author | Ben Hutchings <ben@decadent.org.uk> | 2022-07-01 00:41:43 +0200
---|---|---
committer | Ben Hutchings <ben@decadent.org.uk> | 2022-07-01 00:45:47 +0200
commit | a3bb9f20a8b21e3f0293fa25132aedf0f0430252 (patch) |
tree | 6a4a7dd74ae96d8d2d8bc7e52ff59091349b2a6b |
parent | 5d446a83da990e8d8910fca9a1551f1225682acc (diff) |
Update advisories to note additional important changes
At the end of each advisory, note:

- The stable updates included.
- The random driver changes and their visible effects. These are
  slightly different for buster as systemd moved away from using
  /dev/urandom.
- Enabling of crypto implementations for 32-bit Arm, which has
  some security impact.
- Other fixes for Debian bugs.
-rw-r--r-- | dsa-texts/4.19.249-2 | 25
-rw-r--r-- | dsa-texts/4.9.320-2 | 32
2 files changed, 43 insertions, 14 deletions
diff --git a/dsa-texts/4.19.249-2 b/dsa-texts/4.19.249-2 index 34f77df7..75f6a590 100644 --- a/dsa-texts/4.19.249-2 +++ b/dsa-texts/4.19.249-2 @@ -259,8 +259,29 @@ CVE-2022-33981 (crash or memory corruption) or possibly for privilege escalation. This ioctl is now disabled by default. -For the oldstable distribution (buster), these problems have been fixed -in version 4.19.249-2. +For the oldstable distribution (buster), these problems have been +fixed in version 4.19.249-2. + +This update also corrects a regression in the network scheduler +subsystem (bug #1013299). + +For the 32-bit Arm (armel and armhf) architectures, this update +enables optimised implementations of several cryptographic and CRC +algorithms. For at least AES, this should remove a timing side- +channel that could lead to a leak of sensitive information. + +This update includes many more bug fixes from stable updates +4.19.236-4.19.249 inclusive, including for bug #1006346. The random +driver has been backported from Linux 5.19, fixing numerous +performance and correctness issues. Some changes will be visible: + +- The entropy pool size is now 256 bits instead of 4096. You may need + to adjust the configuration of system monitoring or user-space + entropy gathering services to allow for this. + +- On systems without a hardware RNG, the kernel may log more uses of + /dev/urandom before it is fully initialised. These uses were + previously under-counted and this is not a regression. We recommend that you upgrade your linux packages. diff --git a/dsa-texts/4.9.320-2 b/dsa-texts/4.9.320-2 index 7169fec7..b8bfdc34 100644 --- a/dsa-texts/4.9.320-2 +++ b/dsa-texts/4.9.320-2 
@@ -36,18 +36,8 @@ CVE-2018-1108 The original fix for this issue had to be reverted because it caused the boot process to hang on many systems. In this version, - the random driver has been backported from Linux 5.19 and is more - effective in gathering entropy without needing a hardware RNG. - - Some changes will be visible: - - - The entropy pool size is now 256 bits instead of 4096. You may - need to adjust the configuration of system monitoring or - user-space entropy gathering services to allow for this. - - - On systems without a hardware RNG, the kernel will log many uses - of /dev/urandom before it is fully initialised. These uses were - previously under-counted and this is not a regression. + the random driver has been updated, making it more effective in + gathering entropy without needing a hardware RNG. CVE-2021-4149 @@ -266,6 +256,24 @@ CVE-2022-33981 For Debian 9 stretch, these problems have been fixed in version 4.9.320-2. +For the 32-bit Arm (armel and armhf) architectures, this update +enables optimised implementations of several cryptographic and CRC +algorithms. For at least AES, this should remove a timing side- +channel that could lead to a leak of sensitive information. + +This update includes many more bug fixes from stable updates +4.9.304-4.9.320 inclusive. The random driver has been backported from +Linux 5.19, fixing numerous performance and correctness issues. Some +changes will be visible: + +- The entropy pool size is now 256 bits instead of 4096. You may need + to adjust the configuration of system monitoring or user-space + entropy gathering services to allow for this. + +- On systems without a hardware RNG, the kernel will log many more + uses of /dev/urandom before it is fully initialised. These uses + were previously under-counted and this is not a regression. + We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to |
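Review bot: In the dsa-texts/4.19.249-2 hunk (@@ -259,8 +259,29 @@) the first two changed lines only re-wrap "For the oldstable distribution (buster), these problems have been fixed in version 4.19.249-2." without changing its wording; keeping the original line breaks would drop that whitespace churn and leave the diff showing only the real additions. In the same hunk "timing side-" / "channel" is split across a line break, which reads oddly in a plain-text advisory; wrapping so that "side-channel" stays on one line would be cleaner (the 4.9.320-2 hunk has the same split). The pool-size bullet could also name /proc/sys/kernel/random/poolsize, since that is where monitoring tools read the value that changes from 4096 to 256.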
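Review bot: In the dsa-texts/4.9.320-2 hunk at CVE-2018-1108 (@@ -36,18 +36,8 @@), the replacement sentence "the random driver has been updated, making it more effective in gathering entropy without needing a hardware RNG" removes the visible-changes list from this entry but gives the reader no pointer to where it went; someone looking up this CVE will miss the pool-size and /dev/urandom logging notes now at the end of the advisory. Suggest appending "(see the notes at the end of this advisory)" to that sentence. The entry also no longer says the driver was backported from Linux 5.19 while the closing paragraph still does; that is acceptable only if the two passages are meant to be read together.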
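Review bot: In the dsa-texts/4.9.320-2 hunk (@@ -266,6 +256,24 @@), the paragraph "enables optimised implementations of several cryptographic and CRC algorithms. For at least AES, this should remove a timing side-channel" does not say which implementations were enabled, so an administrator cannot confirm that the constant-time AES path is actually selected on their armel or armhf system. Consider listing the enabled algorithms, or at least pointing readers to /proc/crypto, where the registered implementations and their priorities can be inspected. The differing wording for the /dev/urandom logging bullet ("will log many more uses" here versus "may log more uses" in the buster text) matches the commit message's note about systemd on buster, so no change needed there.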