-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2499
                   kernel-rt security and bug fix update
                               22 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel-rt
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Denial of Service               -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12888 CVE-2020-12654 CVE-2020-12653
                   CVE-2020-10768 CVE-2020-10767 CVE-2020-10766
                   CVE-2020-10757 CVE-2019-19807 CVE-2019-3016

Reference:         ESB-2020.2180
                   ESB-2020.0052.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3016

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2020:3016-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3016
Issue date:        2020-07-21
CVE Names:         CVE-2019-3016 CVE-2019-19807 CVE-2020-10757 
                   CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 
                   CVE-2020-12653 CVE-2020-12654 CVE-2020-12888 
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 8) - x86_64
Red Hat Enterprise Linux Real Time for NFV (v. 8) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)

* kernel: kernel: DAX hugepages not considered during mremap
(CVE-2020-10757)

* kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug
allows an attacker to turn off the SSBD protection. (CVE-2020-10766)

* kernel: Indirect Branch Prediction Barrier is force-disabled when STIBP
is unavailable or enhanced IBRS is available. (CVE-2020-10767)

* kernel: Indirect branch speculation can be enabled after it was
force-disabled by the PR_SPEC_FORCE_DISABLE prctl command. (CVE-2020-10768)

* kernel: buffer overflow in mwifiex_cmd_append_vsie_tlv function in
drivers/net/wireless/marvell/mwifiex/scan.c (CVE-2020-12653)

* kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_status function
in drivers/net/wireless/marvell/mwifiex/wmm.c (CVE-2020-12654)

* Kernel: vfio: access to disabled MMIO space of some devices may lead to
DoS scenario (CVE-2020-12888)

* kernel: kvm: Information leak within a KVM guest (CVE-2019-3016)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the RHEL-8.2.z2 source tree
(BZ#1829582)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1786078 - CVE-2019-19807 kernel: use-after-free in sound/core/timer.c
1792167 - CVE-2019-3016 kernel: kvm: Information leak within a KVM guest
1831868 - CVE-2020-12653 kernel: buffer overflow in mwifiex_cmd_append_vsie_tlv function in drivers/net/wireless/marvell/mwifiex/scan.c
1832530 - CVE-2020-12654 kernel: heap-based buffer overflow in mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c
1836244 - CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario
1842525 - CVE-2020-10757 kernel: kernel: DAX hugepages not considered during mremap
1845840 - CVE-2020-10766 kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection.
1845867 - CVE-2020-10767 kernel: Indirect Branch Prediction Barrier is force-disabled when STIBP is unavailable or enhanced IBRS is available.
1845868 - CVE-2020-10768 kernel: Indirect branch speculation can be enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command.

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 8):

Source:
kernel-rt-4.18.0-193.13.2.rt13.65.el8_2.src.rpm

x86_64:
kernel-rt-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-core-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-core-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-devel-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-modules-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debuginfo-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-devel-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-kvm-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-modules-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-modules-extra-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 8):

Source:
kernel-rt-4.18.0-193.13.2.rt13.65.el8_2.src.rpm

x86_64:
kernel-rt-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-core-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-core-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-devel-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-modules-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debuginfo-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-devel-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-modules-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm
kernel-rt-modules-extra-4.18.0-193.13.2.rt13.65.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3016
https://access.redhat.com/security/cve/CVE-2019-19807
https://access.redhat.com/security/cve/CVE-2020-10757
https://access.redhat.com/security/cve/CVE-2020-10766
https://access.redhat.com/security/cve/CVE-2020-10767
https://access.redhat.com/security/cve/CVE-2020-10768
https://access.redhat.com/security/cve/CVE-2020-12653
https://access.redhat.com/security/cve/CVE-2020-12654
https://access.redhat.com/security/cve/CVE-2020-12888
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXxbQY9zjgjWX9erEAQgiAA/8D64Llp5eLf+q6+1VKtw2I3yRaNevBoOB
paZeoGORlNIXtzpKjjHlVF+9qm8NvVwFOSBpO/2fW/DKxlzebhWpoqrL0rgzA2pK
EJMY7J3raGGU9aeLaRLAT9+qD0czwRIxTrjt0/ReiwOfI8clo+xD+uF6S1I+CPdI
bWOEro3a3MNLATQuJrHkeMLQC87Pu7U7P4h9XVVTLAEkStKuUHIR2UtEzz7YRnt1
Q4o7Yw/Gk4xCvErRrFtVD/cm8o+5NzsTcHdDHaz4C3ECxfsm2diPtlX075m2I1rl
UPycCX2ONPzYQrmin+YxndNzd46A6r7/Tblbsoy2REXudhtv/dLnxm2v7M9TvbkK
V3fb1UlL8sihIYC8Y6fq76tBcmogye1u5m2ZHVJHqhZWMMWLh3TQsn0x8oOBKQre
W75EJkBOljLLVVY5OxHk6kznC+hvQ2hfgZ1oAA8PqLOwI1Oq63e6I54wHoui73I/
olaGCqaUOf+BmWnDtCoECoh7JnCOMuYaybu72e6SyLJ7NY7VEYzxDKgfqNJYRBNs
3ttI7g98vEAPc5y99FusFEqM2WSQYSSZIpHrQsKmnZ1o7gnXdjFQKrxcGXokAokw
Wf7kko9WYBPASXh6DbDUWX4AMExXnZAENR+DVd+HCUD/K5sXJFeV3Mo6drin/UtX
QWUH7/Ydpus=
=wpvt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXxfVzuNLKJtyKPYoAQgXag//R/vqaIlQxiudGgB02I7kPd82sFEHpaij
TPCsilvuNx8pRR5IfaErvxsROD7ffbUXeuyNlhzoSzEAPEaxmGrip7NhMMnJwrJw
/qXFukjZnhzuQ1ykVb986E1Us27OR72PBeQaGQPXbtAQ+siQTPYs4YHYqqoBHpIS
TVw1jn4wMCSQVCYzG0mRsxoXZpbMLHggg9akgKH2aYT8SdGFzSePLwGqt0G1XUmi
X6kQTBPsTW9HvMiPOTRqB31EHsNNYQB98G6sH0uNPEi7plOgmvf6AwB54r1kYvYh
2cH4yV/wsMZKa6Nt1nWNFIclRKfbBv1QECR0fOPNfvXdZ++u/6LFav2V3Diu2VF+
NHO8OdivoyN8xITn9rm+rBmaskXY0Q609J7woJLkJUjo7cg+8n5F/d4hmJFYwOda
7GPx6j4pyJPPN3j/MS8sCF/tJCgvpNCqiAAMpM7MPy6clo/CRZ8julNaGTO29gBe
cyaRaT5fuGnseshsoAf2Q5qv/eCbAXu1Bgzb0Rl6G9nr3cm5KKC8yLtsSQTkTgTn
ulEVNcW16oAfocb4Ps0xSrJTcQTr7zxoGtEpVXFIbknXiXGp+Lf2hN6m4/1ZpJ6u
aYAYm647CoY2MDITSe4sQAlLWCT533Kuix2hoTtnsNedAlNVU2ThrOrS25iKdyph
64ETZCXHHvs=
=5/vH
-----END PGP SIGNATURE-----