Thursday, February 27, 2020

[CentOS-announce] CESA-2020:0630 Important CentOS 7 ppp Security Update

CentOS Errata and Security Advisory 2020:0630 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0630

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
209188ad9183f4721bb5b789f84d66a7bcd1962382237ffab062ddc0fc50dbf3 ppp-2.4.5-34.el7_7.x86_64.rpm
5889d4cf6725e690384aecf6581a904d47cd117548d140761b4ddc49106635f4 ppp-devel-2.4.5-34.el7_7.i686.rpm
3bd6ee211d8e51d58139aa2751c0be1ece76f1b4260c432be6ba9bc1622536b2 ppp-devel-2.4.5-34.el7_7.x86_64.rpm

Source:
54028e3616882b4f85013fc4614d8d4c785264e1177115d37f544d3d8ad66caa ppp-2.4.5-34.el7_7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2020:0632 Important CentOS 6 java-1.7.0-openjdk Security Update

CentOS Errata and Security Advisory 2020:0632 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0632

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
73954883d0d04f584d064e003f06b932a7e456432116bcb092f44f0a621d835f java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el6_10.i686.rpm
079999f5b4c30b6e5898cf81be7a22bd0aca364efa98d504b851054a1320a4d8 java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el6_10.i686.rpm
208fb0508de643b5c9c7192106624b023de8d4de9911fe08fb6c356a13348317 java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el6_10.i686.rpm
07762e6d97641fb86115e59b02f59764e38124d19287f7fd5df85acf7b2b57c9 java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el6_10.noarch.rpm
d452560ee5183a0a221502bada86dac10ab27b3487f2168f5dfdbae647ed3a6a java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el6_10.i686.rpm

x86_64:
1780d0ad4ac087a69efc6d91ed4dc35b605e8eb8a62f782c109313e451dba247 java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el6_10.x86_64.rpm
18aa96296cbb828d8d6e3993ade6e0c15e5dbd9dbb7aa8df9c385fdcbec43230 java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el6_10.x86_64.rpm
a49ba59dd75a69c26430d4114af3b1e327437da5a31092944bc268ebd8616ef5 java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el6_10.x86_64.rpm
07762e6d97641fb86115e59b02f59764e38124d19287f7fd5df85acf7b2b57c9 java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el6_10.noarch.rpm
83044acee34303d4d4cae9cf6a99da47672248597320fd953686764f6d038e0b java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el6_10.x86_64.rpm

Source:
333c7d00d5c97bd896dc02c0f071492e26edb64ad93a85cb8cb1cda239a6fd6f java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el6_10.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0631 Important CentOS 6 ppp Security Update

CentOS Errata and Security Advisory 2020:0631 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0631

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
dfc5e0ac7f70af3f157560b0821dd9c0e2a156fd8481dd7bf8c62954efa48400 ppp-2.4.5-11.el6_10.i686.rpm
5c9da723507a3b73e11d7ffa09c0b19557020eed33df53c479177aab84e68206 ppp-devel-2.4.5-11.el6_10.i686.rpm

x86_64:
effd49b932b555e4d1750fb74af48837c10ea2f25589746fb2e66a56a72821de ppp-2.4.5-11.el6_10.x86_64.rpm
5c9da723507a3b73e11d7ffa09c0b19557020eed33df53c479177aab84e68206 ppp-devel-2.4.5-11.el6_10.i686.rpm
7aacbb479fd7a4e8a77ae141fe8977882394d3fd221e2b53e6f2a8a244f46290 ppp-devel-2.4.5-11.el6_10.x86_64.rpm

Source:
3ace11d9189794efd7239ac27b481692b4e0f2939a9b471ced71c513801ef594 ppp-2.4.5-11.el6_10.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Wednesday, February 26, 2020

[CentOS-announce] CESA-2020:0574 Important CentOS 6 thunderbird Security Update

CentOS Errata and Security Advisory 2020:0574 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0574

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
0ecd700cd71a96565913e36ef8350995a5d00cccc830f3042f00fbebd833fdf2 thunderbird-68.5.0-1.el6.centos.i686.rpm

x86_64:
0f8583b47449d42711d8df5daeb3e9a2ec217c1304e771a711b8d775673f60f5 thunderbird-68.5.0-1.el6.centos.x86_64.rpm

Source:
bb00e7c71ec579f52dbb33f9fef9676a2b27b49250e451798f9a4c8ef765f927 thunderbird-68.5.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0576 Important CentOS 7 thunderbird Security Update

CentOS Errata and Security Advisory 2020:0576 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0576

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
7d68665877df01b039d49ab94dfd049eeb2f0eb35c3bc4f8d48f853eb0d56fa3 thunderbird-68.5.0-1.el7.centos.x86_64.rpm

Source:
b60f4ca1059f7dacd5e38fa71b5456168e78fc4955e9127f064b89c8b837cbea thunderbird-68.5.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0568 Important CentOS 7 ksh Security Update

CentOS Errata and Security Advisory 2020:0568 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0568

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
0987cea3cf687c71517c7e29b83521e818a9f811cee57df2375adac9b04e75d7 ksh-20120801-140.el7_7.x86_64.rpm

Source:
2ae6d7ccd138425b20e227033b0bf811ac0f1c92c7962368642e38c618c9d8d7 ksh-20120801-140.el7_7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0578 Important CentOS 7 python-pillow Security Update

CentOS Errata and Security Advisory 2020:0578 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0578

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
10d0763e405aae51e7c80f9f1a0a4d60ccaffc7c5e3baa09ef8eda3c4d9bd805 python-pillow-2.0.0-20.gitd1c6db8.el7_7.i686.rpm
5315ecf80b6847a540d59697ce47c0a18b49494994dbd4f1010b591396fca1ca python-pillow-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm
2493055e42d60e589c60321de254932992d14d999da734cb52163b30163ae455 python-pillow-devel-2.0.0-20.gitd1c6db8.el7_7.i686.rpm
2af1d74c965029b48878392480b2e52436fea0ab666e9bc362c66fd4f3b4c6de python-pillow-devel-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm
ec5588c4d600ecc876cf8b9237376e3d0fc72c512a8d7cfeb17e8e21ebaf4498 python-pillow-doc-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm
216c146772490caa86d5e64c46cd34f65d01596a2a1104d8d1860720923ffdba python-pillow-qt-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm
b3b57a7090b5e581f5015d946336f3d4bccf3d6eff4196c08b24496daa8d9c3d python-pillow-sane-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm
26767bd6254f64e52f0a6d14a4ab34f3e6e08476864535c13cd47cfcafa4bf2e python-pillow-tk-2.0.0-20.gitd1c6db8.el7_7.x86_64.rpm

Source:
6f6aa7223ab73060ec98c82411c898a7f6c9b66acbb474a7c9bce5ccced0220a python-pillow-2.0.0-20.gitd1c6db8.el7_7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0374 Important CentOS 7 kernel Security Update

