===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3341
                        linux-4.19 security update
                             29 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26088 CVE-2020-25641 CVE-2020-25285
                   CVE-2020-25284 CVE-2020-25212 CVE-2020-16166
                   CVE-2020-14390 CVE-2020-14386 CVE-2020-14385
                   CVE-2020-14356 CVE-2020-14331 CVE-2020-14314
                   CVE-2020-12888 CVE-2020-10781 CVE-2020-2528
                   CVE-2020-1439 CVE-2020-1433 CVE-2019-19816
                   CVE-2019-19813 CVE-2019-19448 CVE-2019-3874

Reference:         ESB-2020.3236
                   ESB-2020.3125
                   ESB-2020.3067

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2385-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
September 28, 2020                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.146-1~deb9u1
CVE ID         : CVE-2019-3874 CVE-2019-19448 CVE-2019-19813 CVE-2019-19816
                 CVE-2020-10781 CVE-2020-12888 CVE-2020-14314 CVE-2020-14331
                 CVE-2020-14356 CVE-2020-14385 CVE-2020-14386 CVE-2020-14390
                 CVE-2020-16166 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285
                 CVE-2020-25641 CVE-2020-26088
Debian Bug     : 966846 966917 968567

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2019-3874

    Kernel buffers allocated by the SCTP network protocol were not
    limited by the memory cgroup controller.  A local user could
    potentially use this to evade container memory limits and to cause
    a denial of service (excessive memory use).

CVE-2019-19448, CVE-2019-19813, CVE-2019-19816

    "Team bobfuzzer" reported bugs in Btrfs that could lead to a
    use-after-free or heap buffer overflow, and could be triggered by
    crafted filesystem images.  A user permitted to mount and access
    arbitrary filesystems could use these to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10781

    Luca Bruno of Red Hat discovered that the zram control file
    /sys/class/zram-control/hot_add was readable by all users.  On a
    system with zram enabled, a local user could use this to cause a
    denial of service (memory exhaustion).

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it
    was still mapped into a process.  On some hardware platforms,
    local users or guest virtual machines permitted to access PCIe
    Virtual Functions could use this to cause a denial of service
    (hardware error and crash).

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bound read.  A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow.  On a system
    with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK
    enabled, a local user with access to a console could use this to
    cause a denial of service (crash or memory corruption) or possibly
    for privilege escalation.

CVE-2020-14356

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups.  In some cgroup configurations, this could
    lead to a use-after-free.  A local user might be able to use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-14385

    A bug was discovered in XFS, which could lead to an extended
    attribute (xattr) wrongly being detected as invalid.  A local user
    with access to an XFS filesystem could use this to cause a denial
    of service (filesystem shutdown).

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could lead to a heap buffer overflow.  A
    local user with the CAP_NET_RAW capability (in any user namespace)
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2020-14390

    Minh Yuan discovered a bug in the framebuffer console driver's
    scrollback feature that could lead to a heap buffer overflow.  On
    a system using framebuffer consoles, a local user with access to a
    console could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

    The scrollback feature has been disabled for now, as no other fix
    was available for this issue.

CVE-2020-16166

    Amit Klein reported that the random number generator used by the
    network stack might not be re-seeded for long periods of time,
    making e.g. client port number allocations more predictable.  This
    made it easier for remote attackers to carry out some
    network-based attacks such as DNS cache poisoning or device
    tracking.

CVE-2020-25212

    A bug was discovered in the NFSv4 client implementation that could
    lead to a heap buffer overflow.  A malicious NFS server could use
    this to cause a denial of service (crash or memory corruption) or
    possibly to execute arbitrary code on the client.

CVE-2020-25284

    It was discovered that the Rados block device (rbd) driver allowed
    tasks running as uid 0 to add and remove rbd devices, even if they
    dropped capabilities.  On a system with the rbd driver loaded,
    this might allow privilege escalation from a container with a task
    running as root.

CVE-2020-25285

    A race condition was discovered in the hugetlb filesystem's sysctl
    handlers, that could lead to stack corruption.  A local user
    permitted to write to hugepages sysctls could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.  By default only the root user can do this.

CVE-2020-25641

    The syzbot tool found a bug in the block layer that could lead to
    an infinite loop.  A local user with access to a raw block device
    could use this to cause a denial of service (unbounded CPU use and
    possible system hang).

CVE-2020-26088

    It was discovered that the NFC (Near Field Communication) socket
    implementation allowed any user to create raw sockets.  On a
    system with an NFC interface, this allowed local users to evade
    local network security policy.

For Debian 9 stretch, these problems have been fixed in version
4.19.146-1~deb9u1.  This update additionally fixes Debian bugs
#966846, #966917, and #968567; and includes many more bug fixes from
stable updates 4.19.133-4.19.146 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.