MGASA-2015-0070

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2015-0070.html

Import Source

https://advisories.mageia.org/MGASA-2015-0070.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2015-0070

Related

Published

2015-02-17T18:38:13Z

Modified

2015-02-17T18:26:26Z

Summary

Updated kernel packages fix security vulnerabilities

Details

This kernel update is based on upstream -longterm 3.14.32 and fixes the following security issues:

The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c (CVE-2014-8989).

The batadvfragmerge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets (CVE-2014-9428).

Race condition in the keygcunused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key (CVE-2014-9529).

The parserockridgeinodeinternal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image (CVE-2014-9584).

The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD (CVE-2014-9585).

Linux Kernel 2.6.38 through 3.18 are affected by a flaw in the Crypto API that allows any local user to load any installed kernel module on systems where CONFIGCRYPTOUSERAPI=y by abusing the requestmodule() call (CVE-2013-7421, CVE-2014-9644).

When hitting an sctp INIT collision case during the 4WHS with AUTH enabled, it can create a local denial of service by triggerinf a panic on server side (CVE-2015-1421).

It was found that routing packets to too many different dsts/too fast can lead to a excessive resource consumption. A remote attacker can use this flaw to crash the system (CVE-2015-1465).

For other fixes in this update, see the referenced changelogs.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:4 / kernel

Package

Name: kernel
Purl: pkg:rpm/mageia/kernel?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.14.32-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / kernel-userspace-headers

Package

Name: kernel-userspace-headers
Purl: pkg:rpm/mageia/kernel-userspace-headers?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.14.32-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / kmod-vboxadditions

Package

Name: kmod-vboxadditions
Purl: pkg:rpm/mageia/kmod-vboxadditions?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.20-5.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / kmod-virtualbox

Package

Name: kmod-virtualbox
Purl: pkg:rpm/mageia/kmod-virtualbox?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.20-5.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / kmod-xtables-addons

Package

Name: kmod-xtables-addons
Purl: pkg:rpm/mageia/kmod-xtables-addons?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5-11.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / kmod-broadcom-wl

Package

Name: kmod-broadcom-wl
Purl: pkg:rpm/mageia/kmod-broadcom-wl?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.30.223.141-47.mga4.nonfree

Ecosystem specific

{
    "section": "nonfree"
}

Mageia:4 / kmod-fglrx

Package

Name: kmod-fglrx
Purl: pkg:rpm/mageia/kmod-fglrx?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.010.1006-17.mga4.nonfree

Ecosystem specific

{
    "section": "nonfree"
}

Mageia:4 / kmod-nvidia173

Package

Name: kmod-nvidia173
Purl: pkg:rpm/mageia/kmod-nvidia173?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

173.14.39-31.mga4.nonfree

Ecosystem specific

{
    "section": "nonfree"
}

Mageia:4 / kmod-nvidia304

Package

Name: kmod-nvidia304
Purl: pkg:rpm/mageia/kmod-nvidia304?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

304.125-3.mga4.nonfree

Ecosystem specific

{
    "section": "nonfree"
}

Mageia:4 / kmod-nvidia-current

Package

Name: kmod-nvidia-current
Purl: pkg:rpm/mageia/kmod-nvidia-current?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

331.113-3.mga4.nonfree

Ecosystem specific

{
    "section": "nonfree"
}