===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4505
                           linux security update
                             21 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28974 CVE-2020-27675 CVE-2020-27673
                   CVE-2020-25705 CVE-2020-25704 CVE-2020-25669
                   CVE-2020-25668 CVE-2020-25656 CVE-2020-25645
                   CVE-2020-14351 CVE-2020-8694 CVE-2020-0427

Reference:         ASB-2020.0018
                   ESB-2020.4410
                   ESB-2020.4391
                   ESB-2020.4377
                   ESB-2020.4375

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2494

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2494-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
December 18, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.9.246-2
CVE ID         : CVE-2020-0427 CVE-2020-8694 CVE-2020-14351 CVE-2020-25645
                 CVE-2020-25656 CVE-2020-25668 CVE-2020-25669 CVE-2020-25704
                 CVE-2020-25705 CVE-2020-27673 CVE-2020-27675 CVE-2020-28974

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2020-0427

    Elena Petrova reported a bug in the pinctrl subsystem that can
    lead to a use-after-free after a device is renamed.  The security
    impact of this is unclear.

CVE-2020-8694

    Multiple researchers discovered that the powercap subsystem
    allowed all users to read CPU energy meters, by default.  On
    systems using Intel CPUs, this provided a side channel that could
    leak sensitive information between user processes, or from the
    kernel to user processes.  The energy meters are now readable only
    by root, by default.

    This issue can be mitigated by running:

        chmod go-r /sys/devices/virtual/powercap/*/*/energy_uj

    This needs to be repeated each time the system is booted with
    an unfixed kernel version.
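
The mitigation above as a re-runnable audit-and-fix script (an added example, not part of the Debian advisory). The function names and the POWERCAP_ROOT override are assumptions introduced here; the path glob is the one used in the advisory's chmod command.

```shell
#!/bin/sh
# Added example: audit and apply the CVE-2020-8694 powercap mitigation.
# POWERCAP_ROOT can be overridden (assumption) to test on a scratch tree.
POWERCAP_ROOT="${POWERCAP_ROOT:-/sys/devices/virtual/powercap}"

# Print every energy_uj counter that group or other can still read.
# Uses the same */*/energy_uj glob as the advisory's chmod command.
exposed_meters() {
    root="${1:-$POWERCAP_ROOT}"
    for f in "$root"/*/*/energy_uj; do
        [ -e "$f" ] || continue     # glob matched nothing (no powercap zones)
        # -perm -040 / -004: group-read or other-read bit is set
        find "$f" -prune \( -perm -040 -o -perm -004 \) -print
    done
}

# Strip group/other read from each exposed counter, then re-audit.
# Returns non-zero if any counter is still exposed afterwards.
mitigate_meters() {
    root="${1:-$POWERCAP_ROOT}"
    exposed_meters "$root" | while IFS= read -r f; do
        chmod go-r "$f"
    done
    [ -z "$(exposed_meters "$root")" ]
}

# Command-line entry point: "audit" only reports, "apply" fixes.
case "${1:-}" in
    audit)
        found=$(exposed_meters)
        if [ -n "$found" ]; then
            printf 'readable by non-root:\n%s\n' "$found"
            exit 1
        fi
        ;;
    apply)
        mitigate_meters || { echo "some meters still readable" >&2; exit 1; }
        ;;
esac
```

Because the permissions reset on each boot of an unfixed kernel, `apply` has to run as root from a boot-time hook until the fixed package is installed.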

CVE-2020-14351

    A race condition was discovered in the performance events
    subsystem, which could lead to a use-after-free.  A local user
    permitted to access performance events could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

    Debian's kernel configuration does not allow unprivileged users to
    access performance events by default, which fully mitigates this
    issue.

CVE-2020-25645

    A flaw was discovered in the interface driver for GENEVE
    encapsulated traffic when combined with IPsec. If IPsec is
    configured to encrypt traffic for the specific UDP port used by the
    GENEVE tunnel, tunneled data isn't correctly routed over the
    encrypted link and is sent unencrypted instead.

CVE-2020-25656

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with the CAP_SYS_TTY_CONFIG capability could use this
    to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-25668

    Yuan Ming and Bodong Zhao discovered a race condition in the
    virtual terminal (vt) driver that could lead to a use-after-free.
    A local user with access to a virtual terminal, or with the
    CAP_SYS_TTY_CONFIG capability, could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2020-25669

    Bodong Zhao discovered a bug in the Sun keyboard driver (sunkbd)
    that could lead to a use-after-free.  On a system using this
    driver, a local user could use this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-25704

    kiyin discovered a potential memory leak in the performance
    events subsystem.  A local user permitted to access performance
    events could use this to cause a denial of service (memory
    exhaustion).

    Debian's kernel configuration does not allow unprivileged users to
    access performance events by default, which fully mitigates this
    issue.

CVE-2020-25705

    Keyu Man reported that strict rate-limiting of ICMP packet
    transmission provided a side-channel that could help networked
    attackers to carry out packet spoofing.  In particular, this made
    it practical for off-path networked attackers to "poison" DNS
    caches with spoofed responses ("SAD DNS" attack).

    This issue has been mitigated by randomising whether packets are
    counted against the rate limit.

CVE-2020-27673 / XSA-332

    Julien Grall from Arm discovered a bug in the Xen event handling
    code.  Where Linux was used in a Xen dom0, unprivileged (domU)
    guests could cause a denial of service (excessive CPU usage or
    hang) in dom0.

CVE-2020-27675 / XSA-331

    Jinoh Kang of Theori discovered a race condition in the Xen event
    handling code.  Where Linux was used in a Xen dom0, unprivileged
    (domU) guests could cause a denial of service (crash) in dom0.

CVE-2020-28974

    Yuan Ming discovered a bug in the virtual terminal (vt) driver
    that could lead to an out-of-bounds read.  A local user with
    access to a virtual terminal, or with the CAP_SYS_TTY_CONFIG
    capability, could possibly use this to obtain sensitive
    information from the kernel or to cause a denial of service
    (crash).

    The specific ioctl operation affected by this bug
    (KD_FONT_OP_COPY) has been disabled, as it is not believed that
    any programs depended on it.

For Debian 9 stretch, these problems have been fixed in version
4.9.246-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Ben Hutchings - Debian developer, member of kernel, installer and LTS teams


--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================