MGASA-2023-0237

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2023-0237.html

Import Source

https://advisories.mageia.org/MGASA-2023-0237.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2023-0237

Related

Published

2023-07-19T19:53:31Z

Modified

2023-07-26T20:17:56Z

Summary

Updated kernel packages fix security vulnerabilities

Details

This kernel update is based on upstream 5.15.120 and fixes atleast the following security issues:

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system. This is fixed by removing DECnet support (CVE-2023-3338).

A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nftablesapi.c. Mishandled error handling with NFTMSGNEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue (CVE-2023-3390).

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; nftchainlookupbyid() failed to check whether a chain was active and CAPNET_ADMIN is in any user or network namespace (CVE-2023-31248).

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nftbyteorder poorly handled vm register contents when CAPNET_ADMIN is in any user or network namespace (CVE-2023-35001).

NOTE!! This kernel also contains a fix for dkms builds hanging / stalling during upgrade to Mageia 9 (mga#31982) due to the new make 4.4 series utility ending up in a loop processing Makefile in kernel-devel packages. So if you use dkms packaged drivers, you need to be running this kernel (or any later released ones) before you do an online upgrade to avoid the upgrade stalling / hanging.

For other upstream fixes in this update, see the referenced changelogs.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:8 / kernel

Package

Name: kernel
Purl: pkg:rpm/mageia/kernel?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.120-2.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / kmod-virtualbox

Package

Name: kmod-virtualbox
Purl: pkg:rpm/mageia/kmod-virtualbox?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.8-1.12.mga8

Ecosystem specific

{
    "section": "core"
}

Mageia:8 / kmod-xtables-addons

Package

Name: kmod-xtables-addons
Purl: pkg:rpm/mageia/kmod-xtables-addons?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.23-1.22.mga8

Ecosystem specific

{
    "section": "core"
}