1 |
type: security |
2 |
subject: Updated kernel-tmb packages fix multiple security vulnerabilities |
3 |
CVE: |
4 |
- CVE-2013-0231 |
5 |
- CVE-2013-2232 |
6 |
- CVE-2013-2234 |
7 |
- CVE-2013-2237 |
8 |
- CVE-2013-2850 |
9 |
- CVE-2013-2852 |
10 |
src: |
11 |
3: |
12 |
core: |
13 |
- kernel-tmb-3.8.13.4-1.mga3 |
14 |
description: | |
15 |
This kernel-tmb update provides the extended stable 3.8.13.4 kernel and |
16 |
fixes the following security issues: |
17 |
|
18 |
The pciback_enable_msi function in the PCI backend driver |
19 |
(drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux |
20 |
kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to |
21 |
cause a denial of service via a large number of kernel log messages. |
22 |
(CVE-2013-0231 / XSA-43) |
23 |
|
24 |
ipv6: ip6_sk_dst_check() must not assume ipv6 dst |
25 |
It's possible to use AF_INET6 sockets and to connect to an IPv4 |
26 |
destination. After this, socket dst cache is a pointer to a rtable, |
27 |
not rt6_info. This bug can be exploited by local non-root users |
28 |
to trigger various corruptions/crashes (CVE-2013-2232) |
29 |
|
30 |
af_key: fix info leaks in notify messages |
31 |
key_notify_sa_flush() and key_notify_policy_flush() miss to |
32 |
initialize the sadb_msg_reserved member of the broadcasted message |
33 |
and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234) |
34 |
|
35 |
af_key: initialize satype in key_notify_policy_flush() |
36 |
key_notify_policy_flush() miss to nitialize the sadb_msg_satype member |
37 |
of the broadcasted message and thereby leak heap memory to listeners |
38 |
(CVE-2013-2237) |
39 |
|
40 |
Heap-based buffer overflow in the iscsi_add_notunderstood_response function |
41 |
in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target |
42 |
subsystem in the Linux kernel through 3.9.4 allows remote attackers to |
43 |
cause a denial of service (memory corruption and OOPS) or possibly execute |
44 |
arbitrary code via a long key that is not properly handled during |
45 |
construction of an error-response packet. |
46 |
A reproduction case requires patching open-iscsi to send overly large |
47 |
keys. Performing discovery in a loop will Oops the remote server. |
48 |
(CVE-2013-2850) |
49 |
|
50 |
Format string vulnerability in the b43_request_firmware function in |
51 |
drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in |
52 |
the Linux kernel through 3.9.4 allows local users to gain privileges by |
53 |
leveraging root access and including format string specifiers in an |
54 |
fwpostfix modprobe parameter, leading to improper construction of an |
55 |
error message. (CVE-2013-2852) |
56 |
|
57 |
Other fixes: |
58 |
- Fix up alx AR8161 breakage (mga #10079) |
59 |
- bcma: add support for BCM43142 (mga#9378, mga#10611) |
60 |
- net/tg3: Avoid delay during MMIO access |
61 |
- iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets |
62 |
- rtlwifi: rtl8723ae: Fix typo in firmware names |
63 |
- rtlwifi: rtl8192cu: Fix problem in connecting to WEP or WPA(1) networks |
64 |
- md/raid10: fix two bugs affecting RAID10 reshape |
65 |
- crypto: algboss - Hold ref count on larval |
66 |
- perf: Disable monitoring on setuid processes for regular users |
67 |
- netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling |
68 |
- enable X86_X2APIC, X86_REROUTE_FOR_BROKEN_BOOT_IRQS, FHANDLE |
69 |
- disable COMPAT_VDSO (not needed since glibc-2.3.3) |
70 |
|
71 |
For other fixes in the extended stable update, see the referenced shortlog |
72 |
references: |
73 |
- http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=refs/heads/linux-3.8.y;a=shortlog |
74 |
- https://bugs.mageia.org/show_bug.cgi?id=10696 |
75 |
ID: MGASA-2013-0213 |