Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                         linux-4.9 security update
                               18 March 2019


        AusCERT Security Bulletin Summary

Product:           linux-4.9
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service      -- Remote/Unauthenticated
                   Access Privileged Data -- Existing Account      
                   Increased Privileges   -- Existing Account      
                   Reduced Security       -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19407 CVE-2018-18710 CVE-2018-18690
                   CVE-2018-18281 CVE-2018-17972 CVE-2018-16862
                   CVE-2018-15471 CVE-2018-14616 CVE-2018-14614
                   CVE-2018-14613 CVE-2018-14612 CVE-2018-14611
                   CVE-2018-14610 CVE-2018-13406 CVE-2018-13100
                   CVE-2018-13097 CVE-2018-13096 CVE-2018-13053
                   CVE-2018-12896 CVE-2018-6554 CVE-2018-5848
                   CVE-2018-5391 CVE-2018-3639 CVE-2018-1129
                   CVE-2018-1128 CVE-2017-18249 

Reference:         ESB-2019.0675

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux-4.9
Version        : 4.9.144-3.1~deb8u1
CVE ID         : CVE-2017-18249 CVE-2018-1128 CVE-2018-1129 CVE-2018-3639
                 CVE-2018-5391 CVE-2018-5848 CVE-2018-6554 CVE-2018-12896
                 CVE-2018-13053 CVE-2018-13096 CVE-2018-13097 CVE-2018-13100
                 CVE-2018-13406 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612
                 CVE-2018-14613 CVE-2018-14614 CVE-2018-14616 CVE-2018-15471
                 CVE-2018-16862 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690
                 CVE-2018-18710 CVE-2018-19407
Debian Bug     : 890034 896911 907581 915229 915231

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information


    A race condition was discovered in the disk space allocator of
    F2FS. A user with access to an F2FS volume could use this to cause
    a denial of service or other security impact.

CVE-2018-1128, CVE-2018-1129

    The cephx authentication protocol used by Ceph was susceptible to
    replay attacks, and calculated signatures incorrectly. These
    vulnerabilities in the server required changes to authentication
    that are incompatible with existing clients. The kernel's client
    code has now been updated to be compatible with the fixed server.

CVE-2018-3639 (SSB)

    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to
    read sensitive information from another context. In particular,
    code in a software sandbox may be able to read sensitive
    information from outside the sandbox. This issue is also known as
    Spectre variant 4.

    This update adds a further mitigation for this issue in the eBPF
    (Extended Berkeley Packet Filter) implementation.

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker can take advantage of this flaw to trigger time and
    calculation expensive fragment reassembly algorithms by sending
    specially crafted packets, leading to remote denial of service.

    This was previously mitigated by reducing the default limits on
    memory usage for incomplete fragmented packets. This update
    replaces that mitigation with a more complete fix.


    The wil6210 wifi driver did not properly validate lengths in scan
    and connection requests, leading to a possible buffer overflow.
    On systems using this driver, a local user with the CAP_NET_ADMIN
    capability could use this for denial of service (memory corruption
    or crash) or potentially for privilege escalation.

CVE-2018-12896, CVE-2018-13053

    Team OWL337 reported possible integer overflows in the POSIX
    timer implementation. These might have some security impact.

CVE-2018-13096, CVE-2018-13097, CVE-2018-13100, CVE-2018-14614,

    Wen Xu from SSLab at Gatech reported that crafted F2FS volumes
    could trigger a crash (BUG, Oops, or division by zero) and/or
    out-of-bounds memory access. An attacker able to mount such a
    volume could use this to cause a denial of service or possibly for
    privilege escalation.


    Dr Silvio Cesare of InfoSect reported a potential integer overflow
    in the uvesafb driver. A user with permission to access such a
    device might be able to use this for denial of service or
    privilege escalation.

CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613

    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes
    could trigger a crash (Oops) and/or out-of-bounds memory access.
    An attacker able to mount such a volume could use this to cause a
    denial of service or possibly for privilege escalation.

CVE-2018-15471 ((XSA-270)

    Felix Wilhelm of Google Project Zero discovered a flaw in the hash
    handling of the xen-netback Linux kernel module. A malicious or
    buggy frontend may cause the (usually privileged) backend to make
    out of bounds memory accesses, potentially resulting in privilege
    escalation, denial of service, or information leaks.



    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
    discovered that the cleancache memory management feature did not
    invalidate cached data for deleted files. On Xen guests using the
    tmem driver, local users could potentially read data from other
    users' deleted files if they were able to create new files on the
    same volume.


    Jann Horn reported that the /proc/*/stack files in procfs leaked
    sensitive data from the kernel. These files are now only readable
    by users with the CAP_SYS_ADMIN capability (usually only root)


    Jann Horn reported a race condition in the virtual memory manager
    that can result in a process briefly having access to memory after
    it is freed and reallocated. A local user could possibly exploit
    this for denial of service (memory corruption) or for privilege


    Kanda Motohiro reported that XFS did not correctly handle some
    xattr (extended attribute) writes that require changing the disk
    format of the xattr. A user with access to an XFS volume could use
    this for denial of service.


    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_SELECT_DISC ioctl. A user with
    access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service


    Wei Wu reported a potential crash (Oops) in the KVM implementation
    for x86 processors. A user with access to /dev/kvm could use this
    for denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.144-3.1~deb8u1.  This version also includes fixes for Debian bugs
#890034, #896911, #907581, #915229, and #915231; and other fixes
included in upstream stable updates.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967