From 9db458c1dae9942c673cc29fb111342b63a605b3 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 12 Aug 2020 18:32:51 +0100
Subject: Add DLAs for firmware and kernel backports

These cover the backported packages firmware-nonfree, linux-4.9, and
linux-latest-4.19.
---
 english/lts/security/2020/dla-2321.data |   9 +++
 english/lts/security/2020/dla-2321.wml  |  19 ++++++
 english/lts/security/2020/dla-2323.data |  10 +++
 english/lts/security/2020/dla-2323.wml  | 112 ++++++++++++++++++++++++++++++++
 english/lts/security/2020/dla-2324.data |   9 +++
 english/lts/security/2020/dla-2324.wml  |  40 ++++++++++++
 6 files changed, 199 insertions(+)
 create mode 100644 english/lts/security/2020/dla-2321.data
 create mode 100644 english/lts/security/2020/dla-2321.wml
 create mode 100644 english/lts/security/2020/dla-2323.data
 create mode 100644 english/lts/security/2020/dla-2323.wml
 create mode 100644 english/lts/security/2020/dla-2324.data
 create mode 100644 english/lts/security/2020/dla-2324.wml

diff --git a/english/lts/security/2020/dla-2321.data b/english/lts/security/2020/dla-2321.data
new file mode 100644
index 00000000000..9de5ff2cd77
--- /dev/null
+++ b/english/lts/security/2020/dla-2321.data
@@ -0,0 +1,9 @@
+<define-tag pagetitle>DLA-2321-1 firmware-nonfree</define-tag>
+<define-tag report_date>2020-08-11</define-tag>
+<define-tag packages>firmware-nonfree</define-tag>
+<define-tag isvulnerable>no</define-tag>
+<define-tag fixed>no</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
diff --git a/english/lts/security/2020/dla-2321.wml b/english/lts/security/2020/dla-2321.wml
new file mode 100644
index 00000000000..ccaab75ae3b
--- /dev/null
+++ b/english/lts/security/2020/dla-2321.wml
@@ -0,0 +1,19 @@
+<define-tag description>LTS new upstream version</define-tag>
+<define-tag moreinfo>
+<p>The firmware-nonfree package has been updated to include additional
+firmware that may be requested by some drivers in Linux 4.19.</p>
+
+<p>Along with additional kernel packages that will be announced later,
+this will provide a supported upgrade path for systems that currently
+use kernel and firmware packages from the "stretch-backports" suite.</p>
+
+<p>This update is not known to fix any security issues.</p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2020/dla-2321.data"
+# $Id: $
diff --git a/english/lts/security/2020/dla-2323.data b/english/lts/security/2020/dla-2323.data
new file mode 100644
index 00000000000..6da3e564bd9
--- /dev/null
+++ b/english/lts/security/2020/dla-2323.data
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-2323-1 linux-4.19</define-tag>
+<define-tag report_date>2020-08-12</define-tag>
+<define-tag secrefs>CVE-2019-18814 CVE-2019-18885 CVE-2019-20810 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-12655 CVE-2020-12771 CVE-2020-13974 CVE-2020-15393 Bug#958300 Bug#960493 Bug#962254 Bug#963493 Bug#964153 Bug#964480 Bug#965365</define-tag>
+<define-tag packages>linux-4.19</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
diff --git a/english/lts/security/2020/dla-2323.wml b/english/lts/security/2020/dla-2323.wml
new file mode 100644
index 00000000000..56346fd4c70
--- /dev/null
+++ b/english/lts/security/2020/dla-2323.wml
@@ -0,0 +1,112 @@
+<define-tag description>LTS new package</define-tag>
+<define-tag moreinfo>
+<p>Linux 4.19 has been packaged for Debian 9 as linux-4.19.  This
+provides a supported upgrade path for systems that currently use
+kernel packages from the "stretch-backports" suite.</p>
+
+<p>There is no need to upgrade systems using Linux 4.9, as that kernel
+version will also continue to be supported in the LTS period.</p>
+
+<p>This backport does not include the following binary packages:</p>
+
+<blockquote>hyperv-daemons libbpf-dev libbpf4.19 libcpupower-dev libcpupower1
+liblockdep-dev liblockdep4.19 linux-compiler-gcc-6-arm
+linux-compiler-gcc-6-x86 linux-cpupower linux-libc-dev lockdep
+usbip</blockquote>
+
+<p>Older versions of most of those are built from the linux source
+package in Debian 9.</p>
+
+<p>The kernel images and modules will not be signed for use on systems
+with Secure Boot enabled, as there is no support for this in Debian 9.</p>
+
+<p>Several vulnerabilities have been discovered in the Linux kernel that
+may lead to a denial of service or information leak.</p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-18814">CVE-2019-18814</a>
+
+    <p>Navid Emamdoost reported a potential use-after-free in the
+    AppArmor security module, in the case that audit rule
+    initialisation fails.  The security impact of this is unclear.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-18885">CVE-2019-18885</a>
+
+    <p>The <q>bobfuzzer</q> team discovered that crafted Btrfs volumes could
+    trigger a crash (oops).  An attacker able to mount such a volume
+    could use this to cause a denial of service.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-20810">CVE-2019-20810</a>
+
+    <p>A potential memory leak was discovered in the go7007 media driver.
