ESB-2018.2445.2 - UPDATE [Debian] linux kernel: Access privileged data - Existing account 2018-08-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2445.2
                           linux security update
                              23 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3646 CVE-2018-3620 

Reference:         ESB-2018.2437
                   ESB-2018.2429
                   ESB-2018.2398
                   ESB-2018.2381

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4279

Revision History:  August 23 2018: Corrected regression issues
                   August 21 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 20, 2018                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way Intel
processor designs implement speculative execution of instructions in
combination with the handling of page faults. This flaw could allow an
attacker controlling an unprivileged process to read memory from
arbitrary (non-user-controlled) addresses, including kernel memory and
the memory of all other processes running on the system, or to cross
guest/host boundaries and read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 22, 2018                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : linux
Debian Bug     : 906769

The security update announced as DSA 4279-1 caused regressions on the ARM
architectures (boot failures on some systems). Updated packages are now
available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
