From a3bb9f20a8b21e3f0293fa25132aedf0f0430252 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 1 Jul 2022 00:41:43 +0200 Subject: Update advisories to note additional important changes At the end of each advisory, note: - The stable updates included. - The random driver changes and their visible effects. These are slightly different for buster as systemd moved away from using /dev/urandom. - Enabling of crypto implementations for 32-bit Arm, which has some security impact. - Other fixes for Debian bugs. --- dsa-texts/4.19.249-2 | 25 +++++++++++++++++++++++-- dsa-texts/4.9.320-2 | 32 ++++++++++++++++++++------------ 2 files changed, 43 insertions(+), 14 deletions(-) diff --git a/dsa-texts/4.19.249-2 b/dsa-texts/4.19.249-2 index 34f77df7..75f6a590 100644 --- a/dsa-texts/4.19.249-2 +++ b/dsa-texts/4.19.249-2 
@@ -259,8 +259,29 @@ CVE-2022-33981 (crash or memory corruption) or possibly for privilege escalation. This ioctl is now disabled by default. -For the oldstable distribution (buster), these problems have been fixed -in version 4.19.249-2. +For the oldstable distribution (buster), these problems have been +fixed in version 4.19.249-2. + +This update also corrects a regression in the network scheduler +subsystem (bug #1013299). + +For the 32-bit Arm (armel and armhf) architectures, this update +enables optimised implementations of several cryptographic and CRC +algorithms. For at least AES, this should remove a timing side- +channel that could lead to a leak of sensitive information. + +This update includes many more bug fixes from stable updates +4.19.236-4.19.249 inclusive, including for bug #1006346. The random +driver has been backported from Linux 5.19, fixing numerous +performance and correctness issues. Some changes will be visible: + +- The entropy pool size is now 256 bits instead of 4096. You may need + to adjust the configuration of system monitoring or user-space + entropy gathering services to allow for this. + +- On systems without a hardware RNG, the kernel may log more uses of + /dev/urandom before it is fully initialised. These uses were + previously under-counted and this is not a regression. We recommend that you upgrade your linux packages. diff --git a/dsa-texts/4.9.320-2 b/dsa-texts/4.9.320-2 index 7169fec7..b8bfdc34 100644 --- a/dsa-texts/4.9.320-2 +++ b/dsa-texts/4.9.320-2 
@@ -36,18 +36,8 @@ CVE-2018-1108 The original fix for this issue had to be reverted because it caused the boot process to hang on many systems. In this version, - the random driver has been backported from Linux 5.19 and is more - effective in gathering entropy without needing a hardware RNG. - - Some changes will be visible: - - - The entropy pool size is now 256 bits instead of 4096. You may - need to adjust the configuration of system monitoring or - user-space entropy gathering services to allow for this. - - - On systems without a hardware RNG, the kernel will log many uses - of /dev/urandom before it is fully initialised. These uses were - previously under-counted and this is not a regression. + the random driver has been updated, making it more effective in + gathering entropy without needing a hardware RNG. CVE-2021-4149 @@ -266,6 +256,24 @@ CVE-2022-33981 For Debian 9 stretch, these problems have been fixed in version 4.9.320-2. +For the 32-bit Arm (armel and armhf) architectures, this update +enables optimised implementations of several cryptographic and CRC +algorithms. For at least AES, this should remove a timing side- +channel that could lead to a leak of sensitive information. + +This update includes many more bug fixes from stable updates +4.9.304-4.9.320 inclusive. The random driver has been backported from +Linux 5.19, fixing numerous performance and correctness issues. Some +changes will be visible: + +- The entropy pool size is now 256 bits instead of 4096. You may need + to adjust the configuration of system monitoring or user-space + entropy gathering services to allow for this. + +- On systems without a hardware RNG, the kernel will log many more + uses of /dev/urandom before it is fully initialised. These uses + were previously under-counted and this is not a regression. + We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to -- cgit v1.2.3
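Review bot: in the first hunk of dsa-texts/4.19.249-2, the armel/armhf paragraph wraps the word as "timing side-" / "channel", which in a plain-text advisory renders as "side- channel"; reflow that paragraph so "side-channel" stays on one line. In the same hunk, bug #1006346 is cited without any indication of what it fixes, whereas #1013299 is described as a network scheduler regression; a few words of description for #1006346 would let readers judge whether it affects them.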
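Review bot: the first hunk of dsa-texts/4.9.320-2 shortens the CVE-2018-1108 entry to "the random driver has been updated" and drops the visible-changes list from it, while the second hunk of the same file re-adds that list (pool size now 256 bits, extra /dev/urandom log messages) at the end of the advisory together with the Linux 5.19 origin. No information is lost overall, but a reader of the CVE-2018-1108 entry no longer learns where the driver came from or that the changes are visible; consider keeping "backported from Linux 5.19" in the entry and adding a pointer such as "see the note at the end of this advisory" so the two pieces of text stay connected.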
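Review bot: the second hunk of dsa-texts/4.9.320-2 has the same "timing side-" / "channel" line wrap as the buster text and should be reflowed for the same reason. It also states that the kernel "will log many more uses of /dev/urandom", where the buster advisory says "may log more uses"; the commit message explains the difference (buster's systemd moved away from using /dev/urandom), but the advisory itself does not, so adding that reason to the stretch text would tell administrators why they see these messages and why it is not a regression.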