Operating System:

[Debian]

Published:

15 May 2019

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2019.1705 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1705
                           linux security update
                                15 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11091 CVE-2018-12130 CVE-2018-12127
                   CVE-2018-12126  

Reference:         ASB-2019.0138

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4444

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4444-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 14, 2019                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug     : 928125

Multiple researchers have discovered vulnerabilities in the way the
Intel processor designs have implemented speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system or cross guest/host boundaries to read
host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode. An updated intel-microcode package (only
available in Debian non-free) will be provided via a separate DSA. The
updated CPU microcode may also be available as part of a system firmware
("BIOS") update.

In addition, this update includes a fix for a regression causing
deadlocks inside the loopback driver, which was introduced by the update
to 4.9.168 in the last Stretch point release.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlzbK/hfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RDbhAAkCG4A3Yx+lAGMIgm9lXWeacyTFQ7RhS0NzQ+7rewiQZti4JphoEnuub1
sq9GH041twKbQQKJiuRD7AvKIzt8hfziQVBvIs+Nojp3fOHU9TIDqqENmfBYflkQ
qvP/tP5vqXREMihV6zGAzK47lfIvEztAQYiZymD4zMzWF0QrY/9/uEQFgwgD5AaP
xvreR+M2tsWQR3MZOAfWlTbX9nSbyV2K7nULs5y+g0ko8sbJDxNhfKO/6yauSiHK
pq6I3Fg56PsNtse/r/II9jlGE9DYvC+cI9vRNEBZep9A0dmRqN8j3sk0jmNVfi/F
Tm3jWFgtRtaa6ANMeBHIBQzkGjML6GbE68Iyf0+EGZ7ZrXSeAIi4InYFCNJA7w5/
K0Nu2nCMAaxVwYPAO7mvNxAnKgOPLE+e7fYNlqztpHOO/nXNmOG7zknqstlkS+Vc
LfsjAiqtAGw6PubdXMSc5BVrdQQTmT3tvqg4BW2i3bWeaW43MyQRc1cizplVrNLt
KKgC1qNLGIvSZLejDF5KXX8VT50UEa05QshRHWu9Ckkvid2hedzipZkTsN5tsRoc
XuCtYsbZqawHmExfyryqtkhTc4pti2nvHPzcMpJtmXtdkkvxh3ZYXbTR0vsSwJHt
rLY3ms+Sw/DT0kdXgEb1gz4prezXcINgPhGDiP/hbRaQnsP2x7U=
=ukU9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXNtU5WaOgq3Tt24GAQizyg//RaN8rVL5pGIylwMv2E+y4MNb2mBiqdQu
SRMymNgD8Rw1pKJEyrWEw2dOWCReJjf5Ed8LJ+GM2MNxXFHx00RWo0ySkvNCnTpt
qW49XCjJg9wQizVsoJp7tb4A6n2eD1osXKqpwbTDj9TIAeW7FF9ixnZvEPBG2aYu
he02fLcuDhdAGYRORwa3H2G88qL/U+mLVi+IfGHamoPG7PX9WUZM6M8RkTH2dDt9
pxhfZuYA7qJ0ROAh74nmfOGOdJfKVqDQFO0m6WWo1uCKPb4SjXJb5589oMsul3If
pY/5TfpNDOjBvHbZePr6xKp0tqNEMxFtrH1/Y8e0adIF3RcEABTLcR68TNrA8tHO
Wl8YXojEgJVi80DBsrcb4fCcKoyfqtvhFXlTwVjw0CXGVPqiWoexJ42kK/ZDn73C
gYHW7vkBLHtGPOVMFMlEujdKYdTIWSStOSMZrOWOjvA4Vuew7idWL5wAt9xuAf8g
xUpeqc6tFPpvVi4WilMLIaM51pWQlRHB8UiunElAuFGUFzACWwcg10jXoxZ/Qg26
wjXMUzusBAItPPzBdz+iJSh9LsEYRuhL72my6I4oUfA2DWq7lHTQGn4tHdZoD3XA
2+i0Pzqm1ZWkQOb3amVgwPJNPXvb/bDGkhp/XopNtY2wqx7GG2umCz3jw/N/P1W3
K6cxrP8+HnA=
=0yqf
-----END PGP SIGNATURE-----