Mageia alert MGASA-2017-0149 (kernel)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0149: Updated kernel packages fixes security vulnerabilities 
Date:
    	     
 
Fri, 26 May 2017 08:55:31 +0200
Message-ID:
    	     
 
<20170526065531.D11869F856@duvel.mageia.org>
MGASA-2017-0149 - Updated kernel packages fixes security vulnerabilities

Publication date: 26 May 2017
URL: http://advisories.mageia.org/MGASA-2017-0149.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-7645,
     CVE-2017-7875

Description:
This kernel update is based on upstream 4.4.68 and fixes atleast
the following security issues:

The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
4.10.11 allows remote attackers to cause a denial of service (system crash)
via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
fs/nfsd/nfsxdr.c (CVE-2017-7645).

The NFSv2 and NFSv3 server implementations in the Linux kernel through
4.10.13 lack certain checks for the end of a buffer, which allows remote
attackers to trigger pointer-arithmetic errors or possibly have unspecified
other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and
fs/nfsd/nfsxdr.c (CVE-2017-7895).

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=20861
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7875

SRPMS:
- 5/core/kernel-4.4.68-1.mga5
- 5/core/kernel-userspace-headers-4.4.68-1.mga5
- 5/core/kmod-vboxadditions-5.1.22-3.mga5
- 5/core/kmod-virtualbox-5.1.22-3.mga5
- 5/core/kmod-xtables-addons-2.10-38.mga5