CentOS Errata and Security Advisory 2020:0374 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0374

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
823a3224138464ae405a87ef40428caa99f7bed4e0014ddbf0650d9eb0b7d314 bpftool-3.10.0-1062.12.1.el7.x86_64.rpm
b6a9f2c16aff89bb7fa364c61c1efecb2afb84e0c5e309aff644c7e198556523 kernel-3.10.0-1062.12.1.el7.x86_64.rpm
33d336117d15fe7d6d14ff88f013fa311c25b2db739bfaa193997cf87d5725c8 kernel-abi-whitelists-3.10.0-1062.12.1.el7.noarch.rpm
294bf893c42a86cae92bccf8246e65e9a2e1156f77bc7994d388634dbf980b7c kernel-debug-3.10.0-1062.12.1.el7.x86_64.rpm
6233e348a7183027f88e4164d5c978bb12de89ef246b6a93ca303eaf775573f8 kernel-debug-devel-3.10.0-1062.12.1.el7.x86_64.rpm
d0183b67d31d57fc7c58646e0d1c337169cab5d792538ae04116111f8398cd92 kernel-devel-3.10.0-1062.12.1.el7.x86_64.rpm
d58b7b9a6d64c9fd4f67b9859de2c71a2e6c959664582d2026428bc48f44df37 kernel-doc-3.10.0-1062.12.1.el7.noarch.rpm
d9d0bbbea0747ecfde0b657ee0cbe1fa49173d5151c264ab78862caeba4800d3 kernel-headers-3.10.0-1062.12.1.el7.x86_64.rpm
8ec5ea4586dd3997d3f65412766b958e45ac79843f41fd28c4b7c6fe5be24ccc kernel-tools-3.10.0-1062.12.1.el7.x86_64.rpm
60a2921ead8c26cf3937ebe81ac71006bb8ed724786aaf13235f85653cfd65e6 kernel-tools-libs-3.10.0-1062.12.1.el7.x86_64.rpm
2a1686c967c2bd0ead48b1883dcf6d662df25622dea3236c023f95cabf03d627 kernel-tools-libs-devel-3.10.0-1062.12.1.el7.x86_64.rpm
6cbb0603daf4dca9be7f6b2ee8208ffca490360b3f98661db878ac11ba181eab perf-3.10.0-1062.12.1.el7.x86_64.rpm
310a94c94acc848628da65728cb7b116303fdeb61efbdd4a742324b37ee941f6 python-perf-3.10.0-1062.12.1.el7.x86_64.rpm

Source:
d4e974016eb6f79cc3c65e8614be75d7aa2cfc423b10962db648f430b53016b0 kernel-3.10.0-1062.12.1.el7.centos.plus.src.rpm
1fadf666591312c708379616407db46c8d46866dce958447239a21627b6ca7a5 kernel-3.10.0-1062.12.1.el7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Tuesday, February 25, 2020

Fedora 32 Beta Freeze

Hi all,

Today's an important day on the Fedora 32 schedule[1], with several
significant cut-offs. First of all today is the Bodhi activation point
[2]. That means that from now on all Fedora 32 packages must be
submitted to updates-testing and pass the relevant requirements[3]
before they will be marked as 'stable' and moved to the fedora
repository.

Today is also the Beta freeze[4]. This means that only packages which
fix accepted blocker or freeze exception bugs[5][6] will be marked as
'stable' and included in the Beta composes. Other builds will remain
in updates-testing until the Beta release is approved, at which point
the Beta freeze is lifted and packages can move to 'stable' as usual
until the Final freeze.

Finally, today is the '100% code complete deadline' Change
Checkpoint[5], meaning that Fedora 32 Changes must now be code
complete, meaning all the code required to enable the new change is
finished. The level of code completeness is reflected as tracker bug
state ON_QA. The change does not have to be fully tested by this
deadline.

Finally, today is also the Software String freeze[7], which means that
strings marked for translation in Fedora-translated projects should
not now be changed for Fedora 32.

Mohan Boddu

[1] https://fedorapeople.org/groups/schedule/f-32/f-32-key-tasks.html
[2] https://fedoraproject.org/wiki/Updates_Policy#Bodhi_enabling
[3] https://fedoraproject.org/wiki/Updates_Policy#Branched_release
[4] https://fedoraproject.org/wiki/Milestone_freezes
[5] https://fedoraproject.org/wiki/QA:SOP_blocker_bug_process
[6] https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process
[7] https://fedoraproject.org/wiki/ReleaseEngineering/StringFreezePolicy
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[announce] Next NYC*BUG: *Tuesday* March 3rd

Next NYC*BUG: *Tuesday* March 3rd
A DNS talk by Dr. Paul Vixie!

Operating Systems as Dumb Pipes,
by Dr. Paul Vixie
2020-03-03 @ 18:45 - NYU Tandon Engineering Building (new), 370 Jay St, Room 1013, 10th Floor, Brooklyn NY

More info and RSVP:
https://www.nycbug.org/index?action=view&id=10677
_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org:8080/mailman/listinfo/announce

Monday, February 24, 2020

[USN-4292-1] rsync vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4292-1
February 25, 2020

rsync vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in rsync.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

It was discovered that rsync incorrectly handled pointer arithmetic in zlib.
An attacker could use this issue to cause rsync to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-9840,
CVE-2016-9841)

It was discovered that rsync incorrectly handled vectors involving left shifts
of negative integers in zlib. An attacker could use this issue to cause rsync
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9842)

It was discovered that rsync incorrectly handled vectors involving big-endian
CRC calculation in zlib. An attacker could use this issue to cause rsync to
crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9843)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
rsync 3.1.2-2.1ubuntu1.1

Ubuntu 16.04 LTS:
rsync 3.1.1-3ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4292-1
CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.1.2-2.1ubuntu1.1
https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.3

OpenBSD Errata: February 24th, 2020 (smtpd_envelope)

Errata patches for OpenSMTPD have been released for OpenBSD 6.5 and 6.6.

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.

Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

https://www.openbsd.org/errata65.html
https://www.openbsd.org/errata66.html

After patching, restart the smtpd service.

REMINDER: Fedora 32 Code complete (100% complete) deadline tomorrow

According to the Fedora 32 schedule[1], the deadline for Changes to be
in a code complete (100% complete) state is *tomorrow* 25 February. At
this time, all Changes should be fully implemented and tracker bugs
set to the ON_QA state.

[1] https://fedorapeople.org/groups/schedule/f-32/f-32-key-tasks.html

--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis

[USN-4290-1] libpam-radius-auth vulnerability

==========================================================================
Ubuntu Security Notice USN-4290-1
February 24, 2020

libpam-radius-auth vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

libpam-radius-auth could be made to crash if it received specially crafted
network traffic.

