author: Ben Hutchings <ben@decadent.org.uk> 2019-08-11 22:38:36 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2019-08-11 22:39:16 +0100
commit: eb5964d5fa0827558f254269b270540b9a645c2d (patch)
tree: f3a0f41755b847a7723c2f96efa905605fd62e9f /dsa-texts/4.9.168-1+deb9u5
parent: eaa8ec4347e578ff50549d34c4b52ebcdd054c10 (diff)
dsa-texts: Add draft for DSA-4497-1 / 4.9.168-1+deb9u5
Diffstat (limited to 'dsa-texts/4.9.168-1+deb9u5')
-rw-r--r-- dsa-texts/4.9.168-1+deb9u5 | 161
1 file changed, 161 insertions, 0 deletions
diff --git a/dsa-texts/4.9.168-1+deb9u5 b/dsa-texts/4.9.168-1+deb9u5
new file mode 100644
index 00000000..ce36f4f7
--- /dev/null
+++ b/dsa-texts/4.9.168-1+deb9u5
@@ -0,0 +1,161 @@
+From: <>
+To: debian-security-announce@lists.debian.org
+Subject: [SECURITY] [DSA 4497-1] linux security update
+
+-------------------------------------------------------------------------
+Debian Security Advisory DSA-4497-1 security@debian.org
+https://www.debian.org/security/
+August 11, 2019 https://www.debian.org/security/faq
+-------------------------------------------------------------------------
+
+Package : linux
+CVE ID : CVE-2015-8553 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856
+ CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207
+ CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648
+ CVE-2019-14283 CVE-2019-14284
+
+Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a privilege escalation, denial of service or information
+leaks.
+
+CVE-2015-8553
+
+ Jan Beulich discovered that CVE-2015-2150 was not completely
+ addressed. If a PCI physical function is passed through to a
+ Xen guest, the guest is able to access its memory and I/O
+ regions before enabling decoding of those regions. This could
+ result in a denial-of-service (unexpected NMI) on the host.
+
+ The fix for this is incompatible with qemu versions before 2.5.
+
+(CVE ID not yet assigned)
+
+ A missing type check was discovered in the IPv4 multicast routing
+ implementation. A user with the CAP_NET_ADMIN capability (in any
+ user namespace) could use this for denial-of-service (memory
+ corruption or crash) or possibly for privilege escalation.
+
+CVE-2018-5995
+
+ ADLab of VenusTech discovered that the kernel logged the virtual
+ addresses assigned to per-CPU data, which could make it easier to
+ exploit other vulnerabilities.
+
+CVE-2018-20836
+
+ chenxiang reported a race condition in libsas, the kernel
+ subsystem supporting Serial Attached SCSI (SAS) devices, which
+ could lead to a use-after-free. It is not clear how this might be
+ exploited.
+
+CVE-2018-20856
+
+ Xiao Jin reported a potential double-free in the block subsystem,
+ in case an error occurs while initialising the I/O scheduler for a
+ block device. It is not clear how this might be exploited.
+
+CVE-2019-1125
+
+ It was discovered that most x86 processors could speculatively
+ skip a conditional SWAPGS instruction used when entering the
+ kernel from user mode, and/or could speculatively execute it when
+ it should be skipped. This is a subtype of Spectre variant 1,
+ which could allow local users to obtain sensitive information from
+ the kernel or other processes. It has been mitigated by using
+ memory barriers to limit speculative execution. Systems using an
+ i386 kernel are not affected as the kernel does not use SWAPGS.
+
+CVE-2019-3882
+
+ It was found that the vfio implementation did not limit the number
+ of DMA mappings to device memory. A local user granted ownership
+ of a vfio device could use this to cause a denial of service
+ (out-of-memory condition).
+
+CVE-2019-3900
+
+ It was discovered that vhost drivers did not properly control the
+ amount of work done to service requests from guest VMs. A
+ malicious guest could use this to cause a denial-of-service
+ (unbounded CPU usage) on the host.
+
+CVE-2019-10207
+
+ The syzkaller tool found a potential null dereference in various
+ drivers for UART-attached Bluetooth adapters. A local user with
+ access to a pty device or other suitable tty device could use this
+ for denial-of-service (BUG/oops).
+
+CVE-2019-10638
+
+ Amit Klein and Benny Pinkas discovered that the generation of IP
+ packet IDs used a weak hash function, "jhash". This could enable
+ tracking individual computers as they communicate with different
+ remote servers and from different networks. The "siphash"
+ function is now used instead.
+
+CVE-2019-10639
+
+ Amit Klein and Benny Pinkas discovered that the generation of IP
+ packet IDs used a weak hash function that incorporated a kernel
+ virtual address. This hash function is no longer used for IP IDs,
+ although it is still used for other purposes in the network stack.
+
+CVE-2019-13631
+
+ It was discovered that the gtco driver for USB input tablets could
+ overrun a stack buffer with constant data while parsing the device's
+ descriptor. A physically present user with a specially
+ constructed USB device could use this to cause a denial-of-service
+ (BUG/oops), or possibly for privilege escalation.
+
+CVE-2019-13648
+
+ Praveen Pandey reported that on PowerPC (ppc64el) systems without
+ Transactional Memory (TM), the kernel would still attempt to
+ restore TM state passed to the sigreturn() system call. A local
+ user could use this for denial-of-service (oops).
+
+CVE-2019-14283
+
+ The syzkaller tool found a missing bounds check in the floppy disk
+ driver. A local user with access to a floppy disk device, with a
+ disk present, could use this to read kernel memory beyond the
+ I/O buffer, possibly obtaining sensitive information.
+
+CVE-2019-14284
+
+ The syzkaller tool found a potential division-by-zero in the
+ floppy disk driver. A local user with access to a floppy disk
+ device could use this for denial-of-service (oops).
+
+(CVE ID not yet assigned)
+
+ Denis Andzakovic reported a possible use-after-free in the
+ TCP sockets implementation. A local user could use this for
+ denial-of-service (memory corruption or crash) or possibly
+ for privilege escalation.
+
+(CVE ID not yet assigned)
+
+ The netfilter conntrack subsystem used kernel addresses as
+ user-visible IDs, which could make it easier to exploit other
+ security vulnerabilities.
+
+For the oldstable distribution (stretch), these problems have been fixed
+in version 4.9.168-1+deb9u5.
+
+For the stable distribution (buster), these problems were mostly fixed
+in version 4.19.37-5+deb10u2 or earlier.
+
+We recommend that you upgrade your linux packages.
+
+For the detailed security status of linux please refer to
+its security tracker page at:
+https://security-tracker.debian.org/tracker/linux
+
+Further information about Debian Security Advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: https://www.debian.org/security/
+
+Mailing list: debian-security-announce@lists.debian.org
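Review bot: Several placeholders in this draft must be resolved before it is sent: the `From: <>` header at the top of the hunk is empty, and the three entries headed `(CVE ID not yet assigned)` (IPv4 multicast routing, TCP sockets use-after-free, netfilter conntrack IDs) are neither identified nor reflected in the `CVE ID :` header block, so the header and the entries will need updating once identifiers exist, or the entries should state that the issues are tracked without a CVE. The buster paragraph, "these problems were mostly fixed in version 4.19.37-5+deb10u2 or earlier", is too vague for an advisory; either name the issues that remain unfixed in buster or drop "mostly". Minor style point: "denial of service" (introduction, CVE-2019-3882) and "denial-of-service" (most other entries) are used interchangeably; pick one form. For the CVE-2015-8553 entry, the sentence "The fix for this is incompatible with qemu versions before 2.5" would be more useful to readers if it stated what that means for a stretch system (which qemu package they need, and what breaks otherwise).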
