024-36959 CVE-2024-36960

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For Debian 10 buster, these problems have been fixed in version 5.10.218-1~deb10u1. This additionally includes many more bug fixes from stable updates 5.10.217-5.10.218 inclusive.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3842-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3842-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
June 25, 2024                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.216-1~deb10u1
CVE ID         : CVE-2022-38096 CVE-2023-6270 CVE-2023-7042 CVE-2023-28746 CVE-2023-47233 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435 CVE-2023-52447 CVE-2023-52458 CVE-2023-52482 CVE-2023-52486 CVE-2023-52488 CVE-2023-52489 CVE-2023-52491 CVE-2023-52492 CVE-2023-52493 CVE-2023-52497 CVE-2023-52498 CVE-2023-52583 CVE-2023-52587 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52606 CVE-2023-52607 CVE-2023-52614 CVE-2023-52615 CVE-2023-52616 CVE-2023-52617 CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52622 CVE-2023-52623 CVE-2023-52627 CVE-2023-52635 CVE-2023-52637 CVE-2023-52642 CVE-2023-52644 CVE-2023-52650 CVE-2023-52656 CVE-2023-52669 CVE-2023-52670 CVE-2023-52672 CVE-2023-52699 CVE-2023-52880 CVE-2024-0340 CVE-2024-0565 CVE-2024-0607 CVE-2024-0841 CVE-2024-1151 CVE-2024-22099 CVE-2024-23849 CVE-2024-23850 CVE-2024-23851 CVE-2024-24857 CVE-2024-24858 CVE-2024-24861 CVE-2024-25739 CVE-2024-26581 CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602 CVE-2024-26606 CVE-2024-26610 CVE-2024-26614 CVE-2024-26615 CVE-2024-26622 CVE-2024-26625 CVE-2024-26627 CVE-2024-26635 CVE-2024-26636 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642 CVE-2024-26643 CVE-2024-26644 CVE-2024-26645 CVE-2024-26651 CVE-2024-26654 CVE-2024-26659 CVE-2024-26663 CVE-2024-26664 CVE-2024-26665 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675 CVE-2024-26679 CVE-2024-26684 CVE-2024-26685 CVE-2024-26687 CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696 CVE-2024-26697 CVE-2024-26698 CVE-2024-26702 CVE-2024-26704 CVE-2024-26707 CVE-2024-26712 CVE-2024-26720 CVE-2024-26722 CVE-2024-26727 CVE-2024-26733 CVE-2024-26735 CVE-2024-26736 CVE-2024-26743 CVE-2024-26744 CVE-2024-26747
CVE-2024-26748 CVE-2024-26749 CVE-2024-26751 CVE-2024-26752 CVE-2024-26753 CVE-2024-26754 CVE-2024-26763 CVE-2024-26764 CVE-2024-26766 CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26776 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26781 CVE-2024-26782 CVE-2024-26787 CVE-2024-26788 CVE-2024-26790 CVE-2024-26791 CVE-2024-26793 CVE-2024-26795 CVE-2024-26801 CVE-2024-26804 CVE-2024-26805 CVE-2024-26808 CVE-2024-26809 CVE-2024-26810 CVE-2024-26812 CVE-2024-26813 CVE-2024-26814 CVE-2024-26816 CVE-2024-26817 CVE-2024-26820 CVE-2024-26825 CVE-2024-26833 CVE-2024-26835 CVE-2024-26839 CVE-2024-26840 CVE-2024-26843 CVE-2024-26845 CVE-2024-26846 CVE-2024-26848 CVE-2024-26851 CVE-2024-26852 CVE-2024-26855 CVE-2024-26857 CVE-2024-26859 CVE-2024-26861 CVE-2024-26862 CVE-2024-26863 CVE-2024-26870 CVE-2024-26872 CVE-2024-26874 CVE-2024-26875 CVE-2024-26877 CVE-2024-26878 CVE-2024-26880 CVE-2024-26882 CVE-2024-26883 CVE-2024-26884 CVE-2024-26885 CVE-2024-26889 CVE-2024-26891 CVE-2024-26894 CVE-2024-26895 CVE-2024-26897 CVE-2024-26898 CVE-2024-26901 CVE-2024-26903 CVE-2024-26906 CVE-2024-26907 CVE-2024-26910 CVE-2024-26917 CVE-2024-26922 CVE-2024-26923 CVE-2024-26924 CVE-2024-26925 CVE-2024-26926 CVE-2024-26931 CVE-2024-26934 CVE-2024-26935 CVE-2024-26937 CVE-2024-26950 CVE-2024-26951 CVE-2024-26955 CVE-2024-26956 CVE-2024-26957 CVE-2024-26958 CVE-2024-26960 CVE-2024-26961 CVE-2024-26965 CVE-2024-26966 CVE-2024-26969 CVE-2024-26970 CVE-2024-26973 CVE-2024-26974 CVE-2024-26976 CVE-2024-26978 CVE-2024-26981 CVE-2024-26984 CVE-2024-26988 CVE-2024-26993 CVE-2024-26994 CVE-2024-26997 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001 CVE-2024-27004 CVE-2024-27008 CVE-2024-27013 CVE-2024-27020 CVE-2024-27024 CVE-2024-27025 CVE-2024-27028 CVE-2024
[SECURITY] [DLA 3841-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3841-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
June 25, 2024                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.209-2~deb10u1
CVE ID         : CVE-2023-6040 CVE-2023-6356 CVE-2023-6535 CVE-2023-6536 CVE-2023-6606 CVE-2023-6915 CVE-2023-39198 CVE-2023-46838 CVE-2023-51779 CVE-2023-52340 CVE-2023-52436 CVE-2023-52438 CVE-2023-52439 CVE-2023-52443 CVE-2023-52444 CVE-2023-52445 CVE-2023-52448 CVE-2023-52449 CVE-2023-52451 CVE-2023-52454 CVE-2023-52456 CVE-2023-52457 CVE-2023-52462 CVE-2023-52463 CVE-2023-52464 CVE-2023-52467 CVE-2023-52469 CVE-2023-52470 CVE-2023-52609 CVE-2023-52612 CVE-2023-52675 CVE-2023-52679 CVE-2023-52683 CVE-2023-52686 CVE-2023-52690 CVE-2023-52691 CVE-2023-52693 CVE-2023-52694 CVE-2023-52696 CVE-2023-52698 CVE-2024-0646 CVE-2024-1086 CVE-2024-24860 CVE-2024-26586 CVE-2024-26597 CVE-2024-26598 CVE-2024-26633

Several vulnerabilities were discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For Debian 10 buster, these problems were fixed earlier in version 5.10.209-2~deb10u1. This update additionally included many more bug fixes from stable updates 5.10.206-5.10.209 inclusive.

For the detailed security status of linux-5.10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3711-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3711-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
January 11, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.205-2~deb10u1
CVE ID         : CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717 CVE-2023-6121 CVE-2023-6531 CVE-2023-6817 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 CVE-2023-34324 CVE-2023-35827 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782
Debian Bug     : 1032104 1035587 1052304

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-44879

    Wenqing Liu reported a NULL pointer dereference in the f2fs implementation. An attacker able to mount a specially crafted image can take advantage of this flaw for denial of service.

CVE-2023-5178

    Alon Zahavi reported a use-after-free flaw in the NVMe-oF/TCP subsystem in the queue initialization setup, which may result in denial of service or privilege escalation.

CVE-2023-5197

    Kevin Rich discovered a use-after-free flaw in the netfilter subsystem which may result in denial of service or privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-5717

    Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system caused by improper handling of event groups, which may result in denial of service or privilege escalation. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6121

    Alon Zahavi reported an out-of-bounds read vulnerability in the NVMe-oF/TCP which may result in an information leak.

CVE-2023-6531

    Jann Horn discovered a use-after-free flaw due to a race condition when the unix garbage collector's deletion of a SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

CVE-2023-6817

    Xingyuan Mo discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931

    Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system which may result in denial of service or privilege escalation. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6932

    A use-after-free vulnerability in the IPv4 IGMP implementation may result in denial of service or privilege escalation.

CVE-2023-25775

    Ivan D Barrera, Christopher Bednarz, Mustafa Ismail and Shiraz Saleem discovered that improper access control in the Intel Ethernet Controller RDMA driver may result in privilege escalation.

CVE-2023-34324

    Marek Marczykowski-Gorecki reported a possible deadlock in the Xen guests event channel code which may allow a malicious guest administrator to cause a denial of service.

CVE-2023-35827

    Zheng Wang reported a use-after-free flaw in the Renesas Ethernet AVB support driver.

CVE-2023-45863

    A race condition in library routines for handling generic kernel objects may result in an out-of-bounds write in the fill_kobj_path() function.

CVE-2023-46813

    Tom Dohrmann reported that a race condition in the Secure Encrypted Virtualization (SEV) implementation when accessing MMIO registers may allow a local attacker in a SEV guest VM to cause a denial of service or potentially execute arbitrary code.

CVE-2023-46862

    It was discovered that a race condition in the io_uring subsystem may result in a NULL pointer dereference, causing a denial of service.

CVE-2023-51780

    It was discovered that a race condition in the ATM (Asynchronous Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

    It was discovered that a race condition in the Appletalk subsystem may lead to a use-after-free.

CVE-2023-51782

    It was discovered that a race condition in the Amateur Radio X.25 PLP (Rose) support may lead to a use-after-free. This module is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded.

For Debian 10 buster, these problems have been fixed in version 5.10.205-2~deb10u1. This update additionally fixes
[SECURITY] [DLA 3710-1] linux security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3710-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
January 10, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.19.304-1
CVE ID         : CVE-2021-44879 CVE-2023-0590 CVE-2023-1077 CVE-2023-1206 CVE-2023-1989 CVE-2023-3212 CVE-2023-3390 CVE-2023-3609 CVE-2023-3611 CVE-2023-3772 CVE-2023-3776 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-4244 CVE-2023-4622 CVE-2023-4623 CVE-2023-4921 CVE-2023-5717 CVE-2023-6606 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 CVE-2023-34319 CVE-2023-34324 CVE-2023-35001 CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-40283 CVE-2023-42753 CVE-2023-42754 CVE-2023-42755 CVE-2023-45863 CVE-2023-45871 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-44879

    Wenqing Liu reported a NULL pointer dereference in the f2fs implementation. An attacker able to mount a specially crafted image can take advantage of this flaw for denial of service.

CVE-2023-0590

    Dmitry Vyukov discovered a race condition in the network scheduler core that can lead to a use-after-free. A local user with the CAP_NET_ADMIN capability in any user or network namespace could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2023-1077

    Pietro Borrello reported a type confusion flaw in the task scheduler. A local user might be able to exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to force hash collisions in the IPv6 connection lookup table, which may result in denial of service (significant increase in the cost of lookups, increased CPU utilization).

CVE-2023-1989

    Zheng Wang reported a race condition in the btsdio Bluetooth adapter driver that can lead to a use-after-free. An attacker able to insert and remove SDIO devices can use this to cause a denial of service (crash or memory corruption) or possibly to run arbitrary code in the kernel.

CVE-2023-3212

    Yang Lan discovered that missing validation in the GFS2 filesystem could result in denial of service via a NULL pointer dereference when mounting a malformed GFS2 filesystem.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect error path handling may result in denial of service or privilege escalation.

CVE-2023-3609, CVE-2023-3776, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208

    It was discovered that a use-after-free in the cls_fw, cls_u32, cls_route and network classifiers may result in denial of service or potential local privilege escalation.

CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control subsystem for the Quick Fair Queueing scheduler (QFQ) may result in denial of service or privilege escalation.

CVE-2023-3772

    Lin Ma discovered a NULL pointer dereference flaw in the XFRM subsystem which may result in denial of service.

CVE-2023-4244

    A race condition was found in the nftables subsystem that could lead to a use-after-free. A local user could exploit this to cause a denial of service (crash), information leak, or possibly for privilege escalation.

CVE-2023-4622

    Bing-Jhong Billy Jheng discovered a use-after-free within the Unix domain sockets component, which may result in local privilege escalation.

CVE-2023-4623

    Budimir Markovic reported a missing configuration check in the sch_hfsc network scheduler that could lead to a use-after-free or other problems. A local user with the CAP_NET_ADMIN capability in any user or network namespace could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2023-4921

    "valis" reported flaws in the sch_qfq network scheduler that could lead to a use-after-free. A local user with the CAP_NET_ADMIN capability in any user or network namespace could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2023-5717

    Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system caused by improper handling of event groups,
Re: Policy queue in buster-security
On Tue, 2023-11-28 at 09:57 +, Emilio Pozuelo Monfort wrote:
> Hi,
>
> We're in the process of setting up a policy queue for buster-security. That
> means that uploads to buster-security will end up in the policy queue, and get
> built there. Once things are ready (builds have happened, tests have been done,
> etc) the update can be released to buster-security and the DLA can be sent out.
[...]

Please ensure when you do this that uploads that hit the policy queue will be included in the appropriate requests file for the signing service. It looks like this is controlled by the External-Signature-Requests::Default-Suites key in dak.conf.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
Re: [SECURITY] [DLA 3623-1] linux-5.10 security update
On Fri, 2023-10-20 at 00:10 +0200, Andreas Ziegler wrote:
> Ben Hutchings wrote on 19.10.23 23:24:
> > -------------------------------------------------------------------------
> > Debian LTS Advisory DLA-3623-1                 debian-lts@lists.debian.org
> > https://www.debian.org/lts/security/                         Ben Hutchings
> > October 19, 2023                               https://wiki.debian.org/LTS
> > -------------------------------------------------------------------------
> >
> > Package: linux-5.10
> > Version: 5.10.197-1~deb10u1
>
> Hello,
>
> was it intentional that this new build still has a build date of 2023-08-08
> the same date as the previous kernel package linux-image-5.10.0-0.deb10.24-amd64 ?

No, that was the result of a mis-merge of debian/changelog.

Ben.

> Best Regards
> Andreas
>
> P.S.:
> i'm not on the list, please CC an answer, thanks!

-- 
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
[SECURITY] [DLA 3623-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3623-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
October 19, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.197-1~deb10u1
CVE ID         : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3141 CVE-2023-3212 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194 CVE-2023-4244 CVE-2023-4273 CVE-2023-4622 CVE-2023-4623 CVE-2023-4921 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400 CVE-2023-31084 CVE-2023-34256 CVE-2023-34319 CVE-2023-35788 CVE-2023-35823 CVE-2023-35824 CVE-2023-40283 CVE-2023-42753 CVE-2023-42755 CVE-2023-42756
Debian Bug     : 871216 1035359 1036543 1044518 1050622

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC) subsystem when using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred"), may allow a local unprivileged user to cause a denial of service (triggering a CPU soft lockup).

CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may allow an unprivileged guest user to compromise the guest kernel.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to force hash collisions in the IPv6 connection lookup table, which may result in denial of service (significant increase in the cost of lookups, increased CPU utilization).

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi driver. On systems using this driver, a local user could exploit this to read sensitive information or to cause a denial of service.

CVE-2023-2002

    Ruiahn Li reported an incorrect permissions check in the Bluetooth subsystem. A local user could exploit this to reconfigure local Bluetooth interfaces, resulting in information leaks, spoofing, or denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-use flaw in the dpt_i2o SCSI controller driver. A local user with access to a SCSI device using this driver could exploit this for privilege escalation. This flaw has been mitigated by removing support for the I2OUSRCMD operation.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing metadata validation may result in denial of service or potential privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device mapper implementation may result in denial of service.

CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file system may result in denial of service if a malformed file system is accessed.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking may lead to an out-of-bounds write vulnerability, resulting in denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that can lead to a use-after-free. It's unclear whether an unprivileged user can exploit this.

CVE-2023-3141

    A flaw was discovered in the r592 memstick driver that could lead to a use-after-free after the driver is removed or unbound from a device. The security impact of this is unclear.

CVE-2023-3212

    Yang Lan discovered that missing validation in the GFS2 filesystem could result in denial of service via a NULL pointer dereference when mounting a malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs could result in denial of service or an information leak.

CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol implementation which could lead to a null pointer dereference or use-after-free. A local user can exploit this to cause a denial of service (crash or memory corruption) and probably for privilege escalation. This flaw has been mitigated b
[SECURITY] [DLA 3525-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3525-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
August 11, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.179-5~deb10u1
CVE ID         : CVE-2022-40982 CVE-2023-20569

CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers. This mitigation requires updated CPU microcode provided in the intel-microcode package. For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>.

CVE-2023-20569

    Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non-architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel. For details please refer to <https://comsec.ethz.ch/research/microarch/inception/> and <https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005>.

For Debian 10 buster, these problems have been fixed in version 5.10.179-5~deb10u1.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3524-1] linux security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3524-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
August 10, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.19.289-2
CVE ID         : CVE-2022-40982

CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers. This mitigation requires updated CPU microcode provided in the intel-microcode package. For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>.

For Debian 10 buster, this problem has been fixed in version 4.19.289-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3512-1] linux-5.10 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3512-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Ben Hutchings
August 2, 2023                                    https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.179-3~deb10u1
CVE ID         : CVE-2023-2156 CVE-2023-3390 CVE-2023-3610 CVE-2023-20593 CVE-2023-31248 CVE-2023-35001

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-2156

    It was discovered that a flaw in the handling of the RPL protocol may allow an unauthenticated remote attacker to cause a denial of service if RPL is enabled (not by default in Debian).

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect error path handling may result in denial of service or privilege escalation.

CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect refcount handling on the table and chain destroy path may result in denial of service or privilege escalation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests. For details please refer to <https://lock.cmpxchg8b.com/zenbleed.html> and <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>. This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update. However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.

CVE-2023-31248

    Mingi Cho discovered a use-after-free flaw in the Netfilter nf_tables implementation when using nft_chain_lookup_byid, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-35001

    Tanguy DUBROCA discovered an out-of-bounds read and write flaw in the Netfilter nf_tables implementation when processing an nft_byteorder expression, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

For Debian 10 buster, these problems have been fixed in version 5.10.179-3~deb10u1.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3508-1] linux security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3508-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
July 27, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux
Version        : 4.19.289-1
CVE ID         : CVE-2023-1380 CVE-2023-2002 CVE-2023-2007 CVE-2023-2269
                 CVE-2023-3090 CVE-2023-3111 CVE-2023-3141 CVE-2023-3268
                 CVE-2023-3338 CVE-2023-20593 CVE-2023-31084 CVE-2023-32233
                 CVE-2023-34256 CVE-2023-35788 CVE-2023-35823 CVE-2023-35824
                 CVE-2023-35828

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi
    driver. On systems using this driver, a local user could exploit
    this to read sensitive information or to cause a denial of service
    (crash).

CVE-2023-2002

    Ruihan Li reported an incorrect permissions check in the Bluetooth
    subsystem. A local user could exploit this to reconfigure local
    Bluetooth interfaces, resulting in information leaks, spoofing, or
    denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong (@_wmliang_) and Reno Robert of Trend Micro Zero Day
    Initiative discovered a time-of-check-to-time-of-use flaw in the
    dpt_i2o SCSI controller driver. A local user with access to a SCSI
    device using this driver could exploit this for privilege
    escalation. This flaw has been mitigated by removing support for
    the I2OUSRCMD operation.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the
    device mapper implementation may result in denial of service.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking
    may lead to an out-of-bounds write vulnerability, resulting in
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver
    that can lead to a use-after-free. It's unclear whether an
    unprivileged user can exploit this.

CVE-2023-3141

    A flaw was discovered in the r592 memstick driver that could lead
    to a use-after-free after the driver is removed or unbound from a
    device. The security impact of this is unclear.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs
    could result in denial of service or an information leak.

CVE-2023-3338

    Ornaghi Davide discovered a flaw in the DECnet protocol
    implementation which could lead to a null pointer dereference or
    use-after-free. A local user can exploit this to cause a denial of
    service (crash or memory corruption) and probably for privilege
    escalation. This flaw has been mitigated by removing the DECnet
    protocol implementation.

CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural
    circumstances, a vector register in AMD "Zen 2" CPUs may not be
    written to 0 correctly. This flaw allows an attacker to leak
    sensitive information across concurrent processes, hyper threads
    and virtualized guests. For details please refer to
    <https://lock.cmpxchg8b.com/zenbleed.html> and
    <https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the
    amd64-microcode package or a system firmware (BIOS/UEFI) update.
    However, the initial microcode release by AMD only provides updates
    for second generation EPYC CPUs. Various Ryzen CPUs are also
    affected, but no updates are available yet.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle
    locking of certain events, allowing a local user to cause a denial
    of service.

CVE-2023-32233

    Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw in
    the Netfilter nf_tables implementation when processing batch
    requests, which may result in local privilege escalation for a user
    with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-34256

    The syzbot tool found a time-of-check-to-time-of-use flaw in the
    ext4 filesystem driver. An attacker able to mount a disk image or
    device that they can also write to directly could exploit this to
    cause an out-of-bounds read, possibly resulting in a leak of
    sensitive information or denial of service (crash).

CVE-2023-35788

    Hangyu Hua discovered an out-of-bounds write vulnerability in the
    Flower classifier which may result in denial of service or the
    execution of arbitrary code.

CVE-2023-35823
Re: CVE-2023-2884[0-2]: impact for debian user
On Thu, 2023-06-22 at 10:37 +, Bastien Roucariès wrote:
> Hi,
>
> I want to discuss about CVE-2023-2884[0-2].
>
> In order to be vulnerable host kernel need to disable the xt_u32 module.
>
> Moreover upstream drop for newer version support of xt_u32 see
> https://github.com/moby/moby/commit/4d04068184cf34af7be43272db1687143327cdf7
> Do we support only xt_bpf in buster ?
>
> I believe it is not a problem for debian system (at least for buster), for
> default kernel.
>
> What is your advice on these bugs ?

I think you are right for -28840 and -28841, but the description of
-28842 at <https://security-tracker.debian.org/tracker/CVE-2023-28842>
does not say having xt_u32 available everywhere is a mitigation.

Ben.

> BTW the upstream fix is:
> https://github.com/moby/moby/commit/878ee341d6fad3c0a28f9bd5471eb56736579010
> and seems incomplete without:
> https://github.com/moby/moby/commit/1e195acee45ac69a2f7d8d4f2c9ea05ff6b0af2c
> And for completeness again a user config:
> https://github.com/moby/moby/commit/9a692a38028f4914a3a914c9a229e61bb3fbaf66
>
> Bastien

-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken
Re: [buster] CVE-2022-46871: libusrsctp maybe backporting a new version ?
On Mon, 2023-06-19 at 11:02 +, roucaries bastien wrote:
> On Sun 18 June 2023 at 19:16, Ola Lundqvist wrote:
> [adding security team]
[...]
> > You mention rebuild all reverse dependencies. Well I do not find any
> > within Debian.
> > This makes it even less important to fix it.
>
> Yes, but for firefox it is embedded (code duplication not nice). May be
> (so copy security team) deemded it and link to the lib. Less work

So we can expect Firefox upstream to update their copy.

> > ola@buster-lts:~/build$ apt-rdepends -r libusrsctp1
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > libusrsctp1
> > Reverse Depends: libusrsctp-dev (= 0.9.3.0+20190127-2)
> > Reverse Depends: libusrsctp-examples (= 0.9.3.0+20190127-2)
> > libusrsctp-dev
> > libusrsctp-examples
> > ola@buster-lts:~/build$ apt-rdepends -r libusrsctp-dev
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > libusrsctp-dev
>
> No it is incomplete:
> grep-dctrl -FBuild-Depends libusrsctp-dev -w -sPackage
> /var/lib/apt/lists/*Sources
> give me:
> - janus on o-o-stable-backport
>
> Do not know what to do with it.

buster-backports is not supported at all, so we don't need to care about
that. I think we can mark this package as unsupported.

Ben.

-- 
Ben Hutchings
Experience is directly proportional to the value of equipment destroyed
 - Carolyn Scheppner
Re: Request for suggestions/opinion about triaging decision for renderdoc
On Sat, 2023-06-17 at 16:14 -0400, Roberto C. Sánchez wrote:
> Hi Ola,
>
> The renderdoc situation certainly seems out of the norm for what we see.
>
> On Fri, Jun 16, 2023 at 11:34:25PM +0200, Ola Lundqvist wrote:
> > Hi
> >
> > I'm triaging the package "renderdoc" and it has three open CVEs. More
> > information about the CVEs are available here with a good description.
> > https://www.openwall.com/lists/oss-security/2023/06/06/3
> >
> > One of them is clearly a minor issue, but two of them describe the
> > possibility to execute arbitrary code for a remote attacker as the
> > user running the software. So that is rather severe. It is only during
> > the time the person in question run this software and since it is a
> > debugger it is likely not that common.
> >
> Based on the description in that post, the exploitation is rather
> complex. However, it appears that there is no way for the user to
> configure the software to stop the bad behavior, so the options for a
> workaround are very limited to non-existent.
[...]

This could be mitigated by a local firewall. It's unfortunate that we
still don't enable that by default in desktop installations.

If we can't fix the code then maybe we could issue a DLA recommending
blocking this port.

Ben.

-- 
Ben Hutchings
Experience is directly proportional to the value of equipment destroyed
 - Carolyn Scheppner
[SECURITY] [DLA 3446-1] linux-5.10 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3446-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
June 05, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.179-1~deb10u1
CVE ID         : CVE-2023-0386 CVE-2023-31436 CVE-2023-32233
Debian Bug     : 1035779

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2023-0386

    It was discovered that under certain conditions the overlayfs
    filesystem implementation did not properly handle copy up
    operations. A local user permitted to mount overlay mounts in user
    namespaces can take advantage of this flaw for local privilege
    escalation.

CVE-2023-31436

    Gwangun Jung reported a flaw causing heap out-of-bounds read/write
    errors in the traffic control subsystem for the Quick Fair Queueing
    scheduler (QFQ) which may result in information leak, denial of
    service or privilege escalation.

CVE-2023-32233

    Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw in
    the Netfilter nf_tables implementation when processing batch
    requests, which may result in local privilege escalation for a user
    with the CAP_NET_ADMIN capability in any user or network namespace.

For Debian 10 buster, these problems have been fixed in version
5.10.179-1~deb10u1.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
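Every DLA above closes with "fixed in version X", and "upgrade your packages" only helps if the installed version really is at or above X under dpkg's ordering, where the `~deb10u1` suffix sorts *below* the same version without it. As an added example (not part of the advisory or of Debian's tooling), the script below reimplements dpkg's version comparison and checks constructed sample versions against the fixed version quoted from DLA-3446-1; the only assumption is the `dpkg-query` call shown in a comment as the usual way to obtain the real installed version.

```python
"""Check an installed Debian package version against the fixed version a
DLA names, using dpkg's own version ordering (added example).

The comparison reimplements the dpkg algorithm: epoch, then upstream
version, then Debian revision; digit runs compare numerically and '~'
sorts before everything, including the end of the string, so
"5.10.179-1~deb10u1" is older than "5.10.179-1".
"""
import re
from typing import Optional, Tuple


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg ranks it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before anything, even end of string (weight 0)
    return ord(c) + 256  # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, remember the first differing digit,
        # and let the longer run (larger number) win.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts (defaults 0 and '')."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def fixed_version_from_advisory(text: str) -> Optional[str]:
    """Pull the version out of a DLA's 'fixed in version X.' sentence."""
    m = re.search(r"fixed in version (\S+?)\.?(?=\s|$)", text)
    return m.group(1) if m else None


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


# Constructed sample: the closing sentence of DLA-3446-1, plus installed
# versions a host might report from (assumed usage, package name varies):
#   dpkg-query -W -f='${Version}' <linux-image package name>
ADVISORY_EXCERPT = (
    "For Debian 10 buster, these problems have been fixed in version "
    "5.10.179-1~deb10u1. We recommend that you upgrade your linux-5.10 packages."
)

if __name__ == "__main__":
    fixed = fixed_version_from_advisory(ADVISORY_EXCERPT)
    for installed in ("5.10.178-3~deb10u1", "5.10.179-1~deb10u1", "5.10.179-1"):
        state = "fixed" if is_fixed(installed, fixed) else "VULNERABLE"
        print(f"{installed:20} vs {fixed}: {state}")
```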
[SECURITY] [DLA 3403-1] linux security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3403-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
May 3, 2023                                   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux
Version        : 4.19.282-1
CVE ID         : CVE-2022-2873 CVE-2022-3424 CVE-2022-3545 CVE-2022-3707
                 CVE-2022-4744 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934
                 CVE-2022-47929 CVE-2023-0045 CVE-2023-0266 CVE-2023-0394
                 CVE-2023-0458 CVE-2023-0459 CVE-2023-0461 CVE-2023-1073
                 CVE-2023-1074 CVE-2023-1078 CVE-2023-1079 CVE-2023-1118
                 CVE-2023-1281 CVE-2023-1513 CVE-2023-1670 CVE-2023-1829
                 CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990
                 CVE-2023-1998 CVE-2023-2162 CVE-2023-2194 CVE-2023-23454
                 CVE-2023-23455 CVE-2023-23559 CVE-2023-26545 CVE-2023-28328
                 CVE-2023-30456 CVE-2023-30772
Debian Bug     : 825141

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2022-2873

    Zheyu Ma discovered that an out-of-bounds memory access flaw in the
    Intel iSMT SMBus 2.0 host controller driver may result in denial of
    service (system crash).

CVE-2022-3424

    Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
    which could lead to a use-after-free. On systems where this driver
    is used, a local user can exploit this for denial of service (crash
    or memory corruption) or possibly for privilege escalation. This
    driver is not enabled in Debian's official kernel configurations.

CVE-2022-3545

    It was discovered that the Netronome Flow Processor (NFP) driver
    contained a use-after-free flaw in area_cache_get(), which may
    result in denial of service or the execution of arbitrary code.

CVE-2022-3707

    Zheng Wang reported a flaw in the i915 graphics driver's
    virtualisation (GVT-g) support that could lead to a double-free.
    On systems where this feature is used, a guest can exploit this for
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-4744

    The syzkaller tool found a flaw in the TUN/TAP network driver,
    which can lead to a double-free. A local user can exploit this for
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-36280

    An out-of-bounds memory write vulnerability was discovered in the
    vmwgfx driver, which may allow a local unprivileged user to cause a
    denial of service (system crash).

CVE-2022-41218

    Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
    subsystem caused by refcount races, which may allow a local user to
    cause a denial of service or escalate privileges.

CVE-2022-45934

    An integer overflow in l2cap_config_req() in the Bluetooth
    subsystem was discovered, which may allow a physically proximate
    attacker to cause a denial of service (system crash).

CVE-2022-47929

    Frederick Lawler reported a NULL pointer dereference in the traffic
    control subsystem allowing an unprivileged user to cause a denial
    of service by setting up a specially crafted traffic control
    configuration.

CVE-2023-0045

    Rodrigo Branco and Rafael Correa De Ysasi reported that when a
    user-space task told the kernel to enable Spectre v2 mitigation for
    it, the mitigation was not enabled until the task was next
    rescheduled. This might be exploitable by a local or remote
    attacker to leak sensitive information from such an application.

CVE-2023-0266

    A use-after-free flaw in the sound subsystem due to missing locking
    may result in denial of service or privilege escalation.

CVE-2023-0394

    Kyle Zeng discovered a NULL pointer dereference flaw in
    rawv6_push_pending_frames() in the network subsystem allowing a
    local user to cause a denial of service (system crash).

CVE-2023-0458

    Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
    related system calls were vulnerable to speculative execution
    attacks such as Spectre v1. A local user could exploit this to leak
    sensitive information from the kernel.

CVE-2023-0459

    Jordy Zimmer and Alexandra Sandulescu found a regression in Spectre
    v1 mitigation in the user-copy functions for the amd64 (64-bit PC)
    architecture. Where the CPUs do not implement SMAP or it is
    disabled, a local user could exploit this to leak sensitive
    information from the kernel. Other architectures may also be
    affected.

CVE-2023-0461

    "slipper" reported a flaw in the kernel's support for ULPs (Upper
    Layer Protocols) on top of TCP that can lead to a d
[SECURITY] [DLA 3404-1] linux-5.10 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3404-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
May 3, 2023                                   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.178-3~deb10u1
CVE ID         : CVE-2022-2196 CVE-2022-3424 CVE-2022-3707 CVE-2022-4129
                 CVE-2022-4379 CVE-2023-0045 CVE-2023-0458 CVE-2023-0459
                 CVE-2023-0461 CVE-2023-1073 CVE-2023-1074 CVE-2023-1076
                 CVE-2023-1077 CVE-2023-1078 CVE-2023-1079 CVE-2023-1118
                 CVE-2023-1281 CVE-2023-1513 CVE-2023-1611 CVE-2023-1670
                 CVE-2023-1829 CVE-2023-1855 CVE-2023-1859 CVE-2023-1872
                 CVE-2023-1989 CVE-2023-1990 CVE-2023-1998 CVE-2023-2162
                 CVE-2023-2194 CVE-2023-22998 CVE-2023-23004 CVE-2023-23559
                 CVE-2023-25012 CVE-2023-26545 CVE-2023-28328 CVE-2023-28466
                 CVE-2023-30456
Debian Bug     : 989705 993612 1022126 1031753

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2022-2196

    A regression was discovered in the KVM implementation for Intel
    CPUs, affecting Spectre v2 mitigation for nested virtualisation.
    When KVM was used as the L0 hypervisor, an L2 guest could exploit
    this to leak sensitive information from its L1 hypervisor.

CVE-2022-3424

    Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
    which could lead to a use-after-free. On systems where this driver
    is used, a local user can exploit this for denial of service (crash
    or memory corruption) or possibly for privilege escalation. This
    driver is not enabled in Debian's official kernel configurations.

CVE-2022-3707

    Zheng Wang reported a flaw in the i915 graphics driver's
    virtualisation (GVT-g) support that could lead to a double-free.
    On systems where this feature is used, a guest can exploit this for
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-4129

    Haowei Yan reported a race condition in the L2TP protocol
    implementation which could lead to a null pointer dereference. A
    local user could exploit this for denial of service (crash).

CVE-2022-4379

    Xingyuan Mo reported a flaw in the NFSv4.2 inter server to server
    copy implementation which could lead to a use-after-free. This
    feature is not enabled in Debian's official kernel configurations.

CVE-2023-0045

    Rodrigo Branco and Rafael Correa De Ysasi reported that when a
    user-space task told the kernel to enable Spectre v2 mitigation for
    it, the mitigation was not enabled until the task was next
    rescheduled. This might be exploitable by a local or remote
    attacker to leak sensitive information from such an application.

CVE-2023-0458

    Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
    related system calls were vulnerable to speculative execution
    attacks such as Spectre v1. A local user could exploit this to leak
    sensitive information from the kernel.

CVE-2023-0459

    Jordy Zimmer and Alexandra Sandulescu found a regression in Spectre
    v1 mitigation in the user-copy functions for the amd64 (64-bit PC)
    architecture. Where the CPUs do not implement SMAP or it is
    disabled, a local user could exploit this to leak sensitive
    information from the kernel. Other architectures may also be
    affected.

CVE-2023-0461

    "slipper" reported a flaw in the kernel's support for ULPs (Upper
    Layer Protocols) on top of TCP that can lead to a double-free when
    using kernel TLS sockets. A local user can exploit this for denial
    of service (crash or memory corruption) or possibly for privilege
    escalation. Kernel TLS is not enabled in Debian's official kernel
    configurations.

CVE-2023-1073

    Pietro Borrello reported a type confusion flaw in the HID (Human
    Interface Device) subsystem. An attacker able to insert and remove
    USB devices might be able to use this to cause a denial of service
    (crash or memory corruption) or possibly to run arbitrary code in
    the kernel.

CVE-2023-1074

    Pietro Borrello reported a type confusion flaw in the SCTP protocol
    implementation which can lead to a memory leak. A local user could
    exploit this to cause a denial of service (resource exhaustion).

CVE-2023-1076

    Pietro Borrello reported a type confusion flaw in the TUN/TAP
    network driver, which results in all TUN/TAP sockets being marked
    as belonging to user ID 0 (root). This may allow local users to
    evade local firewall rules based on user ID.

CVE-2023-1077

    Pietro Borrello reported a type conf
[SECURITY] [DLA 3349-1] linux-5.10 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3349-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
March 02, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.162-1~deb10u1
CVE ID         : CVE-2022-2873 CVE-2022-3545 CVE-2022-3623 CVE-2022-4696
                 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934 CVE-2022-47929
                 CVE-2023-0179 CVE-2023-0240 CVE-2023-0266 CVE-2023-0394
                 CVE-2023-23454 CVE-2023-23455 CVE-2023-23586
Debian Bug     : 825141 1008501 1027430 1027483

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2022-2873

    Zheyu Ma discovered that an out-of-bounds memory access flaw in the
    Intel iSMT SMBus 2.0 host controller driver may result in denial of
    service (system crash).

CVE-2022-3545

    It was discovered that the Netronome Flow Processor (NFP) driver
    contained a use-after-free flaw in area_cache_get(), which may
    result in denial of service or the execution of arbitrary code.

CVE-2022-3623

    A race condition when looking up a CONT-PTE/PMD size hugetlb page
    may result in denial of service or an information leak.

CVE-2022-4696

    A use-after-free vulnerability was discovered in the io_uring
    subsystem.

CVE-2022-36280

    An out-of-bounds memory write vulnerability was discovered in the
    vmwgfx driver, which may allow a local unprivileged user to cause a
    denial of service (system crash).

CVE-2022-41218

    Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
    subsystem caused by refcount races, which may allow a local user to
    cause a denial of service or escalate privileges.

CVE-2022-45934

    An integer overflow in l2cap_config_req() in the Bluetooth
    subsystem was discovered, which may allow a physically proximate
    attacker to cause a denial of service (system crash).

CVE-2022-47929

    Frederick Lawler reported a NULL pointer dereference in the traffic
    control subsystem allowing an unprivileged user to cause a denial
    of service by setting up a specially crafted traffic control
    configuration.

CVE-2023-0179

    Davide Ornaghi discovered incorrect arithmetic when fetching VLAN
    header bits in the netfilter subsystem, allowing a local user to
    leak stack and heap addresses or potentially local privilege
    escalation to root.

CVE-2023-0240

    A flaw was discovered in the io_uring subsystem that could lead to
    a use-after-free. A local user could exploit this to cause a denial
    of service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2023-0266

    A use-after-free flaw in the sound subsystem due to missing locking
    may result in denial of service or privilege escalation.

CVE-2023-0394

    Kyle Zeng discovered a NULL pointer dereference flaw in
    rawv6_push_pending_frames() in the network subsystem allowing a
    local user to cause a denial of service (system crash).

CVE-2023-23454

    Kyle Zeng reported that the Class Based Queueing (CBQ) network
    scheduler was prone to denial of service due to interpreting
    classification results before checking the classification return
    code.

CVE-2023-23455

    Kyle Zeng reported that the ATM Virtual Circuits (ATM) network
    scheduler was prone to a denial of service due to interpreting
    classification results before checking the classification return
    code.

CVE-2023-23586

    A flaw was discovered in the io_uring subsystem that could lead to
    an information leak. A local user could exploit this to obtain
    sensitive information from the kernel or other users.

For Debian 10 buster, these problems have been fixed in version
5.10.162-1~deb10u1. This update also fixes Debian bugs #825141,
#1008501, #1027430, and #1027483, and includes many more bug fixes from
stable updates 5.10.159-5.10.162 inclusive.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3245-1] linux security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3245-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
December 21, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux
Version        : 4.19.269-1
CVE ID         : CVE-2022-2978 CVE-2022-3521 CVE-2022-3524 CVE-2022-3564
                 CVE-2022-3565 CVE-2022-3594 CVE-2022-3621 CVE-2022-3628
                 CVE-2022-3640 CVE-2022-3643 CVE-2022-3646 CVE-2022-3649
                 CVE-2022-4378 CVE-2022-20369 CVE-2022-29901 CVE-2022-40768
                 CVE-2022-41849 CVE-2022-41850 CVE-2022-42328 CVE-2022-42329
                 CVE-2022-42895 CVE-2022-42896 CVE-2022-43750

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2022-2978

    "butt3rflyh4ck", Hao Sun, and Jiacheng Xu reported a flaw in the
    nilfs2 filesystem driver which can lead to a use-after-free. A
    local user might be able to exploit this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2022-3521

    The syzbot tool found a race condition in the KCM subsystem which
    could lead to a crash. This subsystem is not enabled in Debian's
    official kernel configurations.

CVE-2022-3524

    The syzbot tool found a race condition in the IPv6 stack which
    could lead to a memory leak. A local user could exploit this to
    cause a denial of service (memory exhaustion).

CVE-2022-3564

    A flaw was discovered in the Bluetooth L2CAP subsystem which would
    lead to a use-after-free. This might be exploitable to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3565

    A flaw was discovered in the mISDN driver which would lead to a
    use-after-free. This might be exploitable to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2022-3594

    Andrew Gaul reported that the r8152 Ethernet driver would log
    excessive numbers of messages in response to network errors. A
    remote attacker could possibly exploit this to cause a denial of
    service (resource exhaustion).

CVE-2022-3621, CVE-2022-3646

    The syzbot tool found flaws in the nilfs2 filesystem driver which
    can lead to a null pointer dereference or memory leak. A user
    permitted to mount arbitrary filesystem images could use these to
    cause a denial of service (crash or resource exhaustion).

CVE-2022-3628

    Dokyung Song, Jisoo Jang, and Minsuk Kang reported a potential
    heap-based buffer overflow in the brcmfmac Wi-Fi driver. A user
    able to connect a malicious USB device could exploit this to cause
    a denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3640

    A flaw was discovered in the Bluetooth L2CAP subsystem which would
    lead to a use-after-free. This might be exploitable to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3643 (XSA-423)

    A flaw was discovered in the Xen network backend driver that would
    result in it generating malformed packet buffers. If these packets
    were forwarded to certain other network devices, a Xen guest could
    exploit this to cause a denial of service (crash or device reset).

CVE-2022-3649

    The syzbot tool found flaws in the nilfs2 filesystem driver which
    can lead to a use-after-free. A user permitted to mount arbitrary
    filesystem images could use these to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-4378

    Kyle Zeng found a flaw in procfs that would cause a stack-based
    buffer overflow. A local user permitted to write to a sysctl could
    use this to cause a denial of service (crash or memory corruption)
    or possibly for privilege escalation.

CVE-2022-20369

    A flaw was found in the v4l2-mem2mem media driver that would lead
    to an out-of-bounds write. A local user with access to such a
    device could exploit this for privilege escalation.

CVE-2022-29901

    Johannes Wikner and Kaveh Razavi reported that for Intel processors
    (Intel Core generation 6, 7 and 8), protections against speculative
    branch target injection attacks were insufficient in some
    circumstances, which may allow arbitrary speculative code execution
    under certain microarchitecture-dependent conditions.

    More information can be found at
    https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

CVE-2022-40768

    "hdthky" re
[SECURITY] [DLA 3244-1] linux-5.10 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3244-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
December 20, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : linux-5.10
Version        : 5.10.158-2~deb10u1
CVE ID         : CVE-2021-3759 CVE-2022-3169 CVE-2022-3435 CVE-2022-3521
                 CVE-2022-3524 CVE-2022-3564 CVE-2022-3565 CVE-2022-3594
                 CVE-2022-3628 CVE-2022-3640 CVE-2022-3643 CVE-2022-4139
                 CVE-2022-4378 CVE-2022-41849 CVE-2022-41850 CVE-2022-42328
                 CVE-2022-42329 CVE-2022-42895 CVE-2022-42896 CVE-2022-47518
                 CVE-2022-47519 CVE-2022-47520 CVE-2022-47521
Debian Bug     : 1022806 1024697

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2021-3759

    It was discovered that the memory cgroup controller did not account
    for kernel memory allocated for IPC objects. A local user could use
    this for denial of service (memory exhaustion).

CVE-2022-3169

    It was discovered that the NVMe host driver did not prevent a
    concurrent reset and subsystem reset. A local user with access to
    an NVMe device could use this to cause a denial of service (device
    disconnect or crash).

CVE-2022-3435

    Gwangun Jung reported a flaw in the IPv4 forwarding subsystem which
    would lead to an out-of-bounds read. A local user with
    CAP_NET_ADMIN capability in any user namespace could possibly
    exploit this to cause a denial of service (crash).

CVE-2022-3521

    The syzbot tool found a race condition in the KCM subsystem which
    could lead to a crash. This subsystem is not enabled in Debian's
    official kernel configurations.

CVE-2022-3524

    The syzbot tool found a race condition in the IPv6 stack which
    could lead to a memory leak. A local user could exploit this to
    cause a denial of service (memory exhaustion).

CVE-2022-3564

    A flaw was discovered in the Bluetooth L2CAP subsystem which would
    lead to a use-after-free. This might be exploitable to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3565

    A flaw was discovered in the mISDN driver which would lead to a
    use-after-free. This might be exploitable to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2022-3594

    Andrew Gaul reported that the r8152 Ethernet driver would log
    excessive numbers of messages in response to network errors. A
    remote attacker could possibly exploit this to cause a denial of
    service (resource exhaustion).

CVE-2022-3628

    Dokyung Song, Jisoo Jang, and Minsuk Kang reported a potential
    heap-based buffer overflow in the brcmfmac Wi-Fi driver. A user
    able to connect a malicious USB device could exploit this to cause
    a denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3640

    A flaw was discovered in the Bluetooth L2CAP subsystem which would
    lead to a use-after-free. This might be exploitable to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-3643 (XSA-423)

    A flaw was discovered in the Xen network backend driver that would
    result in it generating malformed packet buffers. If these packets
    were forwarded to certain other network devices, a Xen guest could
    exploit this to cause a denial of service (crash or device reset).

CVE-2022-4139

    A flaw was discovered in the i915 graphics driver. On gen12 "Xe"
    GPUs it failed to flush TLBs when necessary, resulting in GPU
    programs retaining access to freed memory. A local user with access
    to the GPU could exploit this to leak sensitive information, cause
    a denial of service (crash or memory corruption) or likely for
    privilege escalation.

CVE-2022-4378

    Kyle Zeng found a flaw in procfs that would cause a stack-based
    buffer overflow. A local user permitted to write to a sysctl could
    use this to cause a denial of service (crash or memory corruption)
    or possibly for privilege escalation.

CVE-2022-41849

    A race condition was discovered in the smscufx graphics driver,
    which could lead to a use-after-free. A user able to remove the
    physical device while also accessing its device node could exploit
    this to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2022-41850

    A race condition was discovered in the hid-roccat input driver,
    which could lead to a use-after-free. A local user able to access
    such a device could exploit thi
[SECURITY] [DLA 3173-1] linux-5.10 security update
Debian LTS Advisory DLA-3173-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
November 1, 2022                              https://wiki.debian.org/LTS

Package        : linux-5.10
Version        : 5.10.149-2~deb10u1
CVE ID         : CVE-2021-4037 CVE-2022-0171 CVE-2022-1184 CVE-2022-1679 CVE-2022-2153 CVE-2022-2602 CVE-2022-2663 CVE-2022-2905 CVE-2022-3028 CVE-2022-3061 CVE-2022-3176 CVE-2022-3303 CVE-2022-3586 CVE-2022-3621 CVE-2022-3625 CVE-2022-3629 CVE-2022-3633 CVE-2022-3635 CVE-2022-3646 CVE-2022-3649 CVE-2022-20421 CVE-2022-20422 CVE-2022-39188 CVE-2022-39190 CVE-2022-39842 CVE-2022-40307 CVE-2022-41222 CVE-2022-41674 CVE-2022-42719 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-43750
Debian Bug     : 1017425 1019248

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-4037

    Christian Brauner reported that the inode_init_owner function for the XFS filesystem in the Linux kernel allows local users to create files with an unintended group ownership, allowing attackers to escalate privileges by making a plain file executable and SGID.

CVE-2022-0171

    Mingwei Zhang reported that a cache incoherence issue in the SEV API in the KVM subsystem may result in denial of service.

CVE-2022-1184

    A flaw was discovered in the ext4 filesystem driver which can lead to a use-after-free. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-1679

    The syzbot tool found a race condition in the ath9k_htc driver which can lead to a use-after-free. This might be exploitable to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-2153

    "kangel" reported a flaw in the KVM implementation for x86 processors which could lead to a null pointer dereference. A local user permitted to access /dev/kvm could exploit this to cause a denial of service (crash).

CVE-2022-2602

    A race between handling an io_uring request and the Unix socket garbage collector was discovered. An attacker can take advantage of this flaw for local privilege escalation.

CVE-2022-2663

    David Leadbeater reported flaws in the nf_conntrack_irc connection-tracking protocol module. When this module is enabled on a firewall, an external user on the same IRC network as an internal user could exploit its lax parsing to open arbitrary TCP ports in the firewall, to reveal their public IP address, or to block their IRC connection at the firewall.

CVE-2022-2905

    Hsin-Wei Hung reported a flaw in the eBPF verifier which can lead to an out-of-bounds read. If unprivileged use of eBPF is enabled, this could leak sensitive information. This was already disabled by default, which would fully mitigate the vulnerability.

CVE-2022-3028

    Abhishek Shah reported a race condition in the AF_KEY subsystem, which could lead to an out-of-bounds write or read. A local user could exploit this to cause a denial of service (crash or memory corruption), to obtain sensitive information, or possibly for privilege escalation.

CVE-2022-3061

    A flaw was discovered in the i740 driver which may result in denial of service. This driver is not enabled in Debian's official kernel configurations.

CVE-2022-3176

    A use-after-free flaw was discovered in the io_uring subsystem which may result in local privilege escalation to root.

CVE-2022-3303

    A race condition in the snd_pcm_oss_sync function in the sound subsystem in the Linux kernel, due to improper locking, may result in denial of service.

CVE-2022-3586 (ZDI-22-1452)

    The Zero Day Initiative reported a flaw in the sch_sfb network scheduler, which may lead to a use-after-free and leak of sensitive information from the kernel.

CVE-2022-3621, CVE-2022-3646

    The syzbot tool found flaws in the nilfs2 filesystem driver which can lead to a null pointer dereference or memory leak. A user permitted to mount arbitrary filesystem images could use these to cause a denial of service (crash or resource exhaustion).

CVE-2022-3625

    A flaw was discovered in the devlink subsystem which can lead to a use-after-free. The security impact of this is unclear.

CVE-2022-3629

    The syzbot tool found a memory leak in the Virtual Socket Protocol implementation. A local user could exploit this to caus
[SECURITY] [DLA 3131-1] linux security update
Debian LTS Advisory DLA-3131-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
October 01, 2022                              https://wiki.debian.org/LTS

Package        : linux
Version        : 4.19.260-1
CVE ID         : CVE-2021-4159 CVE-2021-33655 CVE-2021-33656 CVE-2022-1462 CVE-2022-1679 CVE-2022-2153 CVE-2022-2318 CVE-2022-2586 CVE-2022-2588 CVE-2022-2663 CVE-2022-3028 CVE-2022-26365 CVE-2022-26373 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33744 CVE-2022-36879 CVE-2022-36946 CVE-2022-39188 CVE-2022-39842 CVE-2022-40307
Debian Bug     : 1018752

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

CVE-2021-4159

    A flaw was found in the eBPF verifier which could lead to an out-of-bounds read. If unprivileged use of eBPF is enabled, this could leak sensitive information. This was already disabled by default, which would fully mitigate the vulnerability.

CVE-2021-33655

    A user with access to a framebuffer console device could cause a memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl.

CVE-2021-33656

    A user with access to a framebuffer console device could cause a memory out-of-bounds write via some font setting ioctls. These obsolete ioctls have been removed.

CVE-2022-1462

    一只狗 reported a race condition in the pty (pseudo-terminal) subsystem that can lead to a slab out-of-bounds write. A local user could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-1679

    The syzbot tool found a race condition in the ath9k_htc driver which can lead to a use-after-free. This might be exploitable to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2022-2153

    "kangel" reported a flaw in the KVM implementation for x86 processors which could lead to a null pointer dereference. A local user permitted to access /dev/kvm could exploit this to cause a denial of service (crash).

CVE-2022-2318

    A use-after-free in the Amateur Radio X.25 PLP (Rose) support may result in denial of service.

CVE-2022-2586

    A use-after-free in the Netfilter subsystem may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2022-2588

    Zhenpeng Lin discovered a use-after-free flaw in the cls_route filter implementation which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2022-2663

    David Leadbeater reported flaws in the nf_conntrack_irc connection-tracking protocol module. When this module is enabled on a firewall, an external user on the same IRC network as an internal user could exploit its lax parsing to open arbitrary TCP ports in the firewall, to reveal their public IP address, or to block their IRC connection at the firewall.

CVE-2022-3028

    Abhishek Shah reported a race condition in the AF_KEY subsystem, which could lead to an out-of-bounds write or read. A local user could exploit this to cause a denial of service (crash or memory corruption), to obtain sensitive information, or possibly for privilege escalation.

CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742

    Roger Pau Monne discovered that Xen block and network PV device frontends don't zero out memory regions before sharing them with the backend, which may result in information disclosure. Additionally, it was discovered that the granularity of the grant table doesn't permit sharing less than a 4k page, which may also result in information disclosure.

CVE-2022-26373

    It was discovered that on certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities there are exceptions to the documented properties in some situations, which may result in information disclosure.

    Intel's explanation of the issue can be found at https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html

CVE-2022-33744

    Oleksandr Tyshchenko discovered that ARM Xen guests can cause a denial of service to the Dom0 via paravirtual devices.

CVE-2022-36879

    A flaw was discovered in xfrm_expand_policies in the xfrm subsystem which can cause a reference count to be dropped twice.

CVE-2022-36946

    Domingo Dirutigliano and Nicola Guerrera reporte
Re: Proposal: Rebuilding 4.19 from Upstream LTS kernel
On Wed, 2022-08-31 at 13:10 +0200, Leon Gehling wrote:
> Hello everybody.
>
> It seems like the newest side-channel attacks regarding speculative code
> execution https://www.debian.org/security/2022/dsa-5207 aren't fixed yet
> in the current Buster kernel. There are fixes in the upstream 4.19 LTS
> kernel.
>
> I am no maintainer or anything, can somebody initiate this?

I will update the 4.19 package soon, and will include a fix for the PBRSB (CVE-2022-26373) issue.

However, RETbleed (CVE-2022-29900 and CVE-2022-29901) has not been fixed for 4.19 and probably never will be. If you are hosting untrusted VMs then I strongly encourage you to use Linux 5.10 or later.

Ben.

-- 
Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
[SECURITY] [DLA 3102-1] linux-5.10 new package
Debian LTS Advisory DLA-3102-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
September 11, 2022                            https://wiki.debian.org/LTS

Package        : linux-5.10
Version        : 5.10.136-1~deb10u3
CVE ID         : CVE-2022-2585 CVE-2022-2586 CVE-2022-2588 CVE-2022-26373 CVE-2022-29900 CVE-2022-29901 CVE-2022-36879 CVE-2022-36946

Linux 5.10 has been packaged for Debian 10 as linux-5.10. This provides a supported upgrade path for systems that currently use kernel packages from the "buster-backports" suite.

There is no need to upgrade systems using Linux 4.19, as that kernel version will also continue to be supported in the LTS period.

The "apt full-upgrade" command will *not* automatically install the updated kernel packages. You should explicitly install one of the following metapackages first, as appropriate for your system:

    linux-image-5.10-686
    linux-image-5.10-686-pae
    linux-image-5.10-amd64
    linux-image-5.10-arm64
    linux-image-5.10-armmp
    linux-image-5.10-armmp-lpae
    linux-image-5.10-cloud-amd64
    linux-image-5.10-cloud-arm64
    linux-image-5.10-rt-686-pae
    linux-image-5.10-rt-amd64
    linux-image-5.10-rt-arm64
    linux-image-5.10-rt-armmp

For example, if the command "uname -r" currently shows "5.10.0-0.deb10.16-amd64", you should install linux-image-5.10-amd64.

This backport does not include the following binary packages:

    bpftool
    hyperv-daemons
    libcpupower-dev
    libcpupower1
    linux-compiler-gcc-8-arm
    linux-compiler-gcc-8-x86
    linux-cpupower
    linux-libc-dev
    usbip

Older versions of most of those are built from the linux source package in Debian 10.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-2585

    A use-after-free flaw in the implementation of POSIX CPU timers may result in denial of service or in local privilege escalation.

CVE-2022-2586

    A use-after-free in the Netfilter subsystem may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2022-2588

    Zhenpeng Lin discovered a use-after-free flaw in the cls_route filter implementation which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2022-26373

    It was discovered that on certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities there are exceptions to the documented properties in some situations, which may result in information disclosure.

    Intel's explanation of the issue can be found at https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html

CVE-2022-29900

    Johannes Wikner and Kaveh Razavi reported that for AMD/Hygon processors, mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

    A list of affected AMD CPU types can be found at https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

CVE-2022-29901

    Johannes Wikner and Kaveh Razavi reported that for Intel processors (Intel Core generation 6, 7 and 8), protections against speculative branch target injection attacks were insufficient in some circumstances, which may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

    More information can be found at https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

CVE-2022-36879

    A flaw was discovered in xfrm_expand_policies in the xfrm subsystem which can cause a reference count to be dropped twice.

CVE-2022-36946

    Domingo Dirutigliano and Nicola Guerrera reported a memory corruption flaw in the Netfilter subsystem which may result in denial of service.

For Debian 10 buster, these problems have been fixed in version 5.10.136-1~deb10u3. This update additionally includes many more bug fixes from stable updates 5.10.128-5.10.136 inclusive.

We recommend that you upgrade your linux-5.10 packages.

For the detailed security status of linux-5.10 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-5.10

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
linux-5.10 code signing in buster
Hello FTP team,

As in previous releases maintained by the LTS team, I plan to add a second kernel package to buster-security as an upgrade path for users of the kernel package in buster-backports. As code signing is enabled in buster suites, I think this requires a change to the configuration of the code signing service.

The new source package will be:

    linux-5.10

The new signed template binary packages will be:

- linux-image-5.10-amd64-signed-template
- linux-image-5.10-arm64-signed-template
- linux-image-5.10-i386-signed-template

Please let me know if you need any further information, or when any configuration change has been done.

Thanks,
Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.
[SECURITY] [DLA 3065-1] linux security update
Debian LTS Advisory DLA-3065-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
June 30, 2022                                 https://wiki.debian.org/LTS

Package        : linux
Version        : 4.9.320-2
CVE ID         : CVE-2018-1108 CVE-2021-4149 CVE-2021-39713 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1198 CVE-2022-1199 CVE-2022-1353 CVE-2022-1516 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-23960 CVE-2022-24958 CVE-2022-26490 CVE-2022-26966 CVE-2022-27223 CVE-2022-28356 CVE-2022-28390 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981
Debian Bug     : 922204

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This update is unfortunately not available for the armel architecture.

CVE-2018-1108

    It was discovered that the random driver could generate random bytes through /dev/random and the getrandom() system call before gathering enough entropy for these to be unpredictable. This could compromise the confidentiality and integrity of encrypted communications.

    The original fix for this issue had to be reverted because it caused the boot process to hang on many systems. In this version, the random driver has been updated, making it more effective in gathering entropy without needing a hardware RNG.

CVE-2021-4149

    Hao Sun reported a flaw in the Btrfs filesystem driver. There is a potential lock imbalance in an error path. A local user might be able to exploit this for denial of service.

CVE-2021-39713

    The syzbot tool found a race condition in the network scheduling subsystem which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2022-0494

    The scsi_ioctl() was susceptible to an information leak only exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO capabilities.

CVE-2022-0812

    It was discovered that the RDMA transport for NFS (xprtrdma) miscalculated the size of message headers, which could lead to a leak of sensitive information between NFS servers and clients.

CVE-2022-0854

    Ali Haider discovered a potential information leak in the DMA subsystem. On systems where the swiotlb feature is needed, this might allow a local user to read sensitive information.

CVE-2022-1011

    Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space) implementation. A local user permitted to mount FUSE filesystems could exploit this to cause a use-after-free and read sensitive information.

CVE-2022-1012, CVE-2022-32296

    Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness in randomisation of TCP source port selection.

CVE-2022-1016

    David Bouman discovered a flaw in the netfilter subsystem where the nft_do_chain function did not initialize register data that nf_tables expressions can read from and write to. A local attacker can take advantage of this to read sensitive information.

CVE-2022-1198

    Duoming Zhou discovered a race condition in the 6pack hamradio driver, which could lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2022-1199

    Duoming Zhou discovered race conditions in the AX.25 hamradio protocol, which could lead to a use-after-free or null pointer dereference. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2022-1353

    The TCS Robot tool found an information leak in the PF_KEY subsystem. A local user can receive a netlink message when an IPsec daemon registers with the kernel, and this could include sensitive information.

CVE-2022-1516

    A NULL pointer dereference flaw in the implementation of the X.25 set of standardized network protocols can result in denial of service. This driver is not enabled in Debian's official kernel configurations.

CVE-2022-1729

    Norbert Slusarek discovered a race condition in the perf subsystem which could result in local privilege escalation to root. The default settings in Debian prevent exploitation unless more
[SECURITY] [DLA 2941-1] linux-4.19 security update
Debian LTS Advisory DLA-2941-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
March 09, 2022                                https://wiki.debian.org/LTS

Package        : linux-4.19
Version        : 4.19.232-1~deb9u1
CVE ID         : CVE-2020-29374 CVE-2020-36322 CVE-2021-3640 CVE-2021-3744 CVE-2021-3752 CVE-2021-3760 CVE-2021-3764 CVE-2021-3772 CVE-2021-4002 CVE-2021-4083 CVE-2021-4135 CVE-2021-4155 CVE-2021-4203 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322 CVE-2021-22600 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-28950 CVE-2021-38300 CVE-2021-39685 CVE-2021-39686 CVE-2021-39698 CVE-2021-39713 CVE-2021-41864 CVE-2021-42739 CVE-2021-43389 CVE-2021-43975 CVE-2021-43976 CVE-2021-44733 CVE-2021-45095 CVE-2021-45469 CVE-2021-45480 CVE-2022-0001 CVE-2022-0002 CVE-2022-0322 CVE-2022-0330 CVE-2022-0435 CVE-2022-0487 CVE-2022-0492 CVE-2022-0617 CVE-2022-0644 CVE-2022-22942 CVE-2022-24448 CVE-2022-24959 CVE-2022-25258 CVE-2022-25375
Debian Bug     : 988044 989285 990411 994050

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-29374

    Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.

    This issue was already fixed for most architectures, but not on MIPS and System z. This update corrects that.

CVE-2020-36322, CVE-2021-28950

    The syzbot tool found that the FUSE (filesystem-in-user-space) implementation did not correctly handle a FUSE server returning invalid attributes for a file. A local user permitted to run a FUSE server could use this to cause a denial of service (crash).

    The original fix for this introduced a different potential denial of service (infinite loop in kernel space), which has also been fixed.

CVE-2021-3640

    Lin Ma discovered a race condition in the Bluetooth protocol implementation that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-3744, CVE-2021-3764

    minihanshen reported bugs in the ccp driver for AMD Cryptographic Coprocessors that could lead to a resource leak. On systems using this driver, a local user could exploit this to cause a denial of service.

CVE-2021-3752

    Likang Luo of NSFOCUS Security Team discovered a flaw in the Bluetooth L2CAP implementation that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-3760, CVE-2021-4202

    Lin Ma discovered race conditions in the NCI (NFC Controller Interface) driver, which could lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. This driver is not enabled in Debian's official kernel configurations.

CVE-2021-3772

    A flaw was found in the SCTP protocol implementation, which would allow a networked attacker to break an SCTP association. The attacker would only need to know or guess the IP addresses and ports for the association.

CVE-2021-4002

    It was discovered that hugetlbfs, the virtual filesystem used by applications to allocate huge pages in RAM, did not flush the CPU's TLB in one case where it was necessary. In some circumstances a local user would be able to read and write huge pages after they are freed and reallocated to a different process. This could lead to privilege escalation, denial of service or information leaks.

CVE-2021-4083

    Jann Horn reported a race condition in the local (Unix) sockets garbage collector that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-4135

    A flaw was found in the netdevsim driver which would lead
[SECURITY] [DLA 2940-1] linux security update
Debian LTS Advisory DLA-2940-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
March 09, 2022                                https://wiki.debian.org/LTS

Package        : linux
Version        : 4.9.303-1
CVE ID         : CVE-2021-3640 CVE-2021-3752 CVE-2021-4002 CVE-2021-4083 CVE-2021-4155 CVE-2021-4202 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-29264 CVE-2021-33033 CVE-2021-39685 CVE-2021-39686 CVE-2021-39698 CVE-2021-39714 CVE-2021-43976 CVE-2021-45095 CVE-2022-0001 CVE-2022-0002 CVE-2022-0330 CVE-2022-0435 CVE-2022-0487 CVE-2022-0492 CVE-2022-0617 CVE-2022-24448 CVE-2022-25258 CVE-2022-25375
Debian Bug     : 990411

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-3640

    LinMa of BlockSec Team discovered a race condition in the Bluetooth SCO implementation that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-3752

    Likang Luo of NSFOCUS Security Team discovered a flaw in the Bluetooth L2CAP implementation that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-4002

    It was discovered that hugetlbfs, the virtual filesystem used by applications to allocate huge pages in RAM, did not flush the CPU's TLB in one case where it was necessary. In some circumstances a local user would be able to read and write huge pages after they are freed and reallocated to a different process. This could lead to privilege escalation, denial of service or information leaks.

CVE-2021-4083

    Jann Horn reported a race condition in the local (Unix) sockets garbage collector that can lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-4155

    Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for a size increase of files with unaligned size. A local attacker can take advantage of this flaw to leak data on the XFS filesystem.

CVE-2021-4202

    Lin Ma discovered a race condition in the NCI (NFC Controller Interface) driver, which could lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. This protocol is not enabled in Debian's official kernel configurations.

CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

    Juergen Gross reported that malicious PV backends can cause a denial of service to guests being serviced by those backends via high frequency events, even if those backends are running in a less privileged environment.

CVE-2021-28714, CVE-2021-28715 (XSA-392)

    Juergen Gross discovered that Xen guests can force the Linux netback driver to hog large amounts of kernel memory, resulting in denial of service.

CVE-2021-29264

    It was discovered that the "gianfar" Ethernet driver used with some Freescale SoCs did not correctly handle a Rx queue overrun when jumbo packets were enabled. On systems using this driver and jumbo packets, an attacker on the network could exploit this to cause a denial of service (crash). This driver is not enabled in Debian's official kernel configurations.

CVE-2021-33033

    The syzbot tool found a reference counting bug in the CIPSO implementation that can lead to a use-after-free. This protocol is not enabled in Debian's official kernel configurations.

CVE-2021-39685

    Szymon Heidrich discovered a buffer overflow vulnerability in the USB gadget subsystem, resulting in information disclosure, denial of service or privilege escalation.

CVE-2021-39686

    A race condition was discovered in the Android binder driver that could lead to incorrect security checks. On systems where the binder driver is loaded, a local user could exploit this for privilege escalation. This driver is not enabled in Debian's official kernel configurations.

CVE-2021-39698

    Linus Torvalds reported a flaw in the file polling implementation, which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-
[SECURITY] [DLA 2843-1] linux security update
Debian LTS Advisory DLA-2843-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
December 16, 2021                             https://wiki.debian.org/LTS

Package        : linux
Version        : 4.9.290-1
CVE ID         : CVE-2020-3702 CVE-2020-16119 CVE-2021-0920 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3679 CVE-2021-3732 CVE-2021-3753 CVE-2021-3760 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322 CVE-2021-22543 CVE-2021-37159 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490 CVE-2021-41864 CVE-2021-42008 CVE-2021-42739 CVE-2021-43389

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leaks.

CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.

CVE-2021-0920

    A race condition was discovered in the local sockets (AF_UNIX) subsystem, which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash), or possibly for privilege escalation.

CVE-2021-3612

    Murray McAllister reported a flaw in the joystick input subsystem. A local user permitted to access a joystick device could exploit this to read and write out-of-bounds in the kernel, which could be used for privilege escalation.

CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.

CVE-2021-3655

    Ilja Van Sprundel and Marcelo Ricardo Leitner found multiple flaws in the SCTP implementation, where missing validation could lead to an out-of-bounds read. On a system using SCTP, a networked attacker could exploit these to cause a denial of service (crash).

CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).

CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read in vt.

CVE-2021-3760

    Lin Horse reported a flaw in the NCI (NFC Controller Interface) driver, which could lead to a use-after-free. However, this driver is not included in the binary packages provided by Debian.

CVE-2021-20317

    It was discovered that the timer queue structure could become corrupt, leading to waiting tasks never being woken up. A local user with certain privileges could exploit this to cause a denial of service (system hang).

CVE-2021-20321

    A race condition was discovered in the overlayfs filesystem driver. A local user with access to an overlayfs mount and to its underlying upper directory could exploit this for privilege escalation.

CVE-2021-20322

    An information leak was discovered in the IPv4 implementation. A remote attacker could exploit this to quickly discover which UDP ports a system is using, making it easier for them to carry out a DNS poisoning attack against that system.

CVE-2021-22543

    David Stevens discovered a flaw in how the KVM hypervisor maps host memory into a guest. A local user permitted to access /dev/kvm could use this to cause certain pages to be freed when they should not, leading to a use-after-free. This could be used to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-37159

    A flaw was discovered in the hso driver for Option mobile broadband modems. An error during initialisation could lead to a double-free or use-after-free. An attacker able to plug in USB devices could use this to cause a denial of service (crash or memory corruption) or possibly to run
[SECURITY] [DLA 2785-1] linux-4.19 security update
Debian LTS Advisory DLA-2785-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
October 15, 2021    https://wiki.debian.org/LTS

Package: linux-4.19
Version: 4.19.208-1~deb9u1
CVE ID: CVE-2020-3702 CVE-2020-16119 CVE-2021-3444 CVE-2021-3600 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3679 CVE-2021-3732 CVE-2021-3743 CVE-2021-3753 CVE-2021-22543 CVE-2021-33624 CVE-2021-34556 CVE-2021-35039 CVE-2021-35477 CVE-2021-37159 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38205 CVE-2021-40490

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-3702

    A flaw was found in the driver for the Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.

CVE-2021-3444, CVE-2021-3600

    Two flaws were discovered in the Extended BPF (eBPF) verifier. A local user could exploit these to read and write arbitrary memory in the kernel, which could be used for privilege escalation. This can be mitigated by setting sysctl kernel.unprivileged_bpf_disabled=1, which disables eBPF use by unprivileged users.

CVE-2021-3612

    Murray McAllister reported a flaw in the joystick input subsystem. A local user permitted to access a joystick device could exploit this to read and write out-of-bounds in the kernel, which could be used for privilege escalation.

CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.

CVE-2021-3655

    Ilja Van Sprundel and Marcelo Ricardo Leitner found multiple flaws in the SCTP implementation, where missing validation could lead to an out-of-bounds read. On a system using SCTP, a networked attacker could exploit these to cause a denial of service (crash).

CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM hypervisor implementation for AMD processors in the Linux kernel. Missing validation of the `virt_ext` VMCB field could allow a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2 guest is able to run VMLOAD/VMSAVE unintercepted and thus read/write portions of the host's physical memory.

CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with the CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).

CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC router protocol implementation, which could be used to cause a denial of service or information leak.

CVE-2021-3753

    Minh Yuan reported a race condition in vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out-of-bounds read in vt.

CVE-2021-22543

    David Stevens discovered a flaw in how the KVM hypervisor maps host memory into a guest. A local user permitted to access /dev/kvm could use this to cause certain pages to be freed when they should not, leading to a use-after-free. This could be used to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-33624, CVE-2021-34556, CVE-2021-35477

    Multiple researchers discovered flaws in the Extended BPF (eBPF) verifier's protections against information leaks through speculative execution. A local user could exploit these to read sensitive information. This can be mitigated by setting sysctl kernel.unprivileged_bpf_disabled=1, which disables eBPF use by unprivileged users.

CVE-2021-35039

    A flaw was discovered in module signature enforcement. A custom kernel with IMA enabled might have allowed loading unsigned kernel
[SECURITY] [DLA 2713-2] linux security update
Debian LTS Advisory DLA-2713-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
July 20, 2021    https://wiki.debian.org/LTS

Package: linux
Version: 4.9.272-2
CVE ID: CVE-2021-3609 CVE-2021-21781 CVE-2021-33909 CVE-2021-34693
Debian Bug: 990072

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This updated advisory text fills in information omitted in the original advisory.

CVE-2021-3609

    Norbert Slusarek reported a race condition vulnerability in the CAN BCM networking protocol, allowing a local attacker to escalate privileges.

CVE-2021-21781

    "Lilith >_>" of Cisco Talos discovered that the Arm initialisation code does not fully initialise the "sigpage" that is mapped into user-space processes to support signal handling. This could result in leaking sensitive information, particularly when the system is rebooted.

CVE-2021-33909

    The Qualys Research Labs discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer. An unprivileged local attacker able to create, mount, and then delete a deep directory structure whose total path length exceeds 1GB can take advantage of this flaw for privilege escalation. Details can be found in the Qualys advisory at https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

CVE-2021-34693

    Norbert Slusarek discovered an information leak in the CAN BCM networking protocol. A local attacker can take advantage of this flaw to obtain sensitive information from kernel stack memory.

For Debian 9 stretch, these problems have been fixed in version 4.9.272-2. This additionally fixes a regression in the previous update (#990072) that affected LXC.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2714-1] linux-4.19 security update
Debian LTS Advisory DLA-2714-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
July 20, 2021    https://wiki.debian.org/LTS

Package: linux-4.19
Version: 4.19.194-3~deb9u1
CVE ID: CVE-2020-36311 CVE-2021-3609 CVE-2021-33909 CVE-2021-34693
Debian Bug: 990072

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This update is not yet available for the armhf (ARM EABI hard-float) architecture.

CVE-2020-36311

    A flaw was discovered in the KVM subsystem for AMD CPUs, allowing an attacker to cause a denial of service by triggering destruction of a large SEV VM.

CVE-2021-3609

    Norbert Slusarek reported a race condition vulnerability in the CAN BCM networking protocol, allowing a local attacker to escalate privileges.

CVE-2021-33909

    The Qualys Research Labs discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer. An unprivileged local attacker able to create, mount, and then delete a deep directory structure whose total path length exceeds 1GB can take advantage of this flaw for privilege escalation. Details can be found in the Qualys advisory at https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

CVE-2021-34693

    Norbert Slusarek discovered an information leak in the CAN BCM networking protocol. A local attacker can take advantage of this flaw to obtain sensitive information from kernel stack memory.

For Debian 9 stretch, these problems have been fixed in version 4.19.194-3~deb9u1. This additionally fixes a regression in the previous update (#990072) that affected LXC.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2713-1] linux security update
Debian LTS Advisory DLA-2713-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
July 20, 2021    https://wiki.debian.org/LTS

Package: linux
Version: 4.9.272-2
CVE ID: CVE-2021-3609 CVE-2021-21781 CVE-2021-33909 CVE-2021-34693
Debian Bug: 990072

Brief introduction

CVE-2021-3609

    Norbert Slusarek reported a race condition vulnerability in the CAN BCM networking protocol, allowing a local attacker to escalate privileges.

CVE-2021-21781

    "Lilith >_>" of Cisco Talos discovered that the Arm initialisation code does not fully initialise the "sigpage" that is mapped into user-space processes to support signal handling. This could result in leaking sensitive information, particularly when the system is rebooted.

CVE-2021-33909

    The Qualys Research Labs discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer. An unprivileged local attacker able to create, mount, and then delete a deep directory structure whose total path length exceeds 1GB can take advantage of this flaw for privilege escalation. Details can be found in the Qualys advisory at https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

CVE-2021-34693

    Norbert Slusarek discovered an information leak in the CAN BCM networking protocol. A local attacker can take advantage of this flaw to obtain sensitive information from kernel stack memory.

For Debian 9 stretch, these problems have been fixed in version 4.9.272-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2695-1] klibc security update
Debian LTS Advisory DLA-2695-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
June 28, 2021    https://wiki.debian.org/LTS

Package: klibc
Version: 2.0.4-9+deb9u1
CVE ID: CVE-2021-31870 CVE-2021-31871 CVE-2021-31872 CVE-2021-31873
Debian Bug: 989505

Several vulnerabilities have been discovered in klibc. Depending on how klibc is used, these could lead to the execution of arbitrary code, privilege escalation, or denial of service. Thanks to Microsoft Vulnerability Research for reporting the heap bugs and going some of the way to identifying the cpio bugs.

CVE-2021-31870

    Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.

CVE-2021-31871

    An integer overflow in the cpio command may result in a NULL pointer dereference.

CVE-2021-31872

    Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overflow or other security impact.

CVE-2021-31873

    Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer overflow.

For Debian 9 stretch, these problems have been fixed in version 2.0.4-9+deb9u1.

We recommend that you upgrade your klibc packages.

For the detailed security status of klibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/klibc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2689-1] linux security update
Debian LTS Advisory DLA-2689-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
June 22, 2021    https://wiki.debian.org/LTS

Package: linux
Version: 4.9.272-1
CVE ID: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-26139 CVE-2020-26147 CVE-2020-26558 CVE-2020-29374 CVE-2020-36322 CVE-2021-0129 CVE-2021-3428 CVE-2021-3483 CVE-2021-3564 CVE-2021-3573 CVE-2021-3587 CVE-2021-20292 CVE-2021-23133 CVE-2021-23134 CVE-2021-28660 CVE-2021-28688 CVE-2021-28950 CVE-2021-28964 CVE-2021-28971 CVE-2021-29154 CVE-2021-29265 CVE-2021-29647 CVE-2021-29650 CVE-2021-30002 CVE-2021-31916 CVE-2021-32399 CVE-2021-33034

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks. This update is not yet available for the armel (ARM EABI soft-float) architecture.

CVE-2020-24586, CVE-2020-24587, CVE-2020-26147

    Mathy Vanhoef discovered that many Wi-Fi implementations, including Linux's mac80211, did not correctly implement reassembly of fragmented packets. In some circumstances, an attacker within range of a network could exploit these flaws to forge arbitrary packets and/or to access sensitive data on that network.

CVE-2020-24588

    Mathy Vanhoef discovered that most Wi-Fi implementations, including Linux's mac80211, did not authenticate the "is aggregated" packet header flag. An attacker within range of a network could exploit this to forge arbitrary packets on that network.

CVE-2020-25670, CVE-2020-25671, CVE-2021-23134

    kiyin (尹亮) of TenCent discovered several reference counting bugs in the NFC LLCP implementation which could lead to use-after-free. A local user could exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.

    Nadav Markus and Or Cohen of Palo Alto Networks discovered that the original fixes for these introduced a new bug that could result in use-after-free and double-free. This has also been fixed.

CVE-2020-25672

    kiyin (尹亮) of TenCent discovered a memory leak in the NFC LLCP implementation. A local user could exploit this for denial of service (memory exhaustion).

CVE-2020-26139

    Mathy Vanhoef discovered a bug in some Wi-Fi implementations, including Linux's mac80211: when operating in AP mode, they would forward EAPOL frames from one client to another while the sender was not yet authenticated. An attacker within range of a network could use this for denial of service or as an aid to exploiting other vulnerabilities.

CVE-2020-26558, CVE-2021-0129

    Researchers at ANSSI discovered vulnerabilities in the Bluetooth Passkey authentication method, and in Linux's implementation of it. An attacker within range of two Bluetooth devices while they pair using Passkey authentication could exploit this to obtain the shared secret (Passkey) and then impersonate either of the devices to each other.

CVE-2020-29374

    Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.

CVE-2020-36322, CVE-2021-28950

    The syzbot tool found that the FUSE (filesystem-in-user-space) implementation did not correctly handle a FUSE server returning invalid attributes for a file. A local user permitted to run a FUSE server could use this to cause a denial of service (crash).

    The original fix for this introduced a different potential denial of service (infinite loop in kernel space), which has also been fixed.

CVE-2021-3428

    Wolfgang Frisch reported a potential integer overflow in the ext4 filesystem driver. A user permitted to mount arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2021-3483

    马哲宇 (Zheyu Ma) reported a bug in the "nosy" driver for TI PCILynx FireWire controllers, which could lead to list corruption and a use-after-free. On a system that uses this dri
[SECURITY] [DLA 2690-1] linux-4.19 security update
Debian LTS Advisory DLA-2690-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
June 22, 2021    https://wiki.debian.org/LTS

Package: linux-4.19
Version: 4.19.194-1~deb9u1
CVE ID: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-26139 CVE-2020-26147 CVE-2020-26558 CVE-2020-29374 CVE-2021-0129 CVE-2021-3483 CVE-2021-3506 CVE-2021-3564 CVE-2021-3573 CVE-2021-3587 CVE-2021-23133 CVE-2021-23134 CVE-2021-28688 CVE-2021-28964 CVE-2021-28971 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264 CVE-2021-29647 CVE-2021-29650 CVE-2021-31829 CVE-2021-31916 CVE-2021-32399 CVE-2021-33034
Debian Bug: 986949 988352 989451

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks.

CVE-2020-24586, CVE-2020-24587, CVE-2020-26147

    Mathy Vanhoef discovered that many Wi-Fi implementations, including Linux's mac80211, did not correctly implement reassembly of fragmented packets. In some circumstances, an attacker within range of a network could exploit these flaws to forge arbitrary packets and/or to access sensitive data on that network.

CVE-2020-24588

    Mathy Vanhoef discovered that most Wi-Fi implementations, including Linux's mac80211, did not authenticate the "is aggregated" packet header flag. An attacker within range of a network could exploit this to forge arbitrary packets on that network.

CVE-2020-25670, CVE-2020-25671, CVE-2021-23134

    kiyin (尹亮) of TenCent discovered several reference counting bugs in the NFC LLCP implementation which could lead to use-after-free. A local user could exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.

    Nadav Markus and Or Cohen of Palo Alto Networks discovered that the original fixes for these introduced a new bug that could result in use-after-free and double-free. This has also been fixed.

CVE-2020-25672

    kiyin (尹亮) of TenCent discovered a memory leak in the NFC LLCP implementation. A local user could exploit this for denial of service (memory exhaustion).

CVE-2020-26139

    Mathy Vanhoef discovered a bug in some Wi-Fi implementations, including Linux's mac80211: when operating in AP mode, they would forward EAPOL frames from one client to another while the sender was not yet authenticated. An attacker within range of a network could use this for denial of service or as an aid to exploiting other vulnerabilities.

CVE-2020-26558, CVE-2021-0129

    Researchers at ANSSI discovered vulnerabilities in the Bluetooth Passkey authentication method, and in Linux's implementation of it. An attacker within range of two Bluetooth devices while they pair using Passkey authentication could exploit this to obtain the shared secret (Passkey) and then impersonate either of the devices to each other.

CVE-2020-29374

    Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.

CVE-2021-3483

    马哲宇 (Zheyu Ma) reported a bug in the "nosy" driver for TI PCILynx FireWire controllers, which could lead to list corruption and a use-after-free. On a system that uses this driver, local users granted access to /dev/nosy could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3506

    The ADLab of venustech discovered a bug in the F2FS driver which could lead to an out-of-bounds read when accessing a crafted filesystem. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash) or other security impact.

CVE-2021-3564, CVE-2021-3573, CVE-2021-32399

    The BlockSec team discovered several race conditions in the Bluetooth subsystem that could lead to a use-after-free or double-free. A local user could exploit these to cause a denial of service (crash or memory corruption) or po
[SECURITY] [DLA 2610-1] linux-4.19 security update
Debian LTS Advisory DLA-2610-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
March 30, 2021    https://wiki.debian.org/LTS

Package: linux-4.19
Version: 4.19.181-1~deb9u1
CVE ID: CVE-2020-27170 CVE-2020-27171 CVE-2021-3348 CVE-2021-3428 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660
Debian Bug: 983595

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks.

CVE-2020-27170, CVE-2020-27171

    Piotr Krysiuk discovered flaws in the BPF subsystem's checks for information leaks through speculative execution. A local user could use these to obtain sensitive information from kernel memory.

CVE-2021-3348

    ADlab of venustech discovered a race condition in the nbd block driver that can lead to a use-after-free. A local user with access to an nbd block device could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3428

    Wolfgang Frisch reported a potential integer overflow in the ext4 filesystem driver. A user permitted to mount arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2021-26930 (XSA-365)

    Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan H. Schönherr discovered that the Xen block backend driver (xen-blkback) did not handle grant mapping errors correctly. A malicious guest could exploit this bug to cause a denial of service (crash), or possibly an information leak or privilege escalation, within the domain running the backend, which is typically dom0.

CVE-2021-26931 (XSA-362), CVE-2021-26932 (XSA-361), CVE-2021-28038 (XSA-367)

    Jan Beulich discovered that the Xen support code and various Xen backend drivers did not handle grant mapping errors correctly. A malicious guest could exploit these bugs to cause a denial of service (crash) within the domain running the backend, which is typically dom0.

CVE-2021-27363

    Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to transport handle attributes in sysfs. On a system acting as an iSCSI initiator, this is an information leak to local users and makes it easier to exploit CVE-2021-27364.

CVE-2021-27364

    Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to its netlink management interface. On a system acting as an iSCSI initiator, a local user could use this to cause a denial of service (disconnection of storage) or possibly for privilege escalation.

CVE-2021-27365

    Adam Nichols reported that the iSCSI initiator subsystem did not correctly limit the lengths of parameters or "passthrough PDUs" sent through its netlink management interface. On a system acting as an iSCSI initiator, a local user could use this to leak the contents of kernel memory, to cause a denial of service (kernel memory corruption or crash), and probably for privilege escalation.

CVE-2021-28660

    It was discovered that the rtl8188eu WiFi driver did not correctly limit the length of SSIDs copied into scan results. An attacker within WiFi range could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system.

For Debian 9 stretch, these problems have been fixed in version 4.19.181-1~deb9u1. This update additionally fixes Debian bug #983595, and includes many more bug fixes from stable updates 4.19.172-4.19.181 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought. I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949
[SECURITY] [DLA 2586-1] linux security update
Debian LTS Advisory DLA-2586-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
March 08, 2021    https://wiki.debian.org/LTS

Package: linux
Version: 4.9.258-1
CVE ID: CVE-2019-19318 CVE-2019-19813 CVE-2019-19816 CVE-2020-27815 CVE-2020-27825 CVE-2020-28374 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661 CVE-2020-36158 CVE-2021-3178 CVE-2021-3347 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-19318, CVE-2019-19813, CVE-2019-19816

    "Team bobfuzzer" reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-27815

    A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

    Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-28374

    David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

    Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

    Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

    Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

    Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

    A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3178

    吴异 reported an information leak in the NFSv3 server. When only a subdirectory of a filesystem volume is exported, an NFS client listing the exported directory would obtain a file handle to the parent directory, allowing it to access files that were not meant to be exported.

    Even after this update, it is still possible for NFSv3 clients to guess valid file handles and access files outside an exported subdirectory, unless the "subtree_check" export option is enabled. It is recommended that you do not use that option but only export whole filesystem volumes.

CVE-2021-3347

    It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-26930 (XSA-365)

    Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan H. Schönherr discovered that the Xen block backend driver (xen-blkback) did not handle grant mapping errors correctly. A malicious guest could exploit this bug to cause a denial of service (crash), or possibly an information leak or privilege escalation, within the domain running the backend, which is typically dom0.

CVE-2021-26931 (XSA-362), CVE-2021-26932 (XSA-361), CVE-2021-28038 (XSA-367)

    Jan Beulich discovered that the Xen support code and various Xen backend drivers did not handle grant mapping errors correctly. A malicious guest could exploit these bugs to cause a denial of service (crash) within the domain running the backend, which is typically dom0.

CVE-2021-27363

    Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to transport handle attributes in sysfs. On a system acting a
[SECURITY] [DLA 2557-1] linux-4.19 security update
Debian LTS Advisory DLA-2557-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Ben Hutchings
February 12, 2021    https://wiki.debian.org/LTS

Package: linux-4.19
Version: 4.19.171-2~deb9u1
CVE ID: CVE-2020-27815 CVE-2020-27825 CVE-2020-27830 CVE-2020-28374 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661 CVE-2020-36158 CVE-2021-3347 CVE-2021-20177
Debian Bug: 970736 972345 977048 977615

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-27815

    A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

    Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-27830

    Shisong Qin reported a NULL pointer dereference flaw in the Speakup screen reader core driver.

CVE-2020-28374

    David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

    Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

    Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

    Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

    Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

    A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3347

    It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-20177

    A flaw was discovered in the Linux implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) can take advantage of this flaw to cause a kernel panic when inserting iptables rules.

For Debian 9 stretch, these problems have been fixed in version 4.19.171-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
[SECURITY] [DLA 2494-1] linux security update
- Debian LTS Advisory DLA-2494-1debian-...@lists.debian.org https://www.debian.org/lts/security/Ben Hutchings December 18, 2020 https://wiki.debian.org/LTS - Package: linux Version: 4.9.246-2 CVE ID : CVE-2020-0427 CVE-2020-8694 CVE-2020-14351 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-28974 Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks. CVE-2020-0427 Elena Petrova reported a bug in the pinctrl subsystem that can lead to a use-after-free after a device is renamed. The security impact of this is unclear. CVE-2020-8694 Multiple researchers discovered that the powercap subsystem allowed all users to read CPU energy meters, by default. On systems using Intel CPUs, this provided a side channel that could leak sensitive information between user processes, or from the kernel to user processes. The energy meters are now readable only by root, by default. This issue can be mitigated by running: chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj This needs to be repeated each time the system is booted with an unfixed kernel version. CVE-2020-14351 A race condition was discovered in the performance events subsystem, which could lead to a use-after-free. A local user permitted to access performance events could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. Debian's kernel configuration does not allow unprivileged users to access peformance events by default, which fully mitigates this issue. CVE-2020-25645 A flaw was discovered in the interface driver for GENEVE encapsulated traffic when combined with IPsec. If IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, tunneled data isn't correctly routed over the encrypted link and sent unencrypted instead. 
CVE-2020-25656 Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with the CAP_SYS_TTY_CONFIG capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25668 Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25669 Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd) that could lead to a use-after-free. On a system using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25704 kiyin(尹亮) discovered a potential memory leak in the performance events subsystem. A local user permitted to access performance events could use this to cause a denial of service (memory exhaustion). Debian's kernel configuration does not allow unprivileged users to access performance events by default, which fully mitigates this issue. CVE-2020-25705 Keyu Man reported that strict rate-limiting of ICMP packet transmission provided a side-channel that could help networked attackers to carry out packet spoofing. In particular, this made it practical for off-path networked attackers to "poison" DNS caches with spoofed responses ("SAD DNS" attack). This issue has been mitigated by randomising whether packets are counted against the rate limit. CVE-2020-27673 / XSA-332 Julien Grall from Arm discovered a bug in the Xen event handling code. Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (excessive CPU usage or hang) in dom0.
CVE-2020-27675 / XSA-331 Jinoh Kang of Theori discovered a race condition in the Xen event handling code. Where Linux was used in a Xen dom0, unprivileged (domU) guests could cause a denial of service (crash) in dom0. CVE-2020-28974 Yuan Ming discovered a bug in the virtual terminal (vt) driver that could lead to an out-of-bounds read. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could possibly use this to obtain sensitive informa
[SECURITY] [DLA 2483-1] linux-4.19 security update
- Debian LTS Advisory DLA-2483-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings December 05, 2020 https://wiki.debian.org/LTS - Package: linux-4.19 Version: 4.19.160-2~deb9u1 CVE ID : CVE-2019-19039 CVE-2019-19377 CVE-2019-19770 CVE-2019-19816 CVE-2020-0423 CVE-2020-8694 CVE-2020-14351 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-28941 CVE-2020-28974 Debian Bug : 949863 968623 971058 Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks. CVE-2019-19039 "Team bobfuzzer" reported a bug in Btrfs that could lead to an assertion failure (WARN). A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash) if the panic_on_warn kernel parameter is set. CVE-2019-19377 "Team bobfuzzer" reported a bug in Btrfs that could lead to a use-after-free. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2019-19770 The syzbot tool discovered a race condition in the block I/O tracer (blktrace) that could lead to a system crash. Since blktrace can only be controlled by privileged users, the security impact of this is unclear. CVE-2019-19816 "Team bobfuzzer" reported a bug in Btrfs that could lead to an out-of-bounds write. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-0423 A race condition was discovered in the Android binder driver, that could result in a use-after-free. On systems using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.
CVE-2020-8694 Multiple researchers discovered that the powercap subsystem allowed all users to read CPU energy meters, by default. On systems using Intel CPUs, this provided a side channel that could leak sensitive information between user processes, or from the kernel to user processes. The energy meters are now readable only by root, by default. This issue can be mitigated by running: chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj This needs to be repeated each time the system is booted with an unfixed kernel version. CVE-2020-14351 A race condition was discovered in the performance events subsystem, which could lead to a use-after-free. A local user permitted to access performance events could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. Debian's kernel configuration does not allow unprivileged users to access performance events by default, which fully mitigates this issue. CVE-2020-25656 Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with the CAP_SYS_TTY_CONFIG capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25668 Yuan Ming and Bodong Zhao discovered a race condition in the virtual terminal (vt) driver that could lead to a use-after-free. A local user with access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25669 Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd) that could lead to a use-after-free. On a system using this driver, a local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-25704 kiyin(尹亮) discovered a potential memory leak in the performance events subsystem.
A local user permitted to access performance events could use this to cause a denial of service (memory exhaustion). Debian's kernel configuration does not allow unprivileged users to access performance events by default, which fully mitigates this issue. CVE-2020-25705 Keyu Man reported that strict rate-limiting of ICMP packet transmission provided a side-channel that could help networked attackers to carry out packet spoofing. In particular, this
[SECURITY] [DLA 2420-2] linux regression update
- Debian LTS Advisory DLA-2420-2 debian-...@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings October 31, 2020 https://wiki.debian.org/LTS - Package: linux Version: 4.9.240-2 CVE ID : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-26088 This update corrects a regression in some Xen virtual machine environments. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks. CVE-2019-9445 A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information. CVE-2019-19073, CVE-2019-19074 Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear. CVE-2019-19448 "Team bobfuzzer" reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-12351 Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.
CVE-2020-12352 Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can retrieve kernel stack information. CVE-2020-12655 Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service. CVE-2020-12771 Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear. CVE-2020-12888 It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash). CVE-2020-14305 Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_conntrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege. CVE-2020-14314 A bug was discovered in the ext4 filesystem that could lead to an out-of-bounds read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash). CVE-2020-14331 A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.
CVE-2020-14356, CVE-2020-25220 A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. The original fix for this bug introduced a new security issue, which is also addressed in this update. CVE-2020-14386 Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation w
[SECURITY] [DLA 2420-1] linux security update
- Debian LTS Advisory DLA-2420-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings October 29, 2020 https://wiki.debian.org/LTS - Package: linux Version: 4.9.240-1 CVE ID : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-26088 Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks. CVE-2019-9445 A potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information. CVE-2019-19073, CVE-2019-19074 Navid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear. CVE-2019-19448 "Team bobfuzzer" reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-12351 Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges. CVE-2020-12352 Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets.
A remote attacker within a short distance, knowing the victim's Bluetooth device address, can retrieve kernel stack information. CVE-2020-12655 Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service. CVE-2020-12771 Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear. CVE-2020-12888 It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash). CVE-2020-14305 Vasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_conntrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege. CVE-2020-14314 A bug was discovered in the ext4 filesystem that could lead to an out-of-bounds read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash). CVE-2020-14331 A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-14356, CVE-2020-25220 A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free.
A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. The original fix for this bug introduced a new security issue, which is also addressed in this update. CVE-2020-14386 Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace)
[SECURITY] [DLA 2417-1] linux-4.19 security update
- Debian LTS Advisory DLA-2417-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings October 27, 2020 https://wiki.debian.org/LTS - Package: linux-4.19 Version: 4.19.152-1~deb9u1 CVE ID : CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643 CVE-2020-25645 Debian Bug : 908712 Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks. CVE-2020-12351 Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges. CVE-2020-12352 Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets. A remote attacker within a short distance, knowing the victim's Bluetooth device address, can retrieve kernel stack information. CVE-2020-25211 A flaw was discovered in the netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service. CVE-2020-25643 ChenNan of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure. CVE-2020-25645 A flaw was discovered in the interface driver for GENEVE encapsulated traffic when combined with IPsec. If IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, tunneled data isn't correctly routed over the encrypted link and sent unencrypted instead. For Debian 9 stretch, these problems have been fixed in version 4.19.152-1~deb9u1. We recommend that you upgrade your linux-4.19 packages.
For the detailed security status of linux-4.19 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-4.19 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2385-1] linux-4.19 security update
- Debian LTS Advisory DLA-2385-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Ben Hutchings September 28, 2020 https://wiki.debian.org/LTS - Package: linux-4.19 Version: 4.19.146-1~deb9u1 CVE ID : CVE-2019-3874 CVE-2019-19448 CVE-2019-19813 CVE-2019-19816 CVE-2020-10781 CVE-2020-12888 CVE-2020-14314 CVE-2020-14331 CVE-2020-14356 CVE-2020-14385 CVE-2020-14386 CVE-2020-14390 CVE-2020-16166 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-26088 Debian Bug : 966846 966917 968567 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak. CVE-2019-3874 Kernel buffers allocated by the SCTP network protocol were not limited by the memory cgroup controller. A local user could potentially use this to evade container memory limits and to cause a denial of service (excessive memory use). CVE-2019-19448, CVE-2019-19813, CVE-2019-19816 "Team bobfuzzer" reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-10781 Luca Bruno of Red Hat discovered that the zram control file /sys/class/zram-control/hot_add was readable by all users. On a system with zram enabled, a local user could use this to cause a denial of service (memory exhaustion). CVE-2020-12888 It was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash). CVE-2020-14314 A bug was discovered in the ext4 filesystem that could lead to an out-of-bounds read.
A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash). CVE-2020-14331 A bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-14356 A bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-14385 A bug was discovered in XFS, which could lead to an extended attribute (xattr) wrongly being detected as invalid. A local user with access to an XFS filesystem could use this to cause a denial of service (filesystem shutdown). CVE-2020-14386 Or Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-14390 Minh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. The scrollback feature has been disabled for now, as no other fix was available for this issue. CVE-2020-16166 Amit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. 
This made it easier for remote attackers to carry out some network-based attacks such as DNS cache poisoning or device tracking. CVE-2020-25212 A bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client. CVE-2020-25284 It was discovered that the R
[SECURITY] [DLA 2324-1] linux-latest-4.19 new package
- Debian LTS Advisory DLA-2324-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 12, 2020 https://wiki.debian.org/LTS - Package: linux-latest-4.19 Version: 105+deb10u5~deb9u1 Linux 4.19 has been packaged for Debian 9 as linux-4.19. This provides a supported upgrade path for systems that currently use kernel packages from the "stretch-backports" suite. However, "apt full-upgrade" will *not* automatically install the updated kernel packages. You should explicitly install one of the following metapackages first, as appropriate for your system: linux-image-4.19-686 linux-image-4.19-686-pae linux-image-4.19-amd64 linux-image-4.19-arm64 linux-image-4.19-armmp linux-image-4.19-armmp-lpae linux-image-4.19-cloud-amd64 linux-image-4.19-marvell linux-image-4.19-rpi linux-image-4.19-rt-686-pae linux-image-4.19-rt-amd64 linux-image-4.19-rt-arm64 linux-image-4.19-rt-armmp For example, if the command "uname -r" currently shows "4.19.0-0.bpo.9-amd64", you should install linux-image-4.19-amd64. There is no need to upgrade systems using Linux 4.9, as that kernel version will also continue to be supported in the LTS period. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2323-1] linux-4.19 new package
- Debian LTS Advisory DLA-2323-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 12, 2020 https://wiki.debian.org/LTS - Package: linux-4.19 Version: 4.19.132-1~deb9u1 CVE ID : CVE-2019-18814 CVE-2019-18885 CVE-2019-20810 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-12655 CVE-2020-12771 CVE-2020-13974 CVE-2020-15393 Debian Bug : 958300 960493 962254 963493 964153 964480 965365 Linux 4.19 has been packaged for Debian 9 as linux-4.19. This provides a supported upgrade path for systems that currently use kernel packages from the "stretch-backports" suite. There is no need to upgrade systems using Linux 4.9, as that kernel version will also continue to be supported in the LTS period. This backport does not include the following binary packages: hyperv-daemons libbpf-dev libbpf4.19 libcpupower-dev libcpupower1 liblockdep-dev liblockdep4.19 linux-compiler-gcc-6-arm linux-compiler-gcc-6-x86 linux-cpupower linux-libc-dev lockdep usbip Older versions of most of those are built from the linux source package in Debian 9. The kernel images and modules will not be signed for use on systems with Secure Boot enabled, as there is no support for this in Debian 9. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or information leak. CVE-2019-18814 Navid Emamdoost reported a potential use-after-free in the AppArmor security module, in the case that audit rule initialisation fails. The security impact of this is unclear. CVE-2019-18885 The 'bobfuzzer' team discovered that crafted Btrfs volumes could trigger a crash (oops). An attacker able to mount such a volume could use this to cause a denial of service. CVE-2019-20810 A potential memory leak was discovered in the go7007 media driver. The security impact of this is unclear. CVE-2020-10766 Anthony Steinhauser reported a flaw in the mitigation for Speculative Store Bypass (CVE-2018-3639) on x86 CPUs.
A local user could use this to temporarily disable SSB mitigation in other users' tasks. If those other tasks run sandboxed code, this would allow that code to read sensitive information in the same process but outside the sandbox. CVE-2020-10767 Anthony Steinhauser reported a flaw in the mitigation for Spectre variant 2 (CVE-2017-5715) on x86 CPUs. Depending on which other mitigations the CPU supports, the kernel might not use IBPB to mitigate Spectre variant 2 in user-space. A local user could use this to read sensitive information from other users' processes. CVE-2020-10768 Anthony Steinhauser reported a flaw in the mitigation for Spectre variant 2 (CVE-2017-5715) on x86 CPUs. After a task force-disabled indirect branch speculation through prctl(), it could still re-enable it later, so it was not possible to override a program that explicitly enabled it. CVE-2020-12655 Zheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service. CVE-2020-12771 Zhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear. CVE-2020-13974 Kyungtae Kim reported a potential integer overflow in the vt (virtual terminal) driver. The security impact of this is unclear. CVE-2020-15393 Kyungtae Kim reported a memory leak in the usbtest driver. The security impact of this is unclear. For Debian 9 "Stretch", these problems have been fixed in version 4.19.132-1~deb9u1. This update additionally fixes Debian bugs #958300, #960493, #962254, #963493, #964153, #964480, and #965365; and includes many more bug fixes from stable updates 4.19.119-4.19.132 inclusive. We recommend that you upgrade your linux-4.19 packages.
For the detailed security status of linux-4.19 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux-4.19 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2321-1] firmware-nonfree new upstream version
- Debian LTS Advisory DLA-2321-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ August 11, 2020 https://wiki.debian.org/LTS - Package: firmware-nonfree Version: 20190114-2~deb9u1 The firmware-nonfree package has been updated to include additional firmware that may be requested by some drivers in Linux 4.19. Along with additional kernel packages that will be announced later, this will provide a supported upgrade path for systems that currently use kernel and firmware packages from the "stretch-backports" suite. This update is not known to fix any security issues. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
NEW kernel and firmware packages for stretch
Since the stretch-backports suite is now closed, and some LTS users want to use the newer kernel version available there, I have uploaded an updated kernel backport package to the stretch-security suite as linux-4.19. Alongside this are linux-latest-4.19, building meta-packages to allow automatic upgrades of the backport packages over ABI bumps, and an updated firmware-nonfree that provides the additional files that may be requested by drivers in the new kernel version. All of these are now in the security NEW queue. Please have a look at them when you have the chance. They *don't* include any urgent security updates, though I expect that such an update will be needed before long. Ben. -- Ben Hutchings Theory and practice are closer in theory than in practice - John Levine
[SECURITY] [DLA 2241-2] linux security update
n arbitrary signal for a child process to send when it exits, but if the parent has executed a new program then the default SIGCHLD signal is sent. A local user permitted to run a program for several days could bypass this check, execute a setuid program, and then send an arbitrary signal to it. Depending on the setuid programs installed, this could have some security impact. CVE-2020-13143 Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation. For Debian 8 "Jessie", these problems have been fixed in version 3.16.84-1. We recommend that you upgrade your linux packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 2242-1] linux-4.9 security update
-2020-10711 Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving a CIPSO packet with a null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled. CVE-2020-10732 An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes. CVE-2020-10751 Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions. CVE-2020-10757 Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges. CVE-2020-10942 It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation. CVE-2020-11494 It was discovered that the slcan (serial line CAN) network driver did not fully initialise CAN headers for received packets, resulting in an information leak from the kernel to user-space or over the CAN network. CVE-2020-11565 Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an "mpol" mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2020-11608, CVE-2020-11609, CVE-2020-11668 It was discovered that the ov519, stv06xx, and xirlink_cit media drivers did not properly validate USB device descriptors.
A physically present user with a specially constructed USB device could use this to cause a denial-of-service (crash) or possibly for privilege escalation. CVE-2020-12114 Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash). CVE-2020-12464 Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation. CVE-2020-12652 Tom Hatskevich reported a bug in the mptfusion storage drivers. An ioctl handler fetched a parameter from user memory twice, creating a race condition which could result in incorrect locking of internal data structures. A local user permitted to access /dev/mptctl could use this to cause a denial of service (crash or memory corruption) or for privilege escalation. CVE-2020-12653 It was discovered that the mwifiex WiFi driver did not sufficiently validate scan requests, resulting a potential heap buffer overflow. A local user with CAP_NET_ADMIN capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2020-12654 It was discovered that the mwifiex WiFi driver did not sufficiently validate WMM parameters received from an access point (AP), resulting a potential heap buffer overflow. A malicious AP could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system. CVE-2020-12770 It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion). 
CVE-2020-13143 Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation. For Debian 8 "Jessie", these problems have been fixed in version 4.9.210-1+deb9u1~deb8u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the macvlan driver introduced in the previous security update (bug #952660). We recommend that you upgrade your linux-4.9 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams signa
[SECURITY] [DLA 2241-1] linux security update
ew program then the default SIGCHLD signal is sent. A local user permitted to run a program for several days could bypass this check, execute a setuid program, and then send an arbitrary signal to it. Depending on the setuid programs installed, this could have some security impact.

CVE-2020-13143

Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version 3.16.84-1.

We recommend that you upgrade your linux packages.

Binary packages for the EABI ARM (armel) architecture are not yet available, and a separate announcement will be made when they are.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
RFT: Linux 3.16.84 package, updated
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.84-1~git20200528.6eef58f, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.81-1). I intend to upload linux early next week.

Ben.

-- Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
RFT: Linux 3.16.84 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.84-1~git20200523.f305d9f, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.81-1). I intend to upload linux within the next week.

Ben.

-- Ben Hutchings
You can't have everything. Where would you put it?
RFT: Linux 3.16.83 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.83-1~git20200428.cbbd998, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.81-1).

Ben.

-- Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
Re: Jessie update of ceph?
On Wed, 2020-04-08 at 10:48 +0100, Chris Lamb wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of ceph:
> https://security-tracker.debian.org/tracker/source-package/ceph
>
> Would you like to take care of this yourself?
[...]

Note that the fix for CVE-2018-1128 requires an incompatible change to the authentication protocol, which means both clients and servers would need to be updated (if authentication is actually used).

I backported the required changes in the Linux kernel's ceph client as far as 4.9, but introduced a bug in the process (since fixed). At that point I decided not to backport them any further, but can have a go if someone sets up an updated server to test against.

Ben.

-- Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at once.
Re: Wheezy LTS not present in archive.debian.org
On Tue, 2020-03-17 at 10:00 +0100, Emilio Pozuelo Monfort wrote:
> On 17/03/2020 03:58, Ben Hutchings wrote:
> > On Fri, 2020-03-13 at 16:29 +0100, Piviul wrote:
> > > Sylvain Beucler wrote on 06/03/20 at 13:14:
[...]
> > > > Anybody knows if there's an archived copy of Wheezy LTS/pre-ELTS?
[...]
> Actually it was properly archived, but under /debian-security/, e.g.:
>
> http://archive.debian.org/debian-security/dists/wheezy/updates/

Oh good, so there's the answer.

Ben.

-- Ben Hutchings
For every complex problem there is a solution that is simple, neat, and wrong.
Re: Wheezy LTS not present in archive.debian.org
On Fri, 2020-03-13 at 16:29 +0100, Piviul wrote:
> Sylvain Beucler wrote on 06/03/20 at 13:14:
> > [...]
> > Good question :)
> >
> > Snapshot saved the deb7u16 update as part of wheezy-security in 2018:
> > https://snapshot.debian.org/package/samba/2%3A3.6.6-6%2Bdeb7u16/
> >
> > There's a modified copy of Wheezy LTS as part of the ELTS project
> > (deb7u19, 2019):
> > https://deb.freexian.com/extended-lts/
> > https://deb.freexian.com/extended-lts/pool/main/s/samba/
> >
> > I also see there's a copy of Squeeze LTS in the Debian archive:
> > http://archive.debian.org/debian/dists/squeeze-lts/
> > and a copy of Wheezy pre-LTS (2016):
> > http://archive.debian.org/debian/dists/wheezy/
> > but there's no copy of Wheezy LTS.
> >
> > Anybody knows if there's an archived copy of Wheezy LTS/pre-ELTS?
> I have to guess that nobody has to spend time to know why LTS/pre-ELTS
> packages are not gone in debian wheezy archive?
>
> ...I can understand. Anyway "normally" when a distribution is archived
> all LTS security updates should end up in archived repos?

During the full support period, all security updates are rolled up into point releases of the corresponding suite in the main archive, and that suite is copied to archive.debian.org later.

During the extended support period covered by the LTS team, there are no more point releases and so security updates are not copied to the main archive, or from there to archive.debian.org. (But squeeze-lts was on the main archive, so it was copied along with the main squeeze suite.)

So it seems that we are lacking a procedure for archiving a suite from the security archive.

Ben.

-- Ben Hutchings
For every complex problem there is a solution that is simple, neat, and wrong.
Re: linux-latest for jessie
On Mon, 2020-03-09 at 13:28 +0100, wf...@niif.hu wrote:
> Dear Kernel Team,
>
> The linux-4.9 package version 4.9.210-1~deb8u1 was accepted into jessie
> at 2020-03-02, however, it wasn't accompanied by a corresponding
> linux-latest update, so my jessie machines having linux-image-4.9-amd64
> installed didn't pull in the new linux-image-4.9.0-0.bpo.12-amd64. Was
> this intentional, and do I misunderstand the linux-image-4.9 logic meant
> for jessie?

No, this was an oversight which I'm now correcting. Thanks for reporting this,

Ben.

> What's the current best practice for running jessie systems
> with Linux 4.9? (I know that jessie is oldoldstable, the replacement
> systems are already under testing, but until then...)
>
> (Please Cc me, I'm not subscribed.)

-- Ben Hutchings
73.46% of all statistics are made up.
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon, 2020-02-24 at 14:17 +0000, Holger Levsen wrote:
> hi,
>
> today I unclaimed
>
> for LTS:
> - python-pysaml2 (Abhijith PA)
>
> and none for eLTS.
>
>
> And, thanks to Emilio's patch showing the authors here, we got significantly
> less DLAs missing on www.debian.org:
>
> ERROR: .data or .wml file missing for DLA 2114-1 (reserved by Ben Hutchings)
[...]

Not yet issued as the upload is waiting in NEW.

Ben.

-- Ben Hutchings
Larkinson's Law: All laws are basically false.
Re: Is it okay to bump dh-compat?
On Fri, 2020-02-21 at 17:20 +0000, Holger Levsen wrote:
> Hi Utkarsh,
>
> On Fri, Feb 21, 2020 at 10:37:06PM +0530, Utkarsh Gupta wrote:
> > Is it okay to add d/source/format file? Or should I instead be
> > applying patches via d/rules file?
>
> as a general rule: don't change the packaging when doing security updates.
>
> And mind you, some old packages don't have a patch system at all...

One should only make *minimal* changes in a security update. However, converting a package from 1.0 to 3.0 (quilt) when it previously had no changes to upstream is a small change. If the maintainer has also made that change in later versions, I wouldn't hesitate to do so in a security update.

Ben.

-- Ben Hutchings
You can't have everything. Where would you put it?
Re: phppgadmin / CVE-2019-10784
On Thu, 2020-02-20 at 21:17 +0100, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> I have started to look into CVE-2019-10784 for phppgadmin.
>
> After some thinking on how it would be possible to protect against this I'm
> starting to think about whether we really want to protect against this, and
> whether it is in fact possible at all?
>
> I have ideas on how we can reduce the attack possibilities but I cannot
> find any perfect solution to this.
>
> What we can do is to check that the User Agent provided Referrer string
> points to the location where it is installed. There are however a few
> disadvantages with this.
> 1) It relies on that the user agent always provides the referrer string. A
> problem is that it is an optional header.
> 2) I think there are situations where "-" is used as the referrer string
> and if we allow that the check is quite pointless.
> I do not think this is a way forward.
[...]

My understanding is that the Referer field is normally provided when navigating within the same site, though some proxies may remove it.

It is common practice to use the Referer field to protect against CSRF, though it's not the most effective mitigation: <https://owasp.org/www-community/attacks/csrf>.

Ben.

-- Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
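The Referer check Ola describes above, written out as an added example (not phppgadmin's code, and not anyone's message in this thread) so the two weaknesses he lists are handled by failing closed: a missing header and the "-" placeholder are both rejected, and the header must match the install location's scheme, host, port and path prefix. The install URL and the sample requests are constructed for illustration.

```python
"""Referer-based CSRF check, as discussed for phppgadmin CVE-2019-10784.

Added example, not phppgadmin's code. Accepts a request only when the
Referer header is present, is not the "-" placeholder, and points at the
configured install location (same scheme, host and port, and a path at or
below the install directory).
"""
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for url, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname excludes any userinfo
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return scheme, host, port or DEFAULT_PORTS[scheme]


def referer_allowed(headers: Mapping[str, str], install_url: str) -> bool:
    """True only if the Referer header points inside install_url.

    A missing header (it is optional, and some proxies strip it) and the
    "-" placeholder both fail closed: the request is rejected.
    """
    # Header names are case-insensitive; look the field up accordingly.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None or referer.strip() in ("", "-"):
        return False
    ref, base = _origin(referer), _origin(install_url)
    if ref is None or base is None or ref != base:
        return False
    # Path check: normalise the install path to a trailing slash so that
    # /phppgadminx/ does not pass as a prefix match for /phppgadmin/.
    base_path = urlsplit(install_url).path
    if not base_path.endswith("/"):
        base_path += "/"
    ref_path = urlsplit(referer).path or "/"
    return ref_path == base_path.rstrip("/") or ref_path.startswith(base_path)


# Constructed sample install location and requests (not real hosts).
INSTALL_URL = "https://db.example.net/phppgadmin/"
SAMPLE_REQUESTS = {
    "same site":        {"Referer": "https://db.example.net/phppgadmin/sql.php?x=1"},
    "explicit port":    {"referer": "https://db.example.net:443/phppgadmin/"},
    "missing header":   {},
    "dash placeholder": {"Referer": "-"},
    "other host":       {"Referer": "https://other.example/phppgadmin/"},
    "userinfo in url":  {"Referer": "https://db.example.net@other.example/phppgadmin/"},
    "wrong scheme":     {"Referer": "http://db.example.net/phppgadmin/"},
    "sibling path":     {"Referer": "https://db.example.net/phppgadminx/"},
}


def evaluate_samples() -> dict:
    """Run the check over the constructed requests; only the first two pass."""
    return {name: referer_allowed(h, INSTALL_URL) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:18s} {'accept' if ok else 'reject'}")
```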
Re: closing bugs in security uploads and the BTS
On Thu, 2020-02-20 at 17:09 +0000, Holger Levsen wrote:
[...]
> sec-master doesn't send mail to the bts. So currently one has to close bugs
> manually. Or maybe we can change the archive software to do something else.
>
> as this is also the case for stable-security, where such bugs only get closed
> at pointreleases,

Is it though? The packages are copied to -proposed-updates immediately after they're released to -security, and I think that closes bugs.

Ben.

> maybe this is something where we can use LTS ressources to
> improve the situation both for LTS and normal security support?

-- Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
Re: Triage advice for CVE-2020-8492
On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> Hi fellow LTS development team
>
> I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
> and what it can cause is a CPU load issue (on the client side as I
> understand). I can not really see how it can be exploited in any normal
> client. Sure if the attacker creates new python code it can, but then it
> can do that anyway because an infinite loop is quite easy to do in any
> python code.

I don't know for sure, but I think the test case given in the upstream issue exercises part of the normal response handling. I think it shows what happens if a server sends a response with the header field:

www-authenticate: Basic foo realm

Ben.

> So I think it is probably a minor issue, but I would like to check with
> others for an opinion.
>
> For now I have marked as ignored, but if people have good arguments I will
> change my mind.
>
> Best regards
>
> // Ola
>

-- Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
Re: [CVE-2019-17026] Firefox Security Advisory 2020-03
On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote:
> Hi,
>
> > It seems urgent to me to correct a flaw exploited in firefox:
> > https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
> >
> > Here are the changes:
> > https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch
>
> AFAIK this has already been addressed in jessie via DLA-2061-1[0]
> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.

Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for {stretch,buster}-security also references packages with an upstream version 68.4.1esr. However DLA-2061-1 for jessie-security has a version of 68.4.0esr-1~deb8u1.

I think the wrong version was backported to jessie-security, leaving this issue unfixed.

Ben.

> [0] https://security-tracker.debian.org/tracker/CVE-2019-17026
>

-- Ben Hutchings
For every complex problem there is a solution that is simple, neat, and wrong.
Re: [SECURITY] [DLA 2068-1] linux security update
On Sat, 2020-01-18 at 05:16 -0600, Steve Turner wrote:
> Hi Ben
>
> Paul has now left the business.
>
> Please remove his details from your database.

I don't know who Paul is, and I wouldn't be able to edit the subscriber list anyway.

You need to use the unsubscription form at <https://www.debian.org/MailingLists/unsubscribe>. Tick the box for "debian-lts-announce" (and any other Debian lists he was subscribed to), enter the email address that he used, and press Unsubscribe. You'll then get a confirmation mail, which you need to respond to.

Ben.

-- Ben Hutchings
Humans are not rational beings; they are rationalising beings.
[SECURITY] [DLA 2068-1] linux security update
Gao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a null pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).

CVE-2019-19966

The syzkaller tool discovered a missing error check in the cpia2 media driver, which could lead to a use-after-free. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version 3.16.81-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux 3.16.81-1 (all source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Jan 2020 16:49:03 +0000
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-10
Source: linux
Architecture: all source
Version: 3.16.81-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-3.16 - Linux kernel specific documentation for version 3.16
 linux-manual-3.16 - Linux kernel API manual pages for version 3.16
 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
 linux-support-3.16.0-10 - Support files for Linux 3.16
Changes:
 linux (3.16.81-1) jessie-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.77
     - ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() (CVE-2019-15098)
     - media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap (CVE-2019-15217)
     - media: technisat-usb2: break out of loop at end of buffer (CVE-2019-15505)
     - ax25: enforce CAP_NET_RAW for raw sockets (CVE-2019-17052)
     - ieee802154: enforce CAP_NET_RAW for raw sockets (CVE-2019-17053)
     - appletalk: enforce CAP_NET_RAW for raw sockets (CVE-2019-17054)
     - mISDN: enforce CAP_NET_RAW for raw sockets (CVE-2019-17055)
     - nfc: enforce CAP_NET_RAW for raw sockets (CVE-2019-17056)
     - cfg80211: wext: avoid copying malformed SSIDs (CVE-2019-17133)
     - rtlwifi: Fix potential overflow on P2P code (CVE-2019-17666)
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.78
     - hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
     - [x86] sysfb_efi: Add quirks for some devices with swapped width and height
     - [armhf] mmc: mmc_spi: Enable stable writes
     - ALSA: compress: Fix regression on compressed capture streams
     - can: peak_usb: fix potential double kfree_skb()
     - [x86] usb: pci-quirks: Correct AMD PLL quirk detection
     - usb: wusbcore: fix unbalanced get/put cluster_id
     - [x86] speculation/mds: Apply more accurate check on hypervisor platform
     - [x86] hpet: Fix division by zero in hpet_time_div()
     - sched/fair: Don't free p->numa_faults with concurrent readers
     - tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
     - bnx2x: Disable multi-cos feature.
     - net: sched: Fix a possible null-pointer dereference in dequeue_func()
     - net: fix ifindex collision during namespace removal
     - libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
     - selinux: fix memory leak in policydb_init()
     - net: bridge: mcast: don't delete permanent entries when fast leave is enabled
     - xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
     - can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices (CVE-2019-19536)
     - asm-generic: fix -Wtype-limits compiler warnings
     - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
     - USB: serial: option: Add support for ZTE MF871A
     - usb: yurex: Fix use-after-free in yurex_delete (CVE-2019-19531)
     - SMB3: Fix deadlock in validate negotiate hits reconnect
     - smb3: send CAP_DFS capability during session setup
     - sound: fix a memory leak bug
     - ALSA: firewire: fix a memory leak bug
     - ALSA: hda - Fix a memory leak bug
     - [x86] staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
     - [x86] staging: comedi: dt3000: Fix rounding up of timer divisor
     - USB: core: Fix races in character device registration and deregistraion (CVE-2019-19537)
     - netfilter: conntrack: Use consistent ct id hash calculation
     - sctp: fix the transport error_count check
     - USB: serial: option: Add Motorola modem UARTs
     - usb: cdc-acm: make sure a refcount is taken early enough (CVE-2019-19530)
     - net/packet: fix race in tpacket_snd()
     - Revert "cfg80211: fix processing world regdomain when non modular"
     - usb-storage: Add new JMS567 revision to unusual_devs
     - dm btree: fix order of block initialization in btree_split_beneath
     - dm space map metadata: fix missing store of apply_bops() return value
     - dm table: fix invalid memory accesses with too high sector number
     - [i386] retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
     - batman-adv: Only read OGM tvlv_len after buffer len check
     - ALSA: seq: Fix potential concurrent access to the deleted pool
     - [x86] ptrace: Make user_64bit_mode() available to 32-bit builds
     - [x86] uprobes: Fix detection of 32-bit user mode
     - [x86] apic: Do not initialize LDR and DFR for bigsmp
     - [x86] apic: Drop logical_smp_processor_id() inline
     - [i386] apic: Avoid bogus LDR warnings
     - usb: host: ohci: fix a race condition between shutdown and irq
     - USB: storage: ums-realtek: Update mod
RFT: Linux 3.16.81 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.81-1~git20200112.fa3d7dc, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.76-1). I intend to upload soon, so please plan to test and report back before the end of this week.

Ben.

-- Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
RFT: Linux 3.16.80 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.80-1~git20200102.daa5bf7, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.76-1).

Ben.

-- Ben Hutchings
Who are all these weirdos? - David Bowie, on joining IRC
RFT: Linux 3.16.79 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.79-1~git20191210.9165d99, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.76-1).

Ben.

-- Ben Hutchings
The generation of random numbers is too important to be left to chance. - Robert Coveyou
RFT: Linux 3.16.78 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.78-1~git20191122.89a5307, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.76-1).

Ben.

-- Ben Hutchings
I say we take off; nuke the site from orbit. It's the only way to be sure.
[SECURITY] [DLA 1990-1] linux-4.9 security update
Package: linux-4.9
Version: 4.9.189-3+deb9u2~deb8u1
CVE ID : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2018-12207

It was discovered that on Intel CPUs supporting hardware virtualisation with Extended Page Tables (EPT), a guest VM may manipulate the memory management hardware to cause a Machine Check Error (MCE) and denial of service (hang or crash). The guest triggers this error by changing page tables without a TLB flush, so that both 4 KB and 2 MB entries for the same virtual address are loaded into the instruction TLB (iTLB). This update implements a mitigation in KVM that prevents guest VMs from loading 2 MB entries into the iTLB. This will reduce performance of guest VMs.

Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html> or in the linux-doc-4.9 package.

Intel's explanation of the issue can be found at <https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0>.

CVE-2019-0154

Intel discovered that on their 8th and 9th generation GPUs, reading certain registers while the GPU is in a low-power state can cause a system hang. A local user permitted to use the GPU can use this for denial of service.

This update mitigates the issue through changes to the i915 driver.

The affected chips (gen8 and gen9) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen8>.

CVE-2019-0155

Intel discovered that their 9th generation and newer GPUs are missing a security check in the Blitter Command Streamer (BCS). A local user permitted to use the GPU could use this to access any memory that the GPU has access to, which could result in a denial of service (memory corruption or crash), a leak of sensitive information, or privilege escalation.

This update mitigates the issue by adding the security check to the i915 driver.

The affected chips (gen9 onward) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen9>.

CVE-2019-11135

It was discovered that on Intel CPUs supporting transactional memory (TSX), a transaction that is going to be aborted may continue to execute speculatively, reading sensitive data from internal buffers and leaking it through dependent operations. Intel calls this "TSX Asynchronous Abort" (TAA).

For CPUs affected by the previously published Microarchitectural Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), the existing mitigation also mitigates this issue.

For processors that are vulnerable to TAA but not MDS, this update disables TSX by default. This mitigation requires updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) will be provided via a future DLA. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update.

Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html> or in the linux-doc-4.9 package.

Intel's explanation of the issue can be found at <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3+deb9u2~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-4.9 4.9.189-3+deb9u2~deb8u1 (all source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2019 22:05:49 +0000
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u2~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3+deb9u2~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie; no further changes required
 .
 linux (4.9.189-3+deb9u2) stretch-security; urgency=high
 .
   * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
     - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
     - x86/msr: Add the IA32_TSX_CTRL MSR
     - x86/cpu: Add a helper function x86_read_arch_cap_msr()
     - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
     - x86/speculation/taa: Add mitigation for TSX Async Abort
     - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
     - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
     - x86/tsx: Add "auto" option to the tsx= cmdline parameter
     - x86/speculation/taa: Add documentation for TSX Async Abort
     - x86/tsx: Add config options to set tsx=on|off|auto
     - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
     TSX is now disabled by default; see Documentation/hw-vuln/tsx_async_abort.rst
   * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change (aka iTLB multi-hit, CVE-2018-12207):
     - KVM: x86: simplify ept_misconfig
     - KVM: x86: extend usage of RET_MMIO_PF_* constants
     - KVM: MMU: drop vcpu param in gpte_access
     - kvm: Convert kvm_lock to a mutex
     - kvm: x86: Do not release the page inside mmu_set_spte()
     - KVM: x86: make FNAME(fetch) and __direct_map more similar
     - KVM: x86: remove now unneeded hugepage gfn adjustment
     - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
     - KVM: x86: Add is_executable_pte()
     - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
     - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
     - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
     - cpu/speculation: Uninline and export CPU mitigations helpers
     - kvm: mmu: ITLB_MULTIHIT mitigation
     - kvm: Add helper function for creating VM worker threads
     - kvm: x86: mmu: Recovery of shattered NX large pages
     - Documentation: Add ITLB_MULTIHIT documentation
   * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
     - drm/i915: kick out cmd_parser specific structs from i915_drv.h
     - drm/i915: cleanup use of INSTR_CLIENT_MASK
     - drm/i915: return EACCES for check_cmd() failures
     - drm/i915: don't whitelist oacontrol in cmd parser
     - drm/i915: Use the precomputed value for whether to enable command parsing
     - drm/i915/cmdparser: Limit clflush to active cachelines
     - drm/i915/gtt: Add read only pages to gen8_pte_encode
     - drm/i915/gtt: Read-only pages for insert_entries on bdw+
     - drm/i915/gtt: Disable read-only support under GVT
     - drm/i915: Prevent writing into a read-only object via a GGTT mmap
     - drm/i915/cmdparser: Check reg_table_count before derefencing.
     - drm/i915/cmdparser: Do not check past the cmd length.
     - drm/i915: Silence smatch for cmdparser
     - drm/i915: Move engine->needs_cmd_parser to engine->flags
     - drm/i915: Rename gen7 cmdparser tables
     - drm/i915: Disable Secure Batches for gen6+
     - drm/i915: Remove Master tables from cmdparser
     - drm/i915: Add support for mandatory cmdparsing
     - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
     - drm/i915: Allow parsing of unsized batches
     - drm/i915: Add gen9 BCS cmdparsing
     - drm/i915/cmdparser: Use explicit goto for error paths
     - drm/i915/cmdparser: Add support for backward jumps
     - drm/i915/cmdparser: Ignore Length operands during command matching
     - drm/i915/cmdparser: Fix jump whitelist clearing
   * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
     - drm/i915: Lower RM timeout to avoid DSI hard hangs
     - drm/i915/gen8+: Add RC6 CTX corruption WA
   * drm/i915: Avoid ABI change for CVE-2019-0155
Checksums-Sha1:
 4168501c46e22ef35ff11ea9c6512a7c53f39642 15751 linux-4.9_4
[SECURITY] [DLA 1989-1] linux security update
Package: linux
Version: 3.16.76-1
CVE ID : CVE-2019-0154 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2019-0154

    Intel discovered that on their 8th and 9th generation GPUs, reading certain registers while the GPU is in a low-power state can cause a system hang. A local user permitted to use the GPU can use this for denial of service.

    This update mitigates the issue through changes to the i915 driver.

    The affected chips (gen8) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen8>.

CVE-2019-11135

    It was discovered that on Intel CPUs supporting transactional memory (TSX), a transaction that is going to be aborted may continue to execute speculatively, reading sensitive data from internal buffers and leaking it through dependent operations. Intel calls this "TSX Asynchronous Abort" (TAA).

    For CPUs affected by the previously published Microarchitectural Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), the existing mitigation also mitigates this issue.

    For processors that are vulnerable to TAA but not MDS, this update disables TSX by default. This mitigation requires updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) will be provided via a future DLA. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update.

    Further information on the mitigation can be found at <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html> or in the linux-doc-3.16 package.

    Intel's explanation of the issue can be found at <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>.

For Debian 8 "Jessie", these problems have been fixed in version 3.16.76-1.

This update also includes other fixes from upstream stable updates.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
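A post-update check for the TAA mitigation described above, added here as an example and not part of the advisory or the Debian packaging: it classifies the kernel's sysfs reports for tsx_async_abort and mds (the status strings are the ones documented in the tsx_async_abort admin-guide page linked above, assumed here) and checks whether /proc/cpuinfo still advertises TSX (rtm/hle). VULN_DIR and all function names are this script's own.

```shell
#!/bin/sh
# taa_check.sh: report whether the TSX Asynchronous Abort (TAA) and MDS
# mitigations are active on the running kernel.
# Added example, not part of the Debian advisory. The status strings matched
# below are the ones from the kernel's admin-guide hw-vuln/tsx_async_abort.rst
# (assumed); VULN_DIR and the function names are this script's own.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# taa_classify STATUS
# Map one sysfs status line to a short class:
#   not-affected  CPU does not need the mitigation
#   mitigated     TSX disabled, or CPU buffers cleared (MDS-style mitigation)
#   no-microcode  kernel tried to mitigate but the CPU microcode lacks support
#   vulnerable    no mitigation in effect
#   unknown       anything else (newer kernel wording, or an empty read)
taa_classify() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: TSX disabled"*)                              echo mitigated ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo no-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# smt_exposed STATUS
# True (exit 0) when the status line says SMT siblings remain vulnerable,
# i.e. the mitigation is only partial until SMT is disabled.
smt_exposed() {
    case "$1" in
        *"SMT vulnerable"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# tsx_advertised FLAGS
# True (exit 0) when the cpuinfo flags list rtm or hle, i.e. TSX is still
# usable from userspace (tsx=off removes both flags).
tsx_advertised() {
    for flag in $1; do
        case "$flag" in
            rtm|hle) return 0 ;;
        esac
    done
    return 1
}

# report_file PATH
# Print "<name>: <class>[ (SMT still exposed)]" for one sysfs entry.
report_file() {
    name=${1##*/}
    if [ -r "$1" ]; then
        status=$(cat "$1")
        printf '%s: %s' "$name" "$(taa_classify "$status")"
        if smt_exposed "$status"; then
            printf ' (SMT still exposed)'
        fi
        printf '\n'
    else
        # A kernel without the sysfs reporting commits cannot be assumed to
        # carry the mitigation; report it as a finding rather than skip it.
        printf '%s: missing (kernel has no sysfs reporting for it)\n' "$name"
    fi
}

main() {
    for v in tsx_async_abort mds; do
        report_file "$VULN_DIR/$v"
    done
    flags=$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo 2>/dev/null || true)
    if tsx_advertised "$flags"; then
        echo "cpuinfo: rtm/hle still advertised; TSX is enabled (check the tsx= kernel parameter)"
    else
        echo "cpuinfo: rtm/hle not advertised; TSX is unavailable to userspace"
    fi
}

# Only run the report when executed as a script, so the functions can be
# sourced (for instance by a test) without touching the live system.
case "${0##*/}" in
    taa_check.sh) main ;;
esac
```

On a host that took this update but has not yet received the intel-microcode update, expect "no-microcode" for mds and "mitigated" for tsx_async_abort only if TSX was actually disabled.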
Accepted linux 3.16.76-1 (all source) into oldoldstable
Format: 1.8
Date: Tue, 12 Nov 2019 15:56:11 +0000
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-10
Source: linux
Architecture: all source
Version: 3.16.76-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-3.16 - Linux kernel specific documentation for version 3.16
 linux-manual-3.16 - Linux kernel API manual pages for version 3.16
 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
 linux-support-3.16.0-10 - Support files for Linux 3.16
Changes:
 linux (3.16.76-1) jessie-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.75
     - net/mlx4_core: Change the error print to info print
     - spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
     - Btrfs: fix race between ranged fsync and writeback of adjacent ranges
     - scsi: bnx2fc: fix incorrect cast to u64 on shift operation
     - USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
     - USB: Add LPM quirk for Surface Dock GigE adapter
     - usbip: usbip_host: fix BUG: sleeping function called from invalid context
     - USB: rio500: fix memory leak in close after disconnect
     - [x86] drm/gma500/cdv: Check vbt config bits when detecting lvds panels
     - USB: serial: pl2303: add Allied Telesis VT-Kit3
     - usb: xhci: avoid null pointer deref when bos field is NULL
     - [armhf] net: stmmac: fix reset gpio free missing
     - igmp: acquire pmc lock for ip_mc_clear_src()
     - igmp: add a missing spin_lock_init()
     - ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
     - sbitmap: fix improper use of smp_mb__before_atomic()
     - Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
     - perf/ring_buffer: Fix exposing a temporarily decreased data_head
     - perf/ring_buffer: Add ordering to rb->nest increment
     - i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
     - configfs: Fix use-after-free when accessing sd->s_dentry
     - llc: fix skb leak in llc_build_and_send_ui_pkt()
     - CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
     - usbip: usbip_host: fix stub_dev lock context imbalance regression
     - signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
     - net-gro: fix use-after-free read in napi_gro_frags()
     - kernel/signal.c: trace_signal_deliver when signal_group_exit
     - USB: usb-storage: Add new ID to ums-realtek
     - USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
     - hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
     - net: rds: fix memory leak in rds_ib_flush_mr_pool
     - pktgen: do not sleep with the thread lock held.
     - can: af_can: Fix error path of can_init()
     - can: purge socket error queue on sock destruct
     - ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
     - ptrace: restore smp_rmb() in __ptrace_may_access()
     - bcache: fix stack corruption by PRECEDING_KEY()
     - libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
     - cifs: add spinlock for the openFileList to cifsInodeInfo
     - fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
     - coredump: fix race condition between collapse_huge_page() and core dumping
     - cfg80211: fix memory leak of wiphy device name
     - Btrfs: fix race between readahead and device replace/removal
     - btrfs: start readahead also in seed devices
     - be2net: Fix number of Rx queues used for flow hashing
     - neigh: fix use-after-free read in pneigh_get_next
     - perf/core: Fix perf_sample_regs_user() mm check
     - SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
     - apparmor: enforce nullbyte at end of tag string
     - net: netem: fix backlog accounting for corrupted GSO frames
     - scsi: ufs: Avoid runtime suspend possibly being blocked forever
     - [x86] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
     - [x86] apic: Fix integer overflow on 10 bit left shift of cpu_khz
     - be2net: fix link failure after ethtool offline test
     - perf/ioctl: Add check for the sample_period value
     - [x86] speculation: Allow guests to use SSBD even if host does not
     - cpu/speculation: Warn on unsupported mitigations= parameter
     - bonding: Always enable vlan tx offload
     - bonding: Add vlan tx offload to hw_enc_features
     - sctp: change to hold sk after auth shkey is created successfully
     - ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
     - tracing/snapshot: Resize spare buffer if size changed
     - scsi: target/iblock: Fix overrun in WRITE SAME emulation
     - lib/mpi: Fix karactx leak in mpi_powm
     - crypto: user - prevent operating on larval algorithms
RFT: Linux 3.16.76 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.76-1~git20191101.154b211, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.74-1).

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
 - Robert Coveyou
RFT: Linux 3.16.75 package
I uploaded a snapshot of the jessie-security branch of linux, with the version 3.16.75-1~git20191022.e189a9e, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed .changes file.

Let me know if you find any regressions from the current released version (3.16.74-1).

Ben.

-- 
Ben Hutchings
Hoare's Law of Large Problems:
Inside every large problem is a small problem struggling to get out.
Re: [SECURITY] [DLA 1942-2] phpbb3 regression update
On Mon, 2019-10-07 at 07:02 -0700, howard wrote:
> Please discontinue sending [SECURITY] [XXX --] items, Thank
> you!
[...]

You need to write to debian-lts-announce-requ...@lists.debian.org, as explained at <https://www.debian.org/MailingLists/#subunsub>.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought. I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.
 - Maurice Wilkes, 1949
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
On Sun, 2019-10-06 at 17:12 +0000, Holger Levsen wrote:
> Hi Mike,
> 
> On Sun, Oct 06, 2019 at 02:43:01PM +0000, Mike Gabriel wrote:
> > This is a follow-up to DLA-1942-1.
> 
> this mail didn't make it to lts-announce...

I believe that debian-lts-announce, like other Debian announce lists, is configured to redirect replies to a discussion list.

Mike, you should issue a DLA-1942-2 as a new non-reply message.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
[SECURITY] [DLA 1940-1] linux-4.9 security update
Package: linux-4.9
Version: 4.9.189-3+deb9u1~deb8u1
CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-14821

    Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

    Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

    Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

    Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. On the amd64 architecture this is mitigated by a guard page on the kernel stack, so that it is only possible to cause a crash.

CVE-2019-15902

    Brad Spengler reported that a backporting error reintroduced a spectre-v1 vulnerability in the ptrace subsystem in the ptrace_get_debugreg() function.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3+deb9u1~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-4.9 4.9.189-3+deb9u1~deb8u1 (all source) into oldoldstable
Format: 1.8
Date: Mon, 30 Sep 2019 15:49:24 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u1~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3+deb9u1~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie; no further changes required
 .
 linux (4.9.189-3+deb9u1) stretch-security; urgency=high
 .
   * vhost: make sure log_num < in_num (CVE-2019-14835)
   * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
   * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term (CVE-2019-15118)
   * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
   * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
[SECURITY] [DLA 1930-1] linux security update
attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

    The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

    The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

    The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15807

    Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15917

    The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use-after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15926

    It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version 3.16.74-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux 3.16.74-1 (all source) into oldoldstable
Format: 1.8
Date: Tue, 24 Sep 2019 01:31:30 +0100
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-10
Source: linux
Architecture: all source
Version: 3.16.74-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-3.16 - Linux kernel specific documentation for version 3.16
 linux-manual-3.16 - Linux kernel API manual pages for version 3.16
 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
 linux-support-3.16.0-10 - Support files for Linux 3.16
Changes:
 linux (3.16.74-1) jessie-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.73
     - ext4: brelse all indirect buffer in ext4_ind_remove_space()
     - ext4: cleanup bh release code in ext4_ind_remove_space()
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.74
     - media: ivtv: update *pos correctly in ivtv_read_pos()
     - media: cx18: update *pos correctly in cx18_read_pos()
     - [armhf] dts: exynos: Fix interrupt for shared EINTs on Exynos5260
     - [armhf] media: wl128x: Fix an error code in fm_download_firmware()
     - pwm: Fix deadlock warning when removing PWM device
     - [armhf] pwm: tiehrpwm: Update shadow register for disabling PWMs
     - scsi: qla4xxx: avoid freeing unallocated dma memory
     - [armhf] OMAP2+: Fix potentially uninitialized return value for _setup_reset()
     - tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
     - [armhf] media: wl128x: prevent two potential buffer overflows
     - kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
     - cxgb3/l2t: Fix undefined behaviour
     - drm/fb-helper: dpms_legacy(): Only set on connectors in use
     - scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
     - PCI: Factor out pcie_retrain_link() function
     - PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum
     - jbd2: check superblock mapped prior to committing
     - crypto: crct10dif-generic - fix use via crypto_shash_digest()
     - [x86] crypto: crct10dif-pcl - fix use via crypto_shash_digest()
     - scsi: qla2xxx: Unregister chrdev if module initialization fails
     - [x86] hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
     - hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
     - [x86] hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
     - [x86] hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
     - [x86] hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
     - hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
     - RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
     - [x86] platform: alienware-wmi: fix kfree on potentially uninitialized pointer
     - crypto: salsa20 - don't access already-freed walk.iv
     - media: pvrusb2: Prevent a buffer overflow
     - PCI: Mark Atheros AR9462 to avoid bus reset
     - [x86] uaccess: Dont leak the AC flag into __put_user() argument evaluation
     - ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
     - fuse: fix writepages on 32bit
     - fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
     - fuse: fallocate: fix return with locked inode
     - bcache: fix memory corruption in init error path
     - bcache: fix a race between cache register and cacheset unregister
     - bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
     - TTY: serial_core, add ->install
     - [x86] PCI: Reset Lenovo ThinkPad P50 nvgpu at boot if necessary
     - Bluetooth: Align minimum encryption key size for LE and BR/EDR connections (CVE-2019-9506)
     - Bluetooth: Fix regression with minimum encryption key size alignment
     - Bluetooth: Fix faulty expression for minimum encryption key size check
     - at76c50x-usb: Don't register led_trigger if usb_register_driver failed
     - mwl8k: Fix rate_idx underflow
     - p54: drop device reference count if fails to enable device
     - ext4: actually request zeroing of inode table after grow
     - USB: serial: fix initial-termios handling
     - ALSA: hda/realtek - EAPD turn on later
     - ALSA: hda/realtek - Fix overridden device-specific initialization
     - ALSA: usb-audio: Fix a memory leak bug
     - cdc-acm: fix race between callback and unthrottle
     - cdc-acm: store in and out pipes in acm structure
     - cdc-acm: handle read pipe errors
     - usb: cdc-acm: fix race during wakeup blocking TX traffic
     - USB: cdc-acm: fix unthrottle races
     - USB: serial: use variable for status
     - USB: serial: fix unthrottle races
     - of: fix clang -Wunsequenced for be32_to_cpu()
     - [x86] iommu/vt-d: Set intel_iommu_gfx_mapped correctly
     - ALSA: hda/hdmi - Read the pin sense from register when repolling
     - [x86] A
[SECURITY] [DLA 1919-2] linux-4.9 security update
r possibly for privilege escalation.

CVE-2019-15807

    Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15924

    The Hulk Robot tool found a missing error check in the fm10k Ethernet driver, which could lead to a null pointer dereference and crash (BUG/oops). The security impact of this is unclear.

CVE-2019-15926

    It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3~deb8u1. This version also includes a fix for Debian bug #930904, and other fixes included in upstream stable updates.

We recommend that you upgrade your linux-4.9 and linux-latest-4.9 packages. You will need to use "apt-get upgrade --with-new-pkgs" or "apt upgrade" as the binary package names have changed.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-latest-4.9 80+deb9u9~deb8u1 (source amd64) into oldoldstable
Format: 1.8
Date: Sun, 15 Sep 2019 17:15:18 +0100
Source: linux-latest-4.9
Binary: linux-image-4.9-alpha-generic linux-headers-4.9-alpha-generic linux-image-4.9-alpha-smp linux-headers-4.9-alpha-smp linux-image-4.9-amd64 linux-headers-4.9-amd64 linux-image-4.9-amd64-dbg linux-image-4.9-rt-amd64 linux-headers-4.9-rt-amd64 linux-image-4.9-rt-amd64-dbg linux-image-4.9-arm64 linux-headers-4.9-arm64 linux-image-4.9-arm64-dbg linux-image-4.9-marvell linux-headers-4.9-marvell linux-image-4.9-armmp linux-headers-4.9-armmp linux-image-4.9-armmp-lpae linux-headers-4.9-armmp-lpae linux-image-4.9-parisc linux-headers-4.9-parisc linux-image-4.9-parisc64-smp linux-headers-4.9-parisc64-smp linux-image-4.9-686 linux-headers-4.9-686 linux-image-4.9-686-pae linux-headers-4.9-686-pae linux-image-4.9-686-pae-dbg linux-image-4.9-rt-686-pae linux-headers-4.9-rt-686-pae linux-image-4.9-rt-686-pae-dbg linux-image-4.9-m68k linux-headers-4.9-m68k linux-image-4.9-4kc-malta linux-headers-4.9-4kc-malta linux-image-4.9-5kc-malta linux-headers-4.9-5kc-malta linux-image-4.9-octeon linux-headers-4.9-octeon linux-image-4.9-loongson-3 linux-headers-4.9-loongson-3 linux-image-4.9-powerpc linux-headers-4.9-powerpc linux-image-4.9-powerpc-smp linux-headers-4.9-powerpc-smp linux-image-4.9-powerpc64 linux-headers-4.9-powerpc64 linux-image-4.9-powerpcspe linux-headers-4.9-powerpcspe linux-image-4.9-powerpc64le linux-headers-4.9-powerpc64le linux-image-4.9-s390x linux-headers-4.9-s390x linux-image-4.9-s390x-dbg linux-image-4.9-sh7751r linux-headers-4.9-sh7751r linux-image-4.9-sh7785lcr linux-headers-4.9-sh7785lcr linux-image-4.9-sparc64 linux-headers-4.9-sparc64 linux-image-4.9-sparc64-smp linux-headers-4.9-sparc64-smp
Architecture: source amd64
Version: 80+deb9u9~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-headers-4.9-4kc-malta - Header files for Linux 4kc-malta configuration (meta-package)
 linux-headers-4.9-5kc-malta - Header files for Linux 5kc-malta configuration (meta-package)
 linux-headers-4.9-686 - Header files for Linux 686 configuration (meta-package)
 linux-headers-4.9-686-pae - Header files for Linux 686-pae configuration (meta-package)
 linux-headers-4.9-alpha-generic - Header files for Linux alpha-generic configuration (meta-package)
 linux-headers-4.9-alpha-smp - Header files for Linux alpha-smp configuration (meta-package)
 linux-headers-4.9-amd64 - Header files for Linux amd64 configuration (meta-package)
 linux-headers-4.9-arm64 - Header files for Linux arm64 configuration (meta-package)
 linux-headers-4.9-armmp - Header files for Linux armmp configuration (meta-package)
 linux-headers-4.9-armmp-lpae - Header files for Linux armmp-lpae configuration (meta-package)
 linux-headers-4.9-loongson-3 - Header files for Linux loongson-3 configuration (meta-package)
 linux-headers-4.9-m68k - Header files for Linux m68k configuration (meta-package)
 linux-headers-4.9-marvell - Header files for Linux marvell configuration (meta-package)
 linux-headers-4.9-octeon - Header files for Linux octeon configuration (meta-package)
 linux-headers-4.9-parisc - Header files for Linux parisc configuration (meta-package)
 linux-headers-4.9-parisc64-smp - Header files for Linux parisc64-smp configuration (meta-package)
 linux-headers-4.9-powerpc - Header files for Linux powerpc configuration (meta-package)
 linux-headers-4.9-powerpc-smp - Header files for Linux powerpc-smp configuration (meta-package)
 linux-headers-4.9-powerpc64 - Header files for Linux powerpc64 configuration (meta-package)
 linux-headers-4.9-powerpc64le - Header files for Linux powerpc64le configuration (meta-package)
 linux-headers-4.9-powerpcspe - Header files for Linux powerpcspe configuration (meta-package)
 linux-headers-4.9-rt-686-pae - Header files for Linux rt-686-pae configuration (meta-package)
 linux-headers-4.9-rt-amd64 - Header files for Linux rt-amd64 configuration (meta-package)
 linux-headers-4.9-s390x - Header files for Linux s390x configuration (meta-package)
 linux-headers-4.9-sh7751r - Header files for Linux sh7751r configuration (meta-package)
 linux-headers-4.9-sh7785lcr - Header files for Linux sh7785lcr configuration (meta-package)
 linux-headers-4.9-sparc64 - Header files for Linux sparc64 configuration (meta-package)
 linux-headers-4.9-sparc64-smp - Header files for Linux sparc64-smp configuration (meta-package)
 linux-image-4.9-4kc-malta - Linux for MIPS Malta (meta-package)
 linux-image-4.9-5kc-malta - Linux for MIPS Malta (64-bit) (meta-package)
 linux-image-4.9-686 - Linux for older PCs (meta-package)
 linux-image-4.9-686-pae - Linux for modern PCs (meta-package)
 linux-image-4.9-686-pae-dbg - Debugging symbols for Linux 686-pae configuration (meta-package)
 linux-image-4.9-alpha-generic - Linux for Alpha (meta-package)
 linux-image-4.9-alpha-smp - Linux for Alpha SMP
[SECURITY] [DLA 1919-1] linux-4.9 security update
s) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15924

    The Hulk Robot tool found a missing error check in the fm10k Ethernet driver, which could lead to a null pointer dereference and crash (BUG/oops). The security impact of this is unclear.

CVE-2019-15926

    It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-4.9 4.9.189-3~deb8u1 (all source) into oldoldstable, oldoldstable
Format: 1.8
Date: Tue, 13 Aug 2019 19:47:06 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Closes: 866122 904385 930904 935134
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3~deb8u1) jessie-security; urgency=medium

   * Backport to jessie:
     - Change ABI number to 0.bpo.11

 linux (4.9.189-3) stretch; urgency=medium

   * tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue

 linux (4.9.189-2) stretch; urgency=medium

   [ Salvatore Bonaccorso ]
   * xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT (CVE-2019-15538)

   [ Ben Hutchings ]
   * [s390x] Revert "perf test 6: Fix missing kvm module load for s390" (fixes FTBFS)

 linux (4.9.189-1) stretch; urgency=medium

   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.186
     - [x86] Input: elantech - enable middle button support on 2 ThinkPads
     - mac80211: mesh: fix RCU warning
     - mac80211: free peer keys before vif down in mesh
     - netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
     - netfilter: ipv6: nf_defrag: accept duplicate fragments again
     - [armhf] Input: imx_keypad - make sure keyboard can always wake up system
     - [arm64] KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
     - mac80211: only warn once on chanctx_conf being NULL
     - md: fix for divide error in status_resync
     - bnx2x: Check if transceiver implements DDM before access
     - ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
     - net :sunrpc :clnt :Fix xps refcount imbalance on the error path
     - udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
     - [x86] ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
     - [x86] tls: Fix possible spectre-v1 in do_get_thread_area()
     - fscrypt: don't set policy for a dead directory
     - USB: serial: ftdi_sio: add ID for isodebug v1
     - USB: serial: option: add support for GosunCn ME3630 RNDIS mode
     - Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
     - p54usb: Fix race between disconnect and firmware loading (CVE-2019-15220)
     - usb: gadget: ether: Fix race between gether_disconnect and rx_submit
     - [i386] staging: comedi: dt282x: fix a null pointer deref on interrupt
     - [x86] staging: comedi: amplc_pci230: fix null pointer deref on interrupt
     - carl9170: fix misuse of device driver API
     - [x86] VMCI: Fix integer overflow in VMCI handle arrays
     - Revert "e1000e: fix cyclic resets at link up with active tx"
     - e1000e: start network tx queue only when link is up
     - [arm64] crypto: remove accidentally backported files
     - perf/core: Fix perf_sample_regs_user() mm check
     - [armhf] omap2: remove incorrect __init annotation
     - be2net: fix link failure after ethtool offline test
     - ppp: mppe: Add softdep to arc4
     - sis900: fix TX completion
     - dm verity: use message limit for data block corruption message
     - [s390x] fix stfle zero padding
     - [s390x] qdio: (re-)initialize tiqdio list entries
     - [s390x] qdio: don't touch the dsci in tiqdio_add_input_queues()
     https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.187
     - [arm64] efi: Mark __efistub_stext_offset as an absolute symbol explicitly
     - [armhf] dmaengine: imx-sdma: fix use-after-free on probe error path
     - ath10k: Do not send probe response template for mesh
     - ath9k: Check for errors when reading SREV register
     - ath6kl: add some bounds checking
     - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
     - batman-adv: fix for leaked TVLV handler.
     - media: dvb: usb: fix use after free in dvb_usb_device_exit
     - media: marvell-ccic: fix DMA s/g desc number calculation
     - media: media_device_enum_links32: clean a reserved field
     - [armhf,arm64] net: stmmac: dwmac1000: Clear unused address entries
     - [armhf,arm64] net: stmmac: dwmac4/5: Clear unused address entries
     - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
     - af_key: fix leaks in key_pol_get_resp and dump_sp.
     - xfrm: Fix xfr
[SECURITY] [DLA 1884-1] linux security update
Package: linux
Version: 3.16.72-1
CVE ID : CVE-2017-18509 CVE-2018-20836 CVE-2019-1125 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-13631 CVE-2019-14283 CVE-2019-14284

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-18509

    Denis Andzakovic reported a missing type check in the IPv4 multicast routing implementation. A user with the CAP_NET_ADMIN capability (in any user namespace) could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20836

    chenxiang reported a race condition in libsas, the kernel subsystem supporting Serial Attached SCSI (SAS) devices, which could lead to a use-after-free. It is not clear how this might be exploited.

CVE-2019-1125

    It was discovered that most x86 processors could speculatively skip a conditional SWAPGS instruction used when entering the kernel from user mode, and/or could speculatively execute it when it should be skipped. This is a subtype of Spectre variant 1, which could allow local users to obtain sensitive information from the kernel or other processes. It has been mitigated by using memory barriers to limit speculative execution. Systems using an i386 kernel are not affected as the kernel does not use SWAPGS.

CVE-2019-3900

    It was discovered that vhost drivers did not properly control the amount of work done to service requests from guest VMs. A malicious guest could use this to cause a denial-of-service (unbounded CPU usage) on the host.

CVE-2019-10207

    The syzkaller tool found a potential null dereference in various drivers for UART-attached Bluetooth adapters. A local user with access to a pty device or other suitable tty device could use this for denial-of-service (BUG/oops).

CVE-2019-10638

    Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function, "jhash". This could enable tracking individual computers as they communicate with different remote servers and from different networks. The "siphash" function is now used instead.

CVE-2019-13631

    It was discovered that the gtco driver for USB input tablets could overrun a stack buffer with constant data while parsing the device's descriptor. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (BUG/oops), or possibly for privilege escalation.

CVE-2019-14283

    The syzkaller tool found a missing bounds check in the floppy disk driver. A local user with access to a floppy disk device, with a disk present, could use this to read kernel memory beyond the I/O buffer, possibly obtaining sensitive information.

CVE-2019-14284

    The syzkaller tool found a potential division-by-zero in the floppy disk driver. A local user with access to a floppy disk device could use this for denial-of-service (oops).

(CVE ID not yet assigned)

    Denis Andzakovic reported a possible use-after-free in the TCP sockets implementation. A local user could use this for denial-of-service (memory corruption or crash) or possibly for privilege escalation.

(CVE ID not yet assigned)

    The netfilter conntrack subsystem used kernel addresses as user-visible IDs, which could make it easier to exploit other security vulnerabilities.

XSA-300

    Julien Grall reported that Linux does not limit the amount of memory which a domain will attempt to balloon out, nor limits the amount of "foreign / grant map" memory which any individual guest can consume, leading to denial of service conditions (for host or guests).

For Debian 8 "Jessie", these problems have been fixed in version 3.16.72-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-4.9 4.9.168-1+deb9u5~deb8u1 (all source) into oldoldstable
Format: 1.8
Date: Tue, 13 Aug 2019 19:47:06 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.9-common linux-headers-4.9.0-0.bpo.9-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.9
Source: linux-4.9
Architecture: all source
Version: 4.9.168-1+deb9u5~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.9-common - Common header files for Linux 4.9.0-0.bpo.9
 linux-headers-4.9.0-0.bpo.9-common-rt - Common header files for Linux 4.9.0-0.bpo.9-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.9 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.168-1+deb9u5~deb8u1) jessie-security; urgency=medium

   * Backport to jessie:
     - [x86] Revert "xen/pciback: Don't disable PCI_COMMAND on PCI device reset." (reintroduces CVE-2015-8553)
     - [x86] Remove Breaks relation to qemu-system-x86

 linux (4.9.168-1+deb9u5) stretch-security; urgency=high

   * [amd64] Add mitigation for Spectre v1 swapgs (CVE-2019-1125):
     - cpufeatures: Sort feature word 7
     - speculation: Prepare entry code for Spectre v1 swapgs mitigations
     - speculation: Enable Spectre v1 swapgs mitigations
     - entry: Use JMP instead of JMPQ
     - speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
   * [x86] xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (CVE-2015-8553)
     - Add Breaks relation to incompatible qemu-system-x86 versions
   * ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
   * percpu: stop printing kernel addresses (CVE-2018-5995)
   * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
   * block: blk_init_allocated_queue() set q->fq as NULL in the fail case (CVE-2018-20856)
   * vfio/type1: Limit DMA mappings per container (CVE-2019-3882)
   * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
   * siphash: add cryptographically secure PRF
   * inet: switch IP ID generator to siphash (CVE-2019-10638, CVE-2019-10639)
   * Input: gtco - bounds check collection indent level (CVE-2019-13631)
   * [ppc64el] tm: Fix oops on sigreturn on systems without TM (CVE-2019-13648)
   * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
   * floppy: fix out-of-bounds read in next_valid_format
   * floppy: fix invalid pointer dereference in drive_name
   * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
   * inet: Avoid ABI change for IP ID hash change
   * vhost: Fix possible infinite loop (CVE-2019-3900):
     - vhost-net: set packet weight of tx polling to 2 * vq size
     - vhost_net: use packet weight for rx handler, too
     - vhost_net: introduce vhost_exceeds_weight()
     - vhost: introduce vhost_exceeds_weight()
     - vhost_net: fix possible infinite loop
     - vhost: scsi: add weight support
   * vhost: Ignore ABI changes
   * netfilter: ctnetlink: don't use conntrack/expect object addresses as id
   * xen: let alloc_xenballooned_pages() fail if not enough memory free
   * tcp: Clear sk_send_head after purging the write queue
Accepted linux 3.16.72-1 (all source) into oldoldstable
Format: 1.8
Date: Tue, 13 Aug 2019 19:44:18 +0100
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-10
Source: linux
Architecture: all source
Version: 3.16.72-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-3.16 - Linux kernel specific documentation for version 3.16
 linux-manual-3.16 - Linux kernel API manual pages for version 3.16
 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
 linux-support-3.16.0-10 - Support files for Linux 3.16
Changes:
 linux (3.16.72-1) jessie-security; urgency=high

   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.71
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.72
     - ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt (CVE-2017-18509)
     - xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
     - Staging: iio: meter: fixed typo
     - iio: Use kmalloc_array() in iio_scan_mask_set()
     - iio: Fix scan mask selection
     - perf/core: Restore mmap record type correctly
     - ext4: fix data corruption caused by unaligned direct AIO
     - ext4: add missing brelse() in add_new_gdb_meta_bg()
     - xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
     - IB/mlx4: Fix race condition between catas error reset and aliasguid flows
     - staging: speakup_soft: Fix alternate speech with other synths
     - netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
     - udf: Fix crash on IO error during truncate
     - sctp: get sctphdr by offset in sctp_compute_cksum
     - NFS: fix mount/umount race in nlmclnt.
     - [armhf] imx6q: cpuidle: fix bug that CPU might not wake up at expected time
     - USB: serial: ftdi_sio: add additional NovaTech products
     - device_cgroup: fix RCU imbalance in error case
     - net-sysfs: call dev_hold if kobject_init_and_add success
     - tcp: do not use ipv6 header for ipv4 flow
     - dccp: do not use ipv6 header for ipv4 flow
     - [i386] 3c515: fix integer overflow warning
     - [armhf] dts: pfla02: increase phy reset duration
     - USB: serial: mos7720: fix mos_parport refcount imbalance on error path
     - staging: rtl8712: uninitialized memory in read_bbreg_hdl()
     - ALSA: rawmidi: Fix potential Spectre v1 vulnerability (CVE-2017-5753)
     - ALSA: seq: oss: Fix Spectre v1 vulnerability (CVE-2017-5753)
     - [x86] iommu/vt-d: Check capability before disabling protected memory
     - futex: Ensure that futex address is aligned in handle_futex_death()
     - ALSA: pcm: Fix possible OOB access in PCM oss plugins
     - xhci: Don't let USB3 ports stuck in polling state prevent suspend
     - batman-adv: Reduce claim hash refcnt only for removed entry
     - batman-adv: Reduce tt_local hash refcnt only for removed entry
     - batman-adv: Reduce tt_global hash refcnt only for removed entry
     - ALSA: pcm: Don't suspend stream in unrecoverable PCM state
     - net: phy: don't clear BMCR in genphy_soft_reset
     - USB: serial: cp210x: add new device id
     - afs: Fix StoreData op marshalling
     - KVM: Reject device ioctls from processes other than the VM's creator
     - [x86] kvm: IA32_ARCH_CAPABILITIES is always supported
     - [x86] KVM: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
     - fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
     - iio: core: fix a possible circular locking dependency
     - dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors
     - dccp: Fix memleak in __feat_register_sp
     - xfrm4: Fix header checks in _decode_session4.
     - xfrm4: Reload skb header pointers after calling pskb_may_pull.
     - xfrm4: Fix uninitialized memory read in _decode_session4
     - sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
     - btrfs: prop: fix vanished compression property after failed set
     - btrfs: correctly validate compression type
     - dm: disable DISCARD if the underlying storage no longer supports it
     - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
     - xen: Prevent buffer overflow in privcmd ioctl
     - ALSA: seq: Fix OOB-reads from strlcpy
     - PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
     - sunrpc: don't mark uninitialised items as VALID.
     - lib/string.c: implement a basic bcmp
     - ACPICA: Namespace: remove address node from global list after method termination
     - block: do not leak memory in bio_copy_user_iov()
     - net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
     - [x86] iommu/amd: Set exclusion range correctly
     - rt2x00: do not increment sequence number while re-transmitting
     - vxge: fix return of a free'd memblock on a failed
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
On Sat, 2019-07-27 at 18:30 -0300, Hugo Lefeuvre wrote:
> Hi Ben,
> 
> > > > For Debian 8 "Jessie", these problems have been fixed in version
> > > > 1.2.12-5+deb9u2.
> > > 
> > > Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2.
> > 
> > The proper way to make such a correction is to issue a -2 advisory with
> > the correct information and a note about what changed.
> 
> Thanks, I wasn't aware of this. I can't find any information about it in
> our documentation, did I miss something?
> 
> (just in case: this is not a regression, just a typo in the advisory)

I don't think it's explicitly documented; I inferred it from these rules:

1. Corrections should be sent to the same recipients as the original incorrect information.
2. All messages sent to debian-lts-announce about package updates should be numbered DLAs.
3. DLAs that are related to prior DLAs should use the same first part and an incremented second part.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
On Sat, 2019-07-27 at 16:04 -0300, Hugo Lefeuvre wrote:
> On Sat, Jul 27, 2019 at 03:30:14PM -0300, Hugo Lefeuvre wrote:
> > Package: sdl-image1.2
> > Version: 1.2.12-5+deb9u2
> > CVE ID : CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635
> > CVE-2019-12216 CVE-2019-12217 CVE-2019-12218
> > CVE-2019-12219
> > CVE-2019-12220 CVE-2019-12221 CVE-2019-1
> > 
> > [...]
> > 
> > For Debian 8 "Jessie", these problems have been fixed in version
> > 1.2.12-5+deb9u2.
> 
> Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2.

The proper way to make such a correction is to issue a -2 advisory with
the correct information and a note about what changed.

Ben.

-- 
Ben Hutchings
Lowery's Law:
If it jams, force it. If it breaks, it needed replacing anyway.
[SECURITY] [DLA 1863-1] linux-4.9 security update
Package: linux-4.9
Version: 4.9.168-1+deb9u4~deb8u1
CVE ID : CVE-2019-13272

Jann Horn discovered that the ptrace subsystem in the Linux kernel mishandles the management of the credentials of a process that wants to create a ptrace relationship, allowing a local user to obtain root privileges under certain scenarios.

For Debian 8 "Jessie", this problem has been fixed in version 4.9.168-1+deb9u4~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
[SECURITY] [DLA 1862-1] linux security update
Package: linux
Version: 3.16.70-1
CVE ID : CVE-2019-2101 CVE-2019-10639 CVE-2019-13272
Debian Bug : 930904

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-2101

    Andrey Konovalov discovered that the USB Video Class driver (uvcvideo) did not consistently handle a type field in device descriptors, which could result in a heap buffer overflow. This could be used for denial of service or possibly for privilege escalation.

CVE-2019-10639

    Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel virtual address. In Linux 3.16 this hash function is not used for IP IDs but is used for other purposes in the network stack. In custom kernel configurations that enable kASLR, this might weaken kASLR.

CVE-2019-13272

    Jann Horn discovered that the ptrace subsystem in the Linux kernel mishandles the management of the credentials of a process that wants to create a ptrace relationship, allowing a local user to obtain root privileges under certain scenarios.

For Debian 8 "Jessie", these problems have been fixed in version 3.16.70-1.

This update also fixes a regression introduced by the original fix for CVE-2019-11478 (#930904), and includes other fixes from upstream stable updates.

We recommend that you upgrade your linux and linux-latest packages. You will need to use "apt-get upgrade --with-new-pkgs" or "apt upgrade" as the binary package names have changed.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted linux-4.9 4.9.168-1+deb9u4~deb8u1 (all source) into oldoldstable
Format: 1.8
Date: Mon, 22 Jul 2019 22:50:24 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.9-common linux-headers-4.9.0-0.bpo.9-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.9
Source: linux-4.9
Architecture: all source
Version: 4.9.168-1+deb9u4~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.9-common - Common header files for Linux 4.9.0-0.bpo.9
 linux-headers-4.9.0-0.bpo.9-common-rt - Common header files for Linux 4.9.0-0.bpo.9-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.9 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.168-1+deb9u4~deb8u1) jessie-security; urgency=high

   * Backport to jessie; no further changes required

 linux (4.9.168-1+deb9u4) stretch-security; urgency=high

   * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)
Accepted linux 3.16.70-1 (all source) into oldoldstable, oldoldstable
Format: 1.8
Date: Mon, 22 Jul 2019 22:26:07 +0100
Binary: linux-doc-3.16 linux-manual-3.16 linux-source-3.16 linux-support-3.16.0-10
Source: linux
Architecture: all source
Version: 3.16.70-1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Closes: 931307
Description:
 linux-doc-3.16 - Linux kernel specific documentation for version 3.16
 linux-manual-3.16 - Linux kernel API manual pages for version 3.16
 linux-source-3.16 - Linux kernel source for version 3.16 with Debian patches
 linux-support-3.16.0-10 - Support files for Linux 3.16
Changes:
 linux (3.16.70-1) jessie-security; urgency=high

   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.69
     https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.70
     - staging: iio: adt7316: fix register and bit definitions
     - staging: iio: adt7316: invert the logic of the check for an ldac pin
     - staging: iio: adt7316: allow adt751x to use internal vref for all dacs
     - [armhf] clk: highbank: fix refcount leak in hb_clk_init()
     - [armhf] clk: socfpga: fix refcount leak
     - [armhf] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
     - [armhf] clk: imx6q: fix refcount leak in imx6q_clocks_init()
     - [armhf] clk: armada-370: fix refcount leak in a370_clk_init()
     - [armel] clk: kirkwood: fix refcount leak in kirkwood_clk_init()
     - [armhf] clk: armada-xp: fix refcount leak in axp_clk_init()
     - drm: Fix error handling in drm_legacy_addctx
     - RDMA/ocrdma: Fix out of bounds index check in query pkey
     - selinux: avoid silent denials in permissive mode under RCU walk
     - crypto: pcbc - remove bogus memcpy()s with src == dest
     - media: v4l2: i2c: ov7670: Fix PLL bypass register values
     - crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
     - crypto: tgr192 - fix unaligned memory access
     - [armhf] ASoC: imx-sgtl5000: put of nodes if finding codec fails
     - hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
     - [x86] applicom: Fix potential Spectre v1 vulnerabilities
     - rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
     - tty: ipwireless: Fix potential NULL pointer dereference
     - ext2: Fix underflow in ext2_max_size()
     - devres: always use dev_name() in devm_ioremap_resource()
     - crypto: testmgr - skip crc32c context test for ahash algorithms
     - splice: don't merge into linked buffers
     - scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
     - USB: serial: cp210x: add ID for Ingenico 3070
     - media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
     - crypto: ahash - fix another early termination in hash walk
     - bcache: never writeback a discard operation
     - bcache: treat stale && dirty keys as bad keys
     - jbd2: clear dirty flag when revoking a buffer from an older transaction
     - ext4: fix check of inode in swap_inode_boot_loader
     - ext4: update quota information while swapping boot loader inode
     - ext4: add mask of ext4 flags to swap
     - parport_pc: fix find_superio io compare code, should use equal test.
     - ext4: fix crash during online resizing
     - [x86] iscsi_ibft: Fix missing break in switch statement
     - [x86] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
     - [x86] tpm: Fix off-by-one when reading binary_bios_measurements
     - serial: 8250_pci: Fix number of ports for ACCES serial cards
     - serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
     - USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
     - cdc-wdm: pass return value of recover_from_urb_loss
     - libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
     - drm/radeon/evergreen_cs: fix missing break in switch statement
     - [x86] KVM: mmu: Do not cache MMIO accesses while memslots are in flux
     - fs/nfs: Fix nfs_parse_devname to not modify it's argument
     - [armhf] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
     - [armhf] mmc: omap: fix the maximum timeout setting
     - btrfs: init csum_list before possible free
     - ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
     - Btrfs: fix corruption reading shared and compressed extents after hole punching
     - NFSv4.1: Reinitialise sequence results before retransmitting a request
     - 9p: use inode->i_lock to protect i_size_write() under 32-bit
     - net-sysfs: Fix mem leak in netdev_register_kobject
     - ip6mr: Do not call __IP6_INC_STATS() from preemptible context
     - CIFS: Do not reset lease state to NONE on lease break
     - nfsd: fix memory corruption caused by readdir
     - CIFS: Fix read after write for files with read cac
[SECURITY] [DLA 1824-1] linux-4.9 security update
Package: linux-4.9
Version: 4.9.168-1+deb9u3~deb8u1
CVE ID : CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833 CVE-2019-11884
Debian Bug : 928989

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-3846, CVE-2019-10126

    huangwen reported multiple buffer overflows in the Marvell wifi (mwifiex) driver, which a local user could use to cause denial of service or the execution of arbitrary code.

CVE-2019-5489

    Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh discovered that local users could use the mincore() system call to obtain sensitive information from other processes that access the same memory-mapped file.

CVE-2019-9500, CVE-2019-9503

    Hugues Anguelkov discovered a buffer overflow and missing access validation in the Broadcom FullMAC wifi driver (brcmfmac), which an attacker on the same wifi network could use to cause denial of service or the execution of arbitrary code.

CVE-2019-11477

    Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) allows a remotely triggerable kernel panic.

CVE-2019-11478

    Jonathan Looney reported that a specially crafted sequence of TCP selective acknowledgements (SACKs) will fragment the TCP retransmission queue, allowing an attacker to cause excessive resource usage.

CVE-2019-11479

    Jonathan Looney reported that an attacker could force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data, drastically increasing the bandwidth required to deliver the same amount of data.

    This update introduces a new sysctl value to control the minimal MSS (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-coded value of 48. We recommend raising this to 536 unless you know that your network requires a lower value.

CVE-2019-11486

    Jann Horn of Google reported numerous race conditions in the Siemens R3964 line discipline. A local user could use these to cause unspecified security impact. This module has therefore been disabled.

CVE-2019-11599

    Jann Horn of Google reported a race condition in the core dump implementation which could lead to a use-after-free. A local user could use this to read sensitive information, to cause a denial of service (memory corruption), or for privilege escalation.

CVE-2019-11815

    It was discovered that a use-after-free in the Reliable Datagram Sockets protocol could result in denial of service and potentially privilege escalation. This protocol module (rds) is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded.

CVE-2019-11833

    It was discovered that the ext4 filesystem implementation writes uninitialised data from kernel memory to new extent blocks. A local user able to write to an ext4 filesystem and then read the filesystem image, for example using a removable drive, might be able to use this to obtain sensitive information.

CVE-2019-11884

    It was discovered that the Bluetooth HIDP implementation did not ensure that new connection names were null-terminated. A local user with CAP_NET_ADMIN capability might be able to use this to obtain sensitive information from the kernel stack.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.168-1+deb9u3~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- Ben Hutchings - Debian developer, member of kernel, installer and LTS teams