MGASA-2021-0204

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0204.html

Import Source

https://advisories.mageia.org/MGASA-2021-0204.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2021-0204

Related

Published

2021-05-02T16:29:10Z

Modified

2022-02-17T18:21:47Z

Summary

Updated kernel packages fix security vulnerabilities

Details

This kernel update is based on upstream 5.10.33 and fixes at least the following security issues:

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctpdestroysock is called without socknet(sk)->sctp.addrwqlock then an element is removed from the autoasconfsplist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPFCGROUPINETSOCK_CREATE is attached which denies creation of some SCTP socket (CVE-2021-23133).

An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/ verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (CVE-2021-29155).

This update also contains the following: - xtables-addons has been updated to 3.18 (only in Mageia 8) - wireguard-tools has been updated to v1.0.20210424-1.mga8

For other upstream fixes, see the referenced changelogs.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / kernel

Package

Name: kernel
Purl: pkg:rpm/mageia/kernel?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.33-1.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / kmod-virtualbox

Package

Name: kmod-virtualbox
Purl: pkg:rpm/mageia/kmod-virtualbox?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.20-2.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / kmod-xtables-addons

Package

Name: kmod-xtables-addons
Purl: pkg:rpm/mageia/kmod-xtables-addons?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13-21.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / wireguard-tools

Package

Name: wireguard-tools
Purl: pkg:rpm/mageia/wireguard-tools?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.20210424-1.mga7

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / kernel

Package

Name: kernel
Purl: pkg:rpm/mageia/kernel?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.33-1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / kmod-virtualbox

Package

Name: kmod-virtualbox
Purl: pkg:rpm/mageia/kmod-virtualbox?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.20-3.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / kmod-xtables-addons

Package

Name: kmod-xtables-addons
Purl: pkg:rpm/mageia/kmod-xtables-addons?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.18-1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / xtables-addons

Package

Name: xtables-addons
Purl: pkg:rpm/mageia/xtables-addons?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.18-1.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / wireguard-tools

Package

Name: wireguard-tools
Purl: pkg:rpm/mageia/wireguard-tools?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.20210424-1.mga8

Ecosystem specific

{
    "section": "core"
}