Software Description:
- libpam-radius-auth: The PAM RADIUS authentication module

Details:

It was discovered that libpam-radius-auth incorrectly handled certain long
passwords. A remote attacker could possibly use this issue to cause
libpam-radius-auth to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
libpam-radius-auth 1.3.17-0ubuntu5.19.10.1

Ubuntu 18.04 LTS:
libpam-radius-auth 1.3.17-0ubuntu5.18.04.1

Ubuntu 16.04 LTS:
libpam-radius-auth 1.3.17-0ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4290-1
CVE-2015-9542

Package Information:
https://launchpad.net/ubuntu/+source/libpam-radius-auth/1.3.17-0ubuntu5.19.10.1
https://launchpad.net/ubuntu/+source/libpam-radius-auth/1.3.17-0ubuntu5.18.04.1
https://launchpad.net/ubuntu/+source/libpam-radius-auth/1.3.17-0ubuntu4.1

[USN-4291-1] mod-auth-mellon vulnerability

==========================================================================
Ubuntu Security Notice USN-4291-1
February 24, 2020

libapache2-mod-auth-mellon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS

Summary:

libapache2-mod-auth-mellon could be made to redirect users to malicious
sites.

Software Description:
- libapache2-mod-auth-mellon: SAML 2.0 authentication module for Apache

Details:

It was discovered that mod_auth_mellon incorrectly handled certain
requests. An attacker could possibly use this issue to redirect a user to a
malicious URL.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
libapache2-mod-auth-mellon 0.14.2-1ubuntu1.19.10.1

Ubuntu 18.04 LTS:
libapache2-mod-auth-mellon 0.13.1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4291-1
CVE-2019-13038

Package Information:

https://launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/0.14.2-1ubuntu1.19.10.1
https://launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/0.13.1-1ubuntu0.2

[arch-announce] The Future of the Arch Linux Project Leader

Hello everyone,

Some of you may know me from the days when I was much more involved in Arch, but most of you probably just know me as a name on the website. I've been with Arch for some time, taking the leadership of this beast over from Judd back in 2007. But, as these things often go, my involvement has slid down to minimal levels over time. It's high time that changes.

Arch Linux needs involved leadership to make hard decisions and direct the project where it needs to go. And I am not in a position to do this.

In a team effort, the Arch Linux staff devised a new process for determining future leaders. From now on, leaders will be elected by the staff for a term length of two years. Details of this new process can be found [here](https://wiki.archlinux.org/index.php/DeveloperWiki:Project_Leader)

In the first official vote with Levente Polyak (anthraxx), Gaetan Bisson (vesath), Giancarlo Razzolini (grazzolini), and Sven-Hendrik Haase (svenstaro) as candidates, and through 58 verified votes, a winner was chosen:

**Levente Polyak (anthraxx) will be taking over the reins of this ship. Congratulations!**

*Thanks for everything over all these years,
Aaron Griffin (phrakture)*

URL: https://www.archlinux.org/news/the-future-of-the-arch-linux-project-leader/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://lists.archlinux.org/listinfo/arch-announce

Saturday, February 22, 2020

[arch-announce] Planet Arch Linux migration

The software behind planet.archlinux.org was implemented in Python 2 and is no longer maintained upstream. This functionality has now been implemented in archlinux.org's archweb backend which is actively maintained but offers a slightly different experience.

The most notable changes are the offered feeds and the feed location. Archweb only offers an Atom feed, which is located [here](https://archlinux.org/feeds/planet).

URL: https://www.archlinux.org/news/planet-arch-linux-migration/

Thursday, February 20, 2020

New Release Freeze Times

Hi all,

It has been brought to our attention that release freezes starting at
00:00 UTC have been confusing for a lot of people. So, we decided to
change it to 14:00 UTC.

The freeze dates are not going to change, just the time when freeze
starts is going to change. Fedora 32 schedule [1] has been updated to
reflect the changed time.

[1] https://fedorapeople.org/groups/schedule/f-32/f-32-key-tasks.html

Thanks,
Mohan Boddu.

[CentOS-announce] CESA-2020:0550 Important CentOS 7 openjpeg2 Security Update

CentOS Errata and Security Advisory 2020:0550 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0550

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
62531e53dd42a38ffb4462a435c693d5acaac00b31db4387e7cecc100518b57e openjpeg2-2.3.1-3.el7_7.i686.rpm
b29b8912e5a83589e7860ce99dd4d83830710245ffcb7d6846ca0bcb5f61d1de openjpeg2-2.3.1-3.el7_7.x86_64.rpm
f938ba6cf59d8d2620fdb3badf02c11c205ffafc4d5f3832b4fbe3bcf4d19038 openjpeg2-devel-2.3.1-3.el7_7.i686.rpm
f06d2b1b8c1d85904896c567ffdfbb33d46ab29f3de2b3d6c1b0d6053b4fe88f openjpeg2-devel-2.3.1-3.el7_7.x86_64.rpm
30438a1c778d164a9fbea5da66dc77097af6adedc7ea8a7eef4872e45906c71c openjpeg2-devel-docs-2.3.1-3.el7_7.noarch.rpm
d3710e60ba45ef3127e9f118eecea89d6695ea949e743ceee179b7abd1cb4144 openjpeg2-tools-2.3.1-3.el7_7.i686.rpm
cb91d18fb7f2dd08f5551bbd30bb00b3f0278ee98111551c9d1fe973c3ed2908 openjpeg2-tools-2.3.1-3.el7_7.x86_64.rpm

Source:
a8aff69e4e8ffde39e16fd40a5354162b499fdce3023381378805911af76b080 openjpeg2-2.3.1-3.el7_7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[USN-4289-1] Squid vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4289-1
February 20, 2020

squid, squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server

Details:

Jeriko One discovered that Squid incorrectly handled memory when connected
to an FTP server. A remote attacker could possibly use this issue to obtain
sensitive information from Squid memory. (CVE-2019-12528)

Regis Leroy discovered that Squid incorrectly handled certain HTTP
requests. A remote attacker could possibly use this issue to access server
resources prohibited by earlier security filters. (CVE-2020-8449)

Guido Vranken discovered that Squid incorrectly handled certain buffer
operations when acting as a reverse proxy. A remote attacker could use
this issue to cause Squid to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2020-8450)

Aaron Costello discovered that Squid incorrectly handled certain NTLM
authentication credentials. A remote attacker could possibly use this issue
to cause Squid to crash, resulting in a denial of service. (CVE-2020-8517)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
squid 4.8-1ubuntu2.2

Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.5

Ubuntu 16.04 LTS:
squid 3.5.12-1ubuntu7.10

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4289-1
CVE-2019-12528, CVE-2020-8449, CVE-2020-8450, CVE-2020-8517

Package Information:
https://launchpad.net/ubuntu/+source/squid/4.8-1ubuntu2.2
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.5
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.10

[USN-4288-1] ppp vulnerability

==========================================================================
Ubuntu Security Notice USN-4288-1
February 20, 2020

ppp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

ppp could be made to crash or run programs if it received specially crafted
network traffic.

