Mageia alert MGASA-2020-0184 (kernel-linus)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2020-0184: Updated kernel-linus packages fix security vulnerabilities | |
| Date: | Sat, 25 Apr 2020 22:56:46 +0200 | |
| Message-ID: | <20200425205646.918109F63F@duvel.mageia.org> |
MGASA-2020-0184 - Updated kernel-linus packages fix security vulnerabilities Publication date: 25 Apr 2020 URL: https://advisories.mageia.org/MGASA-2020-0184.html Type: security Affected Mageia releases: 7 CVE: CVE-2019-19377, CVE-2020-11494, CVE-2020-11565, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668 Description: This provides an update to kernel 5.6 series, currently based on upstream 5.6.6 adding support for new hardware and features, and fixes atleast the following security issues: In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c (CVE-2019-19377). An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (CVE-2020-11494). An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing (CVE-2020-11565). An issue was discovered in the Linux kernel before 5.6.1. drivers/media/ usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (CVE-2020-11608). An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/ usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference (CVE-2020-11609). In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors (CVE-2020-11668). For other fixes and changes in this update, see the refenced changelogs. References: - https://bugs.mageia.org/show_bug.cgi?id=26526 - https://kernelnewbies.org/Linux_5.6 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.1 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.2 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.3 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.4 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.5 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.6 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1... SRPMS: - 7/core/kernel-linus-5.6.6-1.mga7