MGASA-2018-0263

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2018-0263.html

Import Source

https://advisories.mageia.org/MGASA-2018-0263.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2018-0263

Related

Published

2018-05-31T20:34:08Z

Modified

2022-02-17T18:21:47Z

Summary

Updated kernel packages fix security vulnerabilities

Details

This kernel update is based on the upstream 4.14.44 and fixes at least the following security issues:

By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (CVE-2018-1120).

Speculative Store Bypass (SSB) â also known as Spectre Variant 4. Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (CVE-2018-3639). NOTE! This fix only apply to Amd hardware so far as Intel CPUs need a fixed microcode update in order for the fix to get activated. At the time of this release we dont yet know when Intel will release new microcode.

A flaw was found in the Linux kernel where an out of memory (oom) killing of a process that has large spans of mlocked memory can result in deferencing a NULL pointer, leading to denial of service (CVE-2018-1000200).

Note! In this kernel update we have for now reverted the security fix: 'Predictable Random Number Generator Weakness (CVE-2018-1108)' that was part of the MGASA-2018-0249 security update as it caused several systems to stop booting properly (mga#23060).

WireGuard has been updated to 0.0.20180519.

For other fixes in this update, see the referenced changelogs.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / kernel

Package

Name: kernel
Purl: pkg:rpm/mageia/kernel?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.44-2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kernel-userspace-headers

Package

Name: kernel-userspace-headers
Purl: pkg:rpm/mageia/kernel-userspace-headers?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.44-2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-vboxadditions

Package

Name: kmod-vboxadditions
Purl: pkg:rpm/mageia/kmod-vboxadditions?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.12-2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-virtualbox

Package

Name: kmod-virtualbox
Purl: pkg:rpm/mageia/kmod-virtualbox?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.12-2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / kmod-xtables-addons

Package

Name: kmod-xtables-addons
Purl: pkg:rpm/mageia/kmod-xtables-addons?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13-38.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / wireguard-tools

Package

Name: wireguard-tools
Purl: pkg:rpm/mageia/wireguard-tools?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.20180519-1.mga6

Ecosystem specific

{
    "section": "core"
}