Software Description:
- ppp: Point-to-Point Protocol (PPP)

Details:

It was discovered that ppp incorrectly handled certain rhostname values. A
remote attacker could use this issue to cause ppp to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
ppp 2.4.7-2+4.1ubuntu4.1

Ubuntu 18.04 LTS:
ppp 2.4.7-2+2ubuntu1.2

Ubuntu 16.04 LTS:
ppp 2.4.7-1+2ubuntu1.16.04.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4288-1
CVE-2020-8597

Package Information:
https://launchpad.net/ubuntu/+source/ppp/2.4.7-2+4.1ubuntu4.1
https://launchpad.net/ubuntu/+source/ppp/2.4.7-2+2ubuntu1.2
https://launchpad.net/ubuntu/+source/ppp/2.4.7-1+2ubuntu1.16.04.2

Wednesday, February 19, 2020

[USN-4279-2] PHP regression

==========================================================================
Ubuntu Security Notice USN-4279-2
February 19, 2020

php7.0 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

USN-4279-1 introduced a regression in PHP.

Software Description:
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS.
(CVE-2015-9253)

It was discovered that PHP incorrectly handled certain inputs. An attacker
could possibly use this issue to expose sensitive information.
(CVE-2020-7059)

It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS
and Ubuntu 19.10. (CVE-2020-7060)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.12
php7.0-cgi 7.0.33-0ubuntu0.16.04.12
php7.0-cli 7.0.33-0ubuntu0.16.04.12
php7.0-fpm 7.0.33-0ubuntu0.16.04.12

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4279-2
https://usn.ubuntu.com/4279-1
CVE-2015-9253

Package Information:
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.12

[LSN-0063-1] Linux kernel vulnerability

==========================================================================
Kernel Live Patch Security Notice 0063-1
February 19, 2020

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu:

| Series | Base kernel | Arch | flavors |
|------------------+--------------+----------+------------------|
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | aws |
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | generic |
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | lowlatency |
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | oem |
| Ubuntu 18.04 LTS | 5.0.0 | amd64 | azure |
| Ubuntu 18.04 LTS | 5.0.0 | amd64 | gcp |
| Ubuntu 14.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 14.04 LTS | 4.4.0 | amd64 | lowlatency |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | aws |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency |
| Ubuntu 16.04 LTS | 4.15.0 | amd64 | azure |
| Ubuntu 16.04 LTS | 4.15.0 | amd64 | generic |
| Ubuntu 16.04 LTS | 4.15.0 | amd64 | lowlatency |

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the crypto subsystem in the Linux kernel did not
properly deallocate memory in certain error conditions. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19050)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

It was discovered that a race condition can lead to a use-after-free while
destroying GEM contexts in the i915 driver for the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-7053)

Update instructions:

The problem can be corrected by updating your livepatches to the following
versions:

| Kernel | Version | flavors |
|--------------------------+----------+--------------------------|
| 4.4.0-168.197 | 63.1 | generic, lowlatency |
| 4.4.0-168.197~14.04.1 | 63.1 | lowlatency, generic |
| 4.4.0-169.198 | 63.1 | generic, lowlatency |
| 4.4.0-169.198~14.04.1 | 63.1 | lowlatency, generic |
| 4.4.0-170.199 | 63.1 | lowlatency, generic |
| 4.4.0-170.199~14.04.1 | 63.1 | lowlatency, generic |
| 4.4.0-171.200 | 63.1 | lowlatency, generic |
| 4.4.0-171.200~14.04.1 | 63.1 | generic, lowlatency |
| 4.4.0-173.203 | 63.1 | generic, lowlatency |
| 4.4.0-1098.109 | 63.1 | aws |
| 4.4.0-1099.110 | 63.1 | aws |
| 4.4.0-1100.111 | 63.1 | aws |
| 4.4.0-1101.112 | 63.1 | aws |
| 4.15.0-69.78 | 63.1 | generic, lowlatency |
| 4.15.0-69.78~16.04.1 | 63.1 | lowlatency, generic |
| 4.15.0-70.79 | 63.1 | lowlatency, generic |
| 4.15.0-70.79~16.04.1 | 63.1 | generic, lowlatency |
| 4.15.0-72.81 | 63.1 | generic, lowlatency |
| 4.15.0-72.81~16.04.1 | 63.1 | generic, lowlatency |
| 4.15.0-74.83~16.04.1 | 63.1 | lowlatency, generic |
| 4.15.0-74.84 | 63.1 | generic, lowlatency |
| 4.15.0-76.86 | 63.1 | generic, lowlatency |
| 4.15.0-76.86~16.04.1 | 63.1 | lowlatency, generic |
| 4.15.0-1054.56 | 63.1 | aws |
| 4.15.0-1056.58 | 63.1 | aws |
| 4.15.0-1057.59 | 63.1 | aws |
| 4.15.0-1058.60 | 63.1 | aws |
| 4.15.0-1063.68 | 63.1 | azure |
| 4.15.0-1063.72 | 63.1 | oem |
| 4.15.0-1064.69 | 63.1 | azure |
| 4.15.0-1064.73 | 63.1 | oem |
| 4.15.0-1065.75 | 63.1 | oem |
| 4.15.0-1066.71 | 63.1 | azure |
| 4.15.0-1066.76 | 63.1 | oem |
| 4.15.0-1067.72 | 63.1 | azure |
| 4.15.0-1067.77 | 63.1 | oem |
| 5.0.0-1025.26~18.04.1 | 63.1 | gcp |
| 5.0.0-1025.27~18.04.1 | 63.1 | azure |
| 5.0.0-1026.27~18.04.1 | 63.1 | gcp |
| 5.0.0-1027.29~18.04.1 | 63.1 | azure |
| 5.0.0-1028.29~18.04.1 | 63.1 | gcp |
| 5.0.0-1028.30~18.04.1 | 63.1 | azure |
| 5.0.0-1029.30~18.04.1 | 63.1 | gcp |
| 5.0.0-1029.31~18.04.1 | 63.1 | azure |

Support Information:

Kernels older than the levels listed below do not receive livepatch
updates. Please upgrade your kernel as soon as possible.

