| 1 |
type: security |
| 2 |
subject: Updated kernel-linus packages fixes security vulnerabilities |
| 3 |
CVE: |
| 4 |
- CVE-2018-12126 |
| 5 |
- CVE-2018-12127 |
| 6 |
- CVE-2018-12130 |
| 7 |
- CVE-2018-1000026 |
| 8 |
- CVE-2019-3882 |
| 9 |
- CVE-2019-7308 |
| 10 |
- CVE-2019-9213 |
| 11 |
- CVE-2019-11091 |
| 12 |
- CVE-2019-11486 |
| 13 |
- CVE-2019-11599 |
| 14 |
src: |
| 15 |
6: |
| 16 |
core: |
| 17 |
- kernel-linus-4.14.119-1.mga6 |
| 18 |
description: | |
| 19 |
This kernel update provides the upstream 4.14.119 that adds the kernel side |
| 20 |
mitigations for the Microarchitectural Data Sampling (MDS, also called |
| 21 |
ZombieLoad attack) vulnerabilities in Intel processors that can allow |
| 22 |
attackers to retrieve data being processed inside a CPU. To complete the |
| 23 |
mitigations new microcode is also needed, either by installing the |
| 24 |
microcode-0.20190514-1.mga6 package, or get an updated bios / uefi |
| 25 |
firmware from the motherboard vendor. |
| 26 |
|
| 27 |
The fixed / mitigated issues are: |
| 28 |
|
| 29 |
Modern Intel microprocessors implement hardware-level micro-optimizations |
| 30 |
to improve the performance of writing data back to CPU caches. The write |
| 31 |
operation is split into STA (STore Address) and STD (STore Data) |
| 32 |
sub-operations. These sub-operations allow the processor to hand-off |
| 33 |
address generation logic into these sub-operations for optimized writes. |
| 34 |
Both of these sub-operations write to a shared distributed processor |
| 35 |
structure called the 'processor store buffer'. As a result, an |
| 36 |
unprivileged attacker could use this flaw to read private data resident |
| 37 |
within the CPU's processor store buffer. (CVE-2018-12126) |
| 38 |
|
| 39 |
Microprocessors use a ‘load port’ subcomponent to perform load operations |
| 40 |
from memory or IO. During a load operation, the load port receives data |
| 41 |
from the memory or IO subsystem and then provides the data to the CPU |
| 42 |
registers and operations in the CPU’s pipelines. Stale load operations |
| 43 |
results are stored in the 'load port' table until overwritten by newer |
| 44 |
operations. Certain load-port operations triggered by an attacker can be |
| 45 |
used to reveal data about previous stale requests leaking data back to the |
| 46 |
attacker via a timing side-channel. (CVE-2018-12127) |
| 47 |
|
| 48 |
A flaw was found in the implementation of the "fill buffer", a mechanism |
| 49 |
used by modern CPUs when a cache-miss is made on L1 CPU cache. If an |
| 50 |
attacker can generate a load operation that would create a page fault, |
| 51 |
the execution will continue speculatively with incorrect data from the |
| 52 |
fill buffer while the data is fetched from higher level caches. This |
| 53 |
response time can be measured to infer data in the fill buffer. |
| 54 |
(CVE-2018-12130) |
| 55 |
|
| 56 |
Uncacheable memory on some microprocessors utilizing speculative execution |
| 57 |
may allow an authenticated user to potentially enable information disclosure |
| 58 |
via a side channel with local access. (CVE-2019-11091) |
| 59 |
|
| 60 |
|
| 61 |
It also fixes atleast the following security issues: |
| 62 |
|
| 63 |
Linux Linux kernel version at least v4.8 onwards, probably well before |
| 64 |
contains a Insufficient input validation vulnerability in bnx2x network |
| 65 |
card driver that can result in DoS: Network card firmware assertion takes |
| 66 |
card off-line. This attack appear to be exploitable via An attacker on a |
| 67 |
must pass a very large, specially crafted packet to the bnx2x card. |
| 68 |
This can be done from an untrusted guest VM (CVE-2018-1000026) |
| 69 |
|
| 70 |
A flaw was found in the Linux kernel's vfio interface implementation that |
| 71 |
permits violation of the user's locked memory limit. If a device is bound |
| 72 |
to a vfio driver, such as vfio-pci, and the local attacker is |
| 73 |
administratively granted ownership of the device, it may cause a system |
| 74 |
memory exhaustion and thus a denial of service (DoS) (CVE-2019-3882). |
| 75 |
|
| 76 |
kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable |
| 77 |
out-of-bounds speculation on pointer arithmetic in various cases, including |
| 78 |
cases of different branches with different state or limits to sanitize, |
| 79 |
leading to side-channel attacks (CVE-2019-7308). |
| 80 |
|
| 81 |
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks |
| 82 |
a check for the mmap minimum address, which makes it easier for attackers |
| 83 |
to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is |
| 84 |
related to a capability check for the wrong task (CVE-2019-9213). |
| 85 |
|
| 86 |
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the |
| 87 |
Linux kernel before 5.0.8 has multiple race conditions (CVE-2019-11486). |
| 88 |
|
| 89 |
The coredump implementation in the Linux kernel before 5.0.10 does not use |
| 90 |
locking or other mechanisms to prevent vma layout or vma flags changes while |
| 91 |
it runs, which allows local users to obtain sensitive information, cause a |
| 92 |
denial of service, or possibly have unspecified other impact by triggering |
| 93 |
a race condition with mmget_not_zero or get_task_mm calls (CVE-2019-11599). |
| 94 |
|
| 95 |
It also fixes signal handling issues causing powertop to crash and some |
| 96 |
tracing tools to fail on execve tests. |
| 97 |
|
| 98 |
For other uptstream fixes in this update, see the referenced changelogs. |
| 99 |
references: |
| 100 |
- https://bugs.mageia.org/show_bug.cgi?id=24775 |
| 101 |
- https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html |
| 102 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.101 |
| 103 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.102 |
| 104 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.103 |
| 105 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.104 |
| 106 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.105 |
| 107 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.106 |
| 108 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.107 |
| 109 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.108 |
| 110 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.109 |
| 111 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.110 |
| 112 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.111 |
| 113 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.112 |
| 114 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.113 |
| 115 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114 |
| 116 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.115 |
| 117 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.116 |
| 118 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.117 |
| 119 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.118 |
| 120 |
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.119 |
| 121 |
ID: MGASA-2019-0172 |
Parent Directory
| 
Revision Log