diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2019-08-11 22:38:36 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-08-11 22:39:16 +0100 |
commit | eb5964d5fa0827558f254269b270540b9a645c2d (patch) | |
tree | f3a0f41755b847a7723c2f96efa905605fd62e9f /dsa-texts/4.9.168-1+deb9u5 | |
parent | eaa8ec4347e578ff50549d34c4b52ebcdd054c10 (diff) |
dsa-texts: Add draft for DSA-4497-1 / 4.9.168-1+deb9u5
Diffstat (limited to 'dsa-texts/4.9.168-1+deb9u5')
-rw-r--r-- | dsa-texts/4.9.168-1+deb9u5 | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/dsa-texts/4.9.168-1+deb9u5 b/dsa-texts/4.9.168-1+deb9u5 new file mode 100644 index 00000000..ce36f4f7 --- /dev/null +++ b/dsa-texts/4.9.168-1+deb9u5 @@ -0,0 +1,161 @@ +From: <> +To: debian-security-announce@lists.debian.org +Subject: [SECURITY] [DSA 4497-1] linux security update + +------------------------------------------------------------------------- +Debian Security Advisory DSA-4497-1 security@debian.org +https://www.debian.org/security/ +August 11, 2019 https://www.debian.org/security/faq +------------------------------------------------------------------------- + +Package : linux +CVE ID : CVE-2015-8553 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856 + CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207 + CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648 + CVE-2019-14283 CVE-2019-14284 + +Several vulnerabilities have been discovered in the Linux kernel that +may lead to a privilege escalation, denial of service or information +leaks. + +CVE-2015-8553 + + Jan Beulich discovered that CVE-2015-2150 was not completely + addressed. If a PCI physical function is passed through to a + Xen guest, the guest is able to access its memory and I/O + regions before enabling decoding of those regions. This could + result in a denial-of-service (unexpected NMI) on the host. + + The fix for this is incompatible with qemu versions before 2.5. + +(CVE ID not yet assigned) + + A missing type check was discovered in the IPv4 multicast routing + implementation. A user with the CAP_NET_ADMIN capability (in any + user namespace) could use this for denial-of-service (memory + corruption or crash) or possibly for privilege escalation. + +CVE-2018-5995 + + ADLab of VenusTech discovered that the kernel logged the virtual + addresses assigned to per-CPU data, which could make it easier to + exploit other vulnerabilities. + +CVE-2018-20836 + + chenxiang reported a race condition in libsas, the kernel + subsystem supporting Serial Attached SCSI (SAS) devices, which + could lead to a use-after-free. It is not clear how this might be + exploited. + +CVE-2018-20856 + + Xiao Jin reported a potential double-free in the block subsystem, + in case an error occurs while initialising the I/O scheduler for a + block device. It is not clear how this might be exploited. + +CVE-2019-1125 + + It was discovered that most x86 processors could speculatively + skip a conditional SWAPGS instruction used when entering the + kernel from user mode, and/or could speculatively execute it when + it should be skipped. This is a subtype of Spectre variant 1, + which could allow local users to obtain sensitive information from + the kernel or other processes. It has been mitigated by using + memory barriers to limit speculative execution. Systems using an + i386 kernel are not affected as the kernel does not use SWAPGS. + +CVE-2019-3882 + + It was found that the vfio implementation did not limit the number + of DMA mappings to device memory. A local user granted ownership + of a vfio device could use this to cause a denial of service + (out-of-memory condition). + +CVE-2019-3900 + + It was discovered that vhost drivers did not properly control the + amount of work done to service requests from guest VMs. A + malicious guest could use this to cause a denial-of-service + (unbounded CPU usage) on the host. + +CVE-2019-10207 + + The syzkaller tool found a potential null dereference in various + drivers for UART-attached Bluetooth adapters. A local user with + access to a pty device or other suitable tty device could use this + for denial-of-service (BUG/oops). + +CVE-2019-10638 + + Amit Klein and Benny Pinkas discovered that the generation of IP + packet IDs used a weak hash function, "jhash". This could enable + tracking individual computers as they communicate with different + remote servers and from different networks. The "siphash" + function is now used instead. + +CVE-2019-10639 + + Amit Klein and Benny Pinkas discovered that the generation of IP + packet IDs used a weak hash function that incorporated a kernel + virtual address. This hash function is no longer used for IP IDs, + although it is still used for other purposes in the network stack. + +CVE-2019-13631 + + It was discovered that the gtco driver for USB input tablets could + overrun a stack buffer with constant data while parsing the device's + descriptor. A physically present user with a specially + constructed USB device could use this to cause a denial-of-service + (BUG/oops), or possibly for privilege escalation. + +CVE-2019-13648 + + Praveen Pandey reported that on PowerPC (ppc64el) systems without + Transactional Memory (TM), the kernel would still attempt to + restore TM state passed to the sigreturn() system call. A local + user could use this for denial-of-service (oops). + +CVE-2019-14283 + + The syzkaller tool found a missing bounds check in the floppy disk + driver. A local user with access to a floppy disk device, with a + disk present, could use this to read kernel memory beyond the + I/O buffer, possibly obtaining sensitive information. + +CVE-2019-14284 + + The syzkaller tool found a potential division-by-zero in the + floppy disk driver. A local user with access to a floppy disk + device could use this for denial-of-service (oops). + +(CVE ID not yet assigned) + + Denis Andzakovic reported a possible use-after-free in the + TCP sockets implementation. A local user could use this for + denial-of-service (memory corruption or crash) or possibly + for privilege escalation. + +(CVE ID not yet assigned) + + The netfilter conntrack subsystem used kernel addresses as + user-visible IDs, which could make it easier to exploit other + security vulnerabilities. + +For the oldstable distribution (stretch), these problems have been fixed +in version 4.9.168-1+deb9u5. + +For the stable distribution (buster), these problems were mostly fixed +in version 4.19.37-5+deb10u2 or earlier. + +We recommend that you upgrade your linux packages. + +For the detailed security status of linux please refer to +its security tracker page at: +https://security-tracker.debian.org/tracker/linux + +Further information about Debian Security Advisories, how to apply +these updates to your system and frequently asked questions can be +found at: https://www.debian.org/security/ + +Mailing list: debian-security-announce@lists.debian.org |