===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2018.2445.2
                          linux security update
                             23 August 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3646 CVE-2018-3620

Reference:         ESB-2018.2437
                   ESB-2018.2429
                   ESB-2018.2398
                   ESB-2018.2381

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4279

Revision History:  August 23 2018: Corrected regression issues
                   August 21 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 20, 2018                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the
Intel processor designs have implemented speculative execution of
instructions in combination with handling of page-faults. This flaw
could allow an attacker controlling an unprivileged process to read
memory from arbitrary (non-user controlled) addresses, including from
the kernel and all other processes running on the system or cross
guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

============================================================================

-------------------------------------------------------------------------
Debian Security Advisory DSA-4279-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 22, 2018                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
Debian Bug     : 906769

The security update announced as DSA 4279-1 caused regressions on the ARM
architectures (boot failures on some systems). Updated packages are now
available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
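
Added example (not part of the AusCERT or Debian text): a fleet-audit helper that classifies installed stretch kernel package versions against the two fixed versions named in DSA-4279-1 and DSA-4279-2, using Debian's version ordering rather than string comparison. The sample inventory, the status labels and the function names are constructed for illustration; the package names assume the versioned linux-image-4.9* binary packages.

```python
import re

FIX_1 = "4.9.110-3+deb9u3"  # DSA-4279-1 fix version (from the advisory)
FIX_2 = "4.9.110-3+deb9u4"  # DSA-4279-2 regression fix (from the advisory)

def _order(c):
    # Within a non-digit run: '~' < end of string (0) < letters < other chars
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (custom order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x, y = (_order(s[i]) if i < len(s) else 0 for s in (na, nb))
            if x != y:
                return (x > y) - (x < y)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return (x > y) - (x < y)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing revision compares like "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rest), (rev if sep else "0")

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def classify(version):
    if deb_cmp(version, FIX_1) < 0:
        return "VULNERABLE"
    if deb_cmp(version, FIX_2) < 0:
        return "UPGRADE_TO_DEB9U4"  # has the fix, but predates DSA-4279-2
    return "OK"
# Constructed sample: dpkg-query -W -f '${Package} ${Version}\n' 'linux-image-4.9*'
SAMPLE = """\
linux-image-4.9.0-6-amd64 4.9.88-1+deb9u1
linux-image-4.9.0-8-armmp 4.9.110-3+deb9u3
linux-image-4.9.0-8-amd64 4.9.110-3+deb9u4
"""

def audit(text):
    return {p: classify(v) for p, v in (l.split() for l in text.splitlines() if l.strip())}
```

The package version shows what is installed, not which kernel is running, so a host can report OK before it has rebooted into the fixed kernel. The CPU microcode update the advisory mentions is a separate package and is not checked here.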