MGASA-2018-0107

This kernel update is based on the upstream 4.4.114 and and fixes several security issues.

The most important fixes in this update is for the security issue named "Spectre, variant 2 (CVE-2017-5715)" that is partly mitigated by enabling retpoline support. For full retpoline mitigation, kernel needs to be built with a retpoline-aware cpmpiler, something that wont happend in Mga5 as Mageia 5 has reached End of Support at December 31st, 2017 (even if we have been providing some extended support due to Meltdown/Spectre issues. If you want to receive further fixes regarding theese issues, you really need to upgrade to Mageia 6.

The BPF interpreter has been used as part of the spectre 2 attack CVE-2017-5715. To make attacker job harder introduce BPFJITALWAYS_ON config option that removes interpreter from the kernel in favor of JIT-only mode. Note: In Mageia 5 we have BPF disabled by default, so it's not really an issue, but the fixes are still needed in case someone enables it

KVM on x86 gained a memory barrier on vmcs field lookup as part of mitigating Spectre variant 2 (CVE-2017-5753).

Other security fixes in this update:

The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (CVE-2017-16911).

The "getpipe()" function (drivers/usb/usbip/stubrx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (CVE-2017-16912).

The "stubrecvcmdsubmit()" function (drivers/usb/usbip/stubrx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (CVE-2017-16913).

The "stubsendretsubmit()" function (drivers/usb/usbip/stubtx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet (CVE-2017-16914).

Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in this manner (CVE-2017-1000410).

The dccpdisconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AFUNSPEC connect system call during the DCCP_LISTEN state (CVE-2017-8824).

For other fixes, see the referenced changelogs.