| Series | Version | Flavors |
|------------------+------------------+--------------------------|
| Ubuntu 18.04 LTS | 4.15.0-1054 | aws |
| Ubuntu 16.04 LTS | 4.4.0-1098 | aws |
| Ubuntu 18.04 LTS | 5.0.0-1025 | azure |
| Ubuntu 16.04 LTS | 4.15.0-1063 | azure |
| Ubuntu 18.04 LTS | 4.15.0-69 | generic lowlatency |
| Ubuntu 18.04 LTS | 5.0.0-1025 | gcp |
| Ubuntu 16.04 LTS | 4.15.0-69 | generic lowlatency |
| Ubuntu 14.04 LTS | 4.4.0-168 | generic lowlatency |
| Ubuntu 18.04 LTS | 4.15.0-1063 | oem |
| Ubuntu 16.04 LTS | 4.4.0-168 | generic lowlatency |

References:
CVE-2019-5108, CVE-2019-14615, CVE-2019-19050, CVE-2019-20096,
CVE-2020-7053



Tuesday, February 18, 2020

[CentOS-announce] CESA-2020:0540 Important CentOS 7 sudo Security Update

CentOS Errata and Security Advisory 2020:0540 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0540

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
0b16241f174a79ef2ea31283a5e80ea9988e61a9a55e9ac92bda0a3194884341 sudo-1.8.23-4.el7_7.2.x86_64.rpm
0426b76a0384baa6e5e6468f6ca13daf8b9a2183640e0edcfab4344af3bc60dd sudo-devel-1.8.23-4.el7_7.2.i686.rpm
414ce69b8c36398980c743d5935c255a47dad04f9e00cfe74d6b96da32b949d0 sudo-devel-1.8.23-4.el7_7.2.x86_64.rpm

Source:
35152b61efed27551102dc09051870aeccb1d65ef82ee393195beae4d9635ac2 sudo-1.8.23-4.el7_7.2.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0541 Important CentOS 7 java-1.7.0-openjdk Security Update

CentOS Errata and Security Advisory 2020:0541 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0541

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
7ccac31a20eab804358cb7c553b075ff9f5a300262c4aa2c9f296125de67c450 java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
eb646678be3d37c16ccd39579a10a467ba7dd876ddc0053ea1e534c75a28377b java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
e971fbcc7df4cf4163c9202e05a3d5caaacfe883a75b12385f34673e0c2de388 java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
a523046069f991a1502a7ca9038dd026a6021b31c25ff73e6488a8db8033b9b7 java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
3b5fa3921cfbaedaae0ebbe3d9a8f3edb45ba1633e833f9d1a0de6f05173db69 java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
6ea98165a303975ffbb5ff65047e35edcbf6591ea94e33d5e8a56d29d8953b70 java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el7_7.noarch.rpm
d91fa4acea0080dbaf53e951619da4c3e399431b98ee3bcee01e13fcd86e40f2 java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Source:
8269ca9f1035bba4c25eb23f0d351e74f4c165681a733a66bdebf71579a0b1e9 java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2020:0520 Important CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2020:0520 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2020:0520

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
cabd0f607b8b426403c5f833334f15cb36b727b8792d122f3bb2547d4d965618 firefox-68.5.0-2.el7.centos.i686.rpm
11046ce36b466eeb0619c65b9df1ed10137bb07f3f01eba9a97d05648a04d714 firefox-68.5.0-2.el7.centos.x86_64.rpm

Source:
377fa5d423b415ca61552036614942832b1570258973ad8541056292981425b4 firefox-68.5.0-2.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[USN-4287-2] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4287-2
February 18, 2020

linux-azure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

USN-4287-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 ESM.

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15099)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local attacker could possibly use this to cause a
denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the
Linux kernel did not properly check for errors in certain situations,
leading to a NULL pointer dereference. A local attacker could possibly use
this to cause a denial of service. (CVE-2019-16232)

It was discovered that a race condition existed in the Virtual Video Test
Driver in the Linux kernel. An attacker with write access to /dev/video0 on
a system with the vivid module loaded could possibly use this to gain
administrative privileges. (CVE-2019-18683)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in
the Linux kernel did not properly initialize data. A local attacker could
possibly use this to expose sensitive information (kernel memory).
(CVE-2019-18786)

It was discovered that the Afatech AF9005 DVB-T USB device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-18809)

It was discovered that the btrfs file system in the Linux kernel did not
properly validate metadata, leading to a NULL pointer dereference. An
attacker could use this to specially craft a file system image that, when
mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex
Driver for the Linux kernel. A local attacker could possibly use this to
cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not
properly deallocate memory in certain error conditions. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker could possibly use this to cause a denial of service (kernel
memory exhaustion). (CVE-2019-19063)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service (kernel memory
exhaustion). (CVE-2019-19071)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the AMD GPU device drivers in the Linux kernel did
not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the
Linux kernel did not properly handle certain error conditions, leading to a
NULL pointer dereference. A local attacker could use this to cause a denial
of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle ioctl requests to get emulated CPUID
features. An attacker with access to /dev/kvm could use this to cause a
denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux
kernel did not properly handle certain conditions. An attacker could use
this to specially craft an ext4 file system that, when mounted, could cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-19767)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that a race condition can lead to a use-after-free while
destroying GEM contexts in the i915 driver for the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-7053)

It was discovered that the B2C2 FlexCop USB device driver in the Linux
kernel did not properly validate device metadata. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2019-15291)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
linux-image-4.15.0-1069-azure 4.15.0-1069.74~14.04.1
linux-image-azure 4.15.0.1069.55

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4287-2
https://usn.ubuntu.com/4287-1
CVE-2019-14615, CVE-2019-15099, CVE-2019-15291, CVE-2019-16229,
CVE-2019-16232, CVE-2019-18683, CVE-2019-18786, CVE-2019-18809,
CVE-2019-18885, CVE-2019-19057, CVE-2019-19062, CVE-2019-19063,
CVE-2019-19071, CVE-2019-19078, CVE-2019-19082, CVE-2019-19227,
CVE-2019-19332, CVE-2019-19767, CVE-2019-19965, CVE-2019-20096,
CVE-2019-5108, CVE-2020-7053

[USN-4286-2] Linux kernel (Xenial HWE) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4286-2
February 18, 2020

linux-lts-xenial, linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-4286-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 ESM.