+    The security impact of this is unclear.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10766">CVE-2020-10766</a>
+
+    <p>Anthony Steinhauser reported a flaw in the mitigation for
+    Speculative Store Bypass (<a href="https://security-tracker.debian.org/tracker/CVE-2018-3639">CVE-2018-3639</a>) on x86 CPUs.  A local
+    user could use this to temporarily disable SSB mitigation in other
+    users' tasks.  If those other tasks run sandboxed code, this would
+    allow that code to read sensitive information in the same process
+    but outside the sandbox.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10767">CVE-2020-10767</a>
+
+    <p>Anthony Steinhauser reported a flaw in the mitigation for Spectre
+    variant 2 (<a href="https://security-tracker.debian.org/tracker/CVE-2017-5715">CVE-2017-5715</a>) on x86 CPUs.  Depending on which other
+    mitigations the CPU supports, the kernel might not use IBPB to
+    mitigate Spectre variant 2 in user-space.  A local user could use
+    this to read sensitive information from other users' processes.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-10768">CVE-2020-10768</a>
+
+    <p>Anthony Steinhauser reported a flaw in the mitigation for Spectre
+    variant 2 (<a href="https://security-tracker.debian.org/tracker/CVE-2017-5715">CVE-2017-5715</a>) on x86 CPUs.  After a task force    disabled indirect branch speculation through prctl(), it could
+    still re-enable it later, so it was not possible to override a
+    program that explicitly enabled it.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12655">CVE-2020-12655</a>
+
+    <p>Zheng Bin reported that crafted XFS volumes could trigger a system
+    hang.  An attacker able to mount such a volume could use this to
+    cause a denial of service.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-12771">CVE-2020-12771</a>
+
+    <p>Zhiqiang Liu reported a bug in the bcache block driver that could
+    lead to a system hang.  The security impact of this is unclear.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-13974">CVE-2020-13974</a>
+
+    <p>Kyungtae Kim reported a potential integer overflow in the vt
+    (virtual terminal) driver.  The security impact of this is
+    unclear.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-15393">CVE-2020-15393</a>
+
+    <p>Kyungtae Kim reported a memory leak in the usbtest driver.  The
+    security impact of this is unclear.</p></li>
+
+</ul>
+
+<p>For Debian 9 <q>Stretch</q>, these problems have been fixed in version
+4.19.132-1~deb9u1.  This update additionally fixes Debian bugs
+<a href="https://bugs.debian.org/958300">#958300</a>, <a href="https://bugs.debian.org/960493">#960493</a>, <a href="https://bugs.debian.org/962254">#962254</a>, <a href="https://bugs.debian.org/963493">#963493</a>, <a href="https://bugs.debian.org/964153">#964153</a>, <a href="https://bugs.debian.org/964480">#964480</a>, and <a href="https://bugs.debian.org/965365">#965365</a>; and
+includes many more bug fixes from stable updates 4.19.119-4.19.132
+inclusive.</p>
+
+<p>We recommend that you upgrade your linux-4.19 packages.</p>
+
+<p>For the detailed security status of linux-4.19 please refer to
+its security tracker page at:
+<a href="https://security-tracker.debian.org/tracker/linux-4.19">https://security-tracker.debian.org/tracker/linux-4.19</a></p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2020/dla-2323.data"
+# $Id: $
diff --git a/english/lts/security/2020/dla-2324.data b/english/lts/security/2020/dla-2324.data
new file mode 100644
index 00000000000..34f84cc3be2
--- /dev/null
+++ b/english/lts/security/2020/dla-2324.data
@@ -0,0 +1,9 @@
+<define-tag pagetitle>DLA-2324-1 linux-latest-4.19</define-tag>
+<define-tag report_date>2020-08-12</define-tag>
+<define-tag packages>linux-latest-4.19</define-tag>
+<define-tag isvulnerable>no</define-tag>
+<define-tag fixed>no</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
diff --git a/english/lts/security/2020/dla-2324.wml b/english/lts/security/2020/dla-2324.wml
new file mode 100644
index 00000000000..466089d339e
--- /dev/null
+++ b/english/lts/security/2020/dla-2324.wml
@@ -0,0 +1,40 @@
+<define-tag description>LTS new package</define-tag>
+<define-tag moreinfo>
+<p>Linux 4.19 has been packaged for Debian 9 as linux-4.19.  This
+provides a supported upgrade path for systems that currently use
+kernel packages from the "stretch-backports" suite.</p>
+
+<p>However, "apt full-upgrade" will *not* automatically install the
+updated kernel packages.  You should explicitly install one of the
+following metapackages first, as appropriate for your system:</p>
+
+<ul>
+  <li>linux-image-4.19-686</li>
+  <li>linux-image-4.19-686-pae</li>
+  <li>linux-image-4.19-amd64</li>
+  <li>linux-image-4.19-arm64</li>
+  <li>linux-image-4.19-armmp</li>
+  <li>linux-image-4.19-armmp-lpae</li>
+  <li>linux-image-4.19-cloud-amd64</li>
+  <li>linux-image-4.19-marvell</li>
+  <li>linux-image-4.19-rpi</li>
+  <li>linux-image-4.19-rt-686-pae</li>
+  <li>linux-image-4.19-rt-amd64</li>
+  <li>linux-image-4.19-rt-arm64</li>
+  <li>linux-image-4.19-rt-armmp</li>
+</ul>
+
+<p>For example, if the command "uname -r" currently shows
+"4.19.0-0.bpo.9-amd64", you should install linux-image-4.19-amd64.</p>
+
+<p>There is no need to upgrade systems using Linux 4.9, as that kernel
+version will also continue to be supported in the LTS period.</p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2020/dla-2324.data"
+# $Id: $
-- 
cgit v1.2.3