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that a race condition existed in the Softmac USB Prism54
device driver in the Linux kernel. A physically proximate attacker could
use this to cause a denial of service (system crash). (CVE-2019-15220)

Julien Grall discovered that the Xen balloon memory driver in the Linux
kernel did not properly restrict the amount of memory set aside for page
mappings in some situations. An attacker could use this to cause a denial
of service (kernel memory exhaustion). (CVE-2019-17351)

It was discovered that the Intel WiMAX 2400 driver in the Linux kernel did
not properly deallocate memory in certain situations. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19051)

It was discovered that the Marvell Wi-Fi device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19056)

It was discovered that the Brocade BFA Fibre Channel device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19066)

It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19068)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that the ZR364XX Camera USB device driver for the Linux
kernel did not properly initialize memory. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-15217)

It was discovered that the Line 6 POD USB device driver in the Linux kernel
did not properly validate data size information from the device. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2019-15221)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
linux-image-4.4.0-1062-aws 4.4.0-1062.66
linux-image-4.4.0-174-generic 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-generic-lpae 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-lowlatency 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-powerpc-e500mc 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-powerpc-smp 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-powerpc64-emb 4.4.0-174.204~14.04.1
linux-image-4.4.0-174-powerpc64-smp 4.4.0-174.204~14.04.1
linux-image-aws 4.4.0.1062.63
linux-image-generic-lpae-lts-xenial 4.4.0.174.153
linux-image-generic-lts-xenial 4.4.0.174.153
linux-image-lowlatency-lts-xenial 4.4.0.174.153
linux-image-powerpc-e500mc-lts-xenial 4.4.0.174.153
linux-image-powerpc-smp-lts-xenial 4.4.0.174.153
linux-image-powerpc64-emb-lts-xenial 4.4.0.174.153
linux-image-powerpc64-smp-lts-xenial 4.4.0.174.153
linux-image-virtual-lts-xenial 4.4.0.174.153

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4286-2
https://usn.ubuntu.com/4286-1
CVE-2019-14615, CVE-2019-15217, CVE-2019-15220, CVE-2019-15221,
CVE-2019-17351, CVE-2019-19051, CVE-2019-19056, CVE-2019-19066,
CVE-2019-19068, CVE-2019-19965, CVE-2019-20096, CVE-2019-5108

[USN-4287-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4287-1
February 18, 2020

linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15,
linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke-4.15: Linux kernel for Google Container Engine (GKE) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-snapdragon: Linux kernel for Snapdragon processors
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15099)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local attacker could possibly use this to cause a
denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the
Linux kernel did not properly check for errors in certain situations,
leading to a NULL pointer dereference. A local attacker could possibly use
this to cause a denial of service. (CVE-2019-16232)

It was discovered that a race condition existed in the Virtual Video Test
Driver in the Linux kernel. An attacker with write access to /dev/video0 on
a system with the vivid module loaded could possibly use this to gain
administrative privileges. (CVE-2019-18683)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in
the Linux kernel did not properly initialize data. A local attacker could
possibly use this to expose sensitive information (kernel memory).
(CVE-2019-18786)

It was discovered that the Afatech AF9005 DVB-T USB device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-18809)

It was discovered that the btrfs file system in the Linux kernel did not
properly validate metadata, leading to a NULL pointer dereference. An
attacker could use this to specially craft a file system image that, when
mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex
Driver for the Linux kernel. A local attacker could possibly use this to
cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not
properly deallocate memory in certain error conditions. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker could possibly use this to cause a denial of service (kernel
memory exhaustion). (CVE-2019-19063)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service (kernel memory
exhaustion). (CVE-2019-19071)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the AMD GPU device drivers in the Linux kernel did
not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the
Linux kernel did not properly handle certain error conditions, leading to a
NULL pointer dereference. A local attacker could use this to cause a denial
of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle ioctl requests to get emulated CPUID
features. An attacker with access to /dev/kvm could use this to cause a
denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux
kernel did not properly handle certain conditions. An attacker could use
this to specially craft an ext4 file system that, when mounted, could cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-19767)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that a race condition can lead to a use-after-free while
destroying GEM contexts in the i915 driver for the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-7053)

It was discovered that the B2C2 FlexCop USB device driver in the Linux
kernel did not properly validate device metadata. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2019-15291)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1033-oracle 4.15.0-1033.36
linux-image-4.15.0-1052-gke 4.15.0-1052.55
linux-image-4.15.0-1053-kvm 4.15.0-1053.53
linux-image-4.15.0-1055-raspi2 4.15.0-1055.59
linux-image-4.15.0-1060-aws 4.15.0-1060.62
linux-image-4.15.0-1072-snapdragon 4.15.0-1072.79
linux-image-4.15.0-88-generic 4.15.0-88.88
linux-image-4.15.0-88-generic-lpae 4.15.0-88.88
linux-image-4.15.0-88-lowlatency 4.15.0-88.88
linux-image-aws 4.15.0.1060.61
linux-image-aws-lts-18.04 4.15.0.1060.61
linux-image-generic 4.15.0.88.80
linux-image-generic-lpae 4.15.0.88.80
linux-image-gke 4.15.0.1052.56
linux-image-gke-4.15 4.15.0.1052.56
linux-image-kvm 4.15.0.1053.53
linux-image-lowlatency 4.15.0.88.80
linux-image-oracle 4.15.0.1033.38
linux-image-oracle-lts-18.04 4.15.0.1033.38
linux-image-powerpc-e500mc 4.15.0.88.80
linux-image-powerpc-smp 4.15.0.88.80
linux-image-powerpc64-emb 4.15.0.88.80
linux-image-powerpc64-smp 4.15.0.88.80
linux-image-raspi2 4.15.0.1055.53
linux-image-snapdragon 4.15.0.1072.75
linux-image-virtual 4.15.0.88.80

Ubuntu 16.04 LTS:
linux-image-4.15.0-1033-oracle 4.15.0-1033.36~16.04.1
linux-image-4.15.0-1055-gcp 4.15.0-1055.59
linux-image-4.15.0-1060-aws 4.15.0-1060.62~16.04.1
linux-image-4.15.0-1071-azure 4.15.0-1071.76
linux-image-4.15.0-88-generic 4.15.0-88.88~16.04.1
linux-image-4.15.0-88-generic-lpae 4.15.0-88.88~16.04.1
linux-image-4.15.0-88-lowlatency 4.15.0-88.88~16.04.1
linux-image-aws-hwe 4.15.0.1060.60
linux-image-azure 4.15.0.1071.74
linux-image-gcp 4.15.0.1055.69
linux-image-generic-hwe-16.04 4.15.0.88.98
linux-image-generic-lpae-hwe-16.04 4.15.0.88.98
linux-image-gke 4.15.0.1055.69
linux-image-lowlatency-hwe-16.04 4.15.0.88.98
linux-image-oem 4.15.0.88.98
linux-image-oracle 4.15.0.1033.26
linux-image-virtual-hwe-16.04 4.15.0.88.98

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4287-1
CVE-2019-14615, CVE-2019-15099, CVE-2019-15291, CVE-2019-16229,
CVE-2019-16232, CVE-2019-18683, CVE-2019-18786, CVE-2019-18809,
CVE-2019-18885, CVE-2019-19057, CVE-2019-19062, CVE-2019-19063,
CVE-2019-19071, CVE-2019-19078, CVE-2019-19082, CVE-2019-19227,
CVE-2019-19332, CVE-2019-19767, CVE-2019-19965, CVE-2019-20096,
CVE-2019-5108, CVE-2020-7053

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-88.88
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1060.62
https://launchpad.net/ubuntu/+source/linux-gke-4.15/4.15.0-1052.55
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1053.53
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1033.36
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1055.59
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1072.79
https://launchpad.net/ubuntu/+source/linux-aws-hwe/4.15.0-1060.62~16.04.1
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1071.76
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1055.59
https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-88.88~16.04.1
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1033.36~16.04.1

[USN-4286-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4286-1
February 18, 2020

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-snapdragon: Linux kernel for Snapdragon processors

Details:

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that a race condition existed in the Softmac USB Prism54
device driver in the Linux kernel. A physically proximate attacker could
use this to cause a denial of service (system crash). (CVE-2019-15220)

Julien Grall discovered that the Xen balloon memory driver in the Linux
kernel did not properly restrict the amount of memory set aside for page
mappings in some situations. An attacker could use this to cause a denial
of service (kernel memory exhaustion). (CVE-2019-17351)

It was discovered that the Intel WiMAX 2400 driver in the Linux kernel did
not properly deallocate memory in certain situations. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19051)

It was discovered that the Marvell Wi-Fi device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19056)

It was discovered that the Brocade BFA Fibre Channel device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19066)

It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19068)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that the ZR364XX Camera USB device driver for the Linux
kernel did not properly initialize memory. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2019-15217)

It was discovered that the Line 6 POD USB device driver in the Linux kernel
did not properly validate data size information from the device. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2019-15221)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1066-kvm 4.4.0-1066.73
linux-image-4.4.0-1102-aws 4.4.0-1102.113
linux-image-4.4.0-1129-raspi2 4.4.0-1129.138
linux-image-4.4.0-1133-snapdragon 4.4.0-1133.141
linux-image-4.4.0-174-generic 4.4.0-174.204
linux-image-4.4.0-174-generic-lpae 4.4.0-174.204
linux-image-4.4.0-174-lowlatency 4.4.0-174.204
linux-image-4.4.0-174-powerpc-e500mc 4.4.0-174.204
linux-image-4.4.0-174-powerpc-smp 4.4.0-174.204
linux-image-4.4.0-174-powerpc64-emb 4.4.0-174.204
linux-image-4.4.0-174-powerpc64-smp 4.4.0-174.204
linux-image-aws 4.4.0.1102.106
linux-image-generic 4.4.0.174.182
linux-image-generic-lpae 4.4.0.174.182
linux-image-kvm 4.4.0.1066.66
linux-image-lowlatency 4.4.0.174.182
linux-image-powerpc-e500mc 4.4.0.174.182
linux-image-powerpc-smp 4.4.0.174.182
linux-image-powerpc64-emb 4.4.0.174.182
linux-image-powerpc64-smp 4.4.0.174.182
linux-image-raspi2 4.4.0.1129.129
linux-image-snapdragon 4.4.0.1133.125
linux-image-virtual 4.4.0.174.182

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4286-1
CVE-2019-14615, CVE-2019-15217, CVE-2019-15220, CVE-2019-15221,
CVE-2019-17351, CVE-2019-19051, CVE-2019-19056, CVE-2019-19066,
CVE-2019-19068, CVE-2019-19965, CVE-2019-20096, CVE-2019-5108

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-174.204
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1102.113
https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1066.73
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1129.138
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1133.141

[USN-4285-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4285-1
February 18, 2020

linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-oracle-5.0
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws-5.0: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke-5.0: Linux kernel for Google Container Engine (GKE) systems
- linux-oracle-5.0: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local attacker could possibly use this to cause a
denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the
Linux kernel did not properly check for errors in certain situations,
leading to a NULL pointer dereference. A local attacker could possibly use
this to cause a denial of service. (CVE-2019-16232)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in
the Linux kernel did not properly initialize data. A local attacker could
possibly use this to expose sensitive information (kernel memory).
(CVE-2019-18786)

It was discovered that the Afatech AF9005 DVB-T USB device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-18809)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex
Driver for the Linux kernel. A local attacker could possibly use this to
cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the Realtek rtlwifi USB device driver in the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker could possibly use this to cause a denial of service (kernel
memory exhaustion). (CVE-2019-19063)

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the Datagram Congestion Control Protocol (DCCP)
implementation in the Linux kernel did not properly deallocate memory in
certain error conditions. An attacker could possibly use this to cause a
denial of service (kernel memory exhaustion). (CVE-2019-20096)

Mitchell Frank discovered that the Wi-Fi implementation in the Linux kernel
when used as an access point would send IAPP location updates for stations
before client authentication had completed. A physically proximate attacker
could use this to cause a denial of service. (CVE-2019-5108)

It was discovered that a race condition can lead to a use-after-free while
destroying GEM contexts in the i915 driver for the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-7053)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-5.0.0-1011-oracle 5.0.0-1011.16
linux-image-5.0.0-1025-aws 5.0.0-1025.28
linux-image-5.0.0-1030-gke 5.0.0-1030.31
linux-image-5.0.0-1031-gcp 5.0.0-1031.32
linux-image-5.0.0-1032-azure 5.0.0-1032.34
linux-image-azure 5.0.0.1032.43
linux-image-gcp 5.0.0.1031.35
linux-image-gke-5.0 5.0.0.1030.18

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4285-1
CVE-2019-14615, CVE-2019-16229, CVE-2019-16232, CVE-2019-18786,
CVE-2019-18809, CVE-2019-19057, CVE-2019-19063, CVE-2019-19947,
CVE-2019-19965, CVE-2019-20096, CVE-2019-5108, CVE-2020-7053

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws-5.0/5.0.0-1025.28
https://launchpad.net/ubuntu/+source/linux-azure/5.0.0-1032.34
https://launchpad.net/ubuntu/+source/linux-gcp/5.0.0-1031.32
https://launchpad.net/ubuntu/+source/linux-gke-5.0/5.0.0-1030.31
https://launchpad.net/ubuntu/+source/linux-oracle-5.0/5.0.0-1011.16

[USN-4284-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4284-1
February 18, 2020

linux, linux-aws, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-hwe,
linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-azure-5.3: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp-5.3: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel
- linux-raspi2-5.3: Linux kernel for Raspberry Pi 2

Details:

It was discovered that the Linux kernel did not properly clear data
structures on context switches for certain Intel graphics processors. A
local attacker could use this to expose sensitive information.
(CVE-2019-14615)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2019-15099)

It was discovered that the HSA Linux kernel driver for AMD GPU devices did
not properly check for errors in certain situations, leading to a NULL
pointer dereference. A local attacker could possibly use this to cause a
denial of service. (CVE-2019-16229)

It was discovered that the Marvell 8xxx Libertas WLAN device driver in the
Linux kernel did not properly check for errors in certain situations,
leading to a NULL pointer dereference. A local attacker could possibly use
this to cause a denial of service. (CVE-2019-16232)

It was discovered that a race condition existed in the Virtual Video Test
Driver in the Linux kernel. An attacker with write access to /dev/video0 on
a system with the vivid module loaded could possibly use this to gain
administrative privileges. (CVE-2019-18683)

It was discovered that the Renesas Digital Radio Interface (DRIF) driver in
the Linux kernel did not properly initialize data. A local attacker could
possibly use this to expose sensitive information (kernel memory).
(CVE-2019-18786)

It was discovered that the Sound Open Firmware (SOF) driver in the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker could use this to cause a denial of service (kernel memory
exhaustion). (CVE-2019-18811)

It was discovered that the crypto subsystem in the Linux kernel did not
properly deallocate memory in certain error conditions. A local attacker
could use this to cause a denial of service (kernel memory exhaustion).
(CVE-2019-19050, CVE-2019-19062)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex
Driver for the Linux kernel. A local attacker could possibly use this to
cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the Realtek rtlwifi USB device driver in the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker could possibly use this to cause a denial of service (kernel
memory exhaustion). (CVE-2019-19063)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service (kernel memory
exhaustion). (CVE-2019-19071)

It was discovered that the Broadcom Netxtreme HCA device driver in the
Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19077)

It was discovered that the Atheros 802.11ac wireless USB device driver in
the Linux kernel did not properly deallocate memory in certain error
conditions. A local attacker could possibly use this to cause a denial of
service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the AMD GPU device drivers in the Linux kernel did
not properly deallocate memory in certain error conditions. A local
attacker could use this to possibly cause a denial of service (kernel
memory exhaustion). (CVE-2019-19082)

It was discovered that the IO uring implementation in the Linux kernel did
not properly perform credentials checks in certain situations. A local
attacker could possibly use this to gain administrative privileges.
(CVE-2019-19241)

Or Cohen discovered that the virtual console subsystem in the Linux kernel
did not properly restrict writes to unimplemented vcsu (unicode) devices. A
local attacker could possibly use this to cause a denial of service (system
crash) or have other unspecified impacts. (CVE-2019-19252)

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle ioctl requests to get emulated CPUID
features. An attacker with access to /dev/kvm could use this to cause a
denial of service (system crash). (CVE-2019-19332)

It was discovered that a race condition existed in the Linux kernel on x86
platforms when keeping track of which process was assigned control of the
FPU. A local attacker could use this to cause a denial of service (memory
corruption) or possibly gain administrative privileges. (CVE-2019-19602)

It was discovered that the ext4 file system implementation in the Linux
kernel did not properly handle certain conditions. An attacker could use
this to specially craft an ext4 file system that, when mounted, could cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-19767)

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did
not properly initialize memory in certain situations. A local attacker
could possibly use this to expose sensitive information (kernel memory).
(CVE-2019-19947)

Gao Chuan discovered that the SAS Class driver in the Linux kernel
contained a race condition that could lead to a NULL pointer dereference. A
local attacker could possibly use this to cause a denial of service (system
crash). (CVE-2019-19965)

It was discovered that the B2C2 FlexCop USB device driver in the Linux
kernel did not properly validate device metadata. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2019-15291)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
linux-image-5.3.0-1009-oracle 5.3.0-1009.10
linux-image-5.3.0-1010-kvm 5.3.0-1010.11
linux-image-5.3.0-1011-aws 5.3.0-1011.12
linux-image-5.3.0-1012-gcp 5.3.0-1012.13
linux-image-5.3.0-1018-raspi2 5.3.0-1018.20
linux-image-5.3.0-40-generic 5.3.0-40.32
linux-image-5.3.0-40-generic-lpae 5.3.0-40.32
linux-image-5.3.0-40-lowlatency 5.3.0-40.32
linux-image-5.3.0-40-snapdragon 5.3.0-40.32
linux-image-aws 5.3.0.1011.13
linux-image-gcp 5.3.0.1012.13
linux-image-generic 5.3.0.40.34
linux-image-generic-lpae 5.3.0.40.34
linux-image-gke 5.3.0.1012.13
linux-image-kvm 5.3.0.1010.12
linux-image-lowlatency 5.3.0.40.34
linux-image-oracle 5.3.0.1009.10
linux-image-raspi2 5.3.0.1018.15
linux-image-snapdragon 5.3.0.40.34
linux-image-virtual 5.3.0.40.34

Ubuntu 18.04 LTS:
linux-image-5.3.0-1012-gcp 5.3.0-1012.13~18.04.1
linux-image-5.3.0-1013-azure 5.3.0-1013.14~18.04.1
linux-image-5.3.0-1018-raspi2 5.3.0-1018.20~18.04.1
linux-image-5.3.0-40-generic 5.3.0-40.32~18.04.1
linux-image-5.3.0-40-generic-lpae 5.3.0-40.32~18.04.1
linux-image-5.3.0-40-lowlatency 5.3.0-40.32~18.04.1
linux-image-azure-edge 5.3.0.1013.13
linux-image-gcp-edge 5.3.0.1012.11
linux-image-generic-hwe-18.04 5.3.0.40.97
linux-image-generic-lpae-hwe-18.04 5.3.0.40.97
linux-image-lowlatency-hwe-18.04 5.3.0.40.97
linux-image-raspi2-hwe-18.04 5.3.0.1018.7
linux-image-snapdragon-hwe-18.04 5.3.0.40.97
linux-image-virtual-hwe-18.04 5.3.0.40.97

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/4284-1
CVE-2019-14615, CVE-2019-15099, CVE-2019-15291, CVE-2019-16229,
CVE-2019-16232, CVE-2019-18683, CVE-2019-18786, CVE-2019-18811,
CVE-2019-19050, CVE-2019-19057, CVE-2019-19062, CVE-2019-19063,
CVE-2019-19071, CVE-2019-19077, CVE-2019-19078, CVE-2019-19082,
CVE-2019-19241, CVE-2019-19252, CVE-2019-19332, CVE-2019-19602,
CVE-2019-19767, CVE-2019-19947, CVE-2019-19965

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.3.0-40.32
https://launchpad.net/ubuntu/+source/linux-aws/5.3.0-1011.12
https://launchpad.net/ubuntu/+source/linux-gcp/5.3.0-1012.13
https://launchpad.net/ubuntu/+source/linux-kvm/5.3.0-1010.11
https://launchpad.net/ubuntu/+source/linux-oracle/5.3.0-1009.10
https://launchpad.net/ubuntu/+source/linux-raspi2/5.3.0-1018.20
https://launchpad.net/ubuntu/+source/linux-azure-5.3/5.3.0-1013.14~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.3/5.3.0-1012.13~18.04.1
https://launchpad.net/ubuntu/+source/linux-hwe/5.3.0-40.32~18.04.1
https://launchpad.net/ubuntu/+source/linux-raspi2-5.3/5.3.0-1018.20~18.04.1