Mageia alert MGASA-2022-0478 (kernel-linus)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2022-0478: Updated kernel-linus packages fix security vulnerabilities | |
| Date: | Sun, 18 Dec 2022 00:56:59 +0100 | |
| Message-ID: | <20221217235659.A02E49FA99@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2022-0478 - Updated kernel-linus packages fix security vulnerabilities Publication date: 17 Dec 2022 URL: https://advisories.mageia.org/MGASA-2022-0478.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-3169, CVE-2022-3344, CVE-2022-3521, CVE-2022-3643, CVE-2022-4139, CVE-2022-4378, CVE-2022-45869 Description: This kernel-linus update is based on upstream 5.15.82 and fixes atleast the following security issues: A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect (CVE-2022-3169). A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0) (CVE-2022-3344). A vulnerability has been found in Linux Kernel function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race condition (CVE-2022-3521). An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system (CVE-2022-4139). A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system (CVE-2022-4378). A race condition in the x86 KVM subsystem in the Linux kernel allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled (CVE-2022-45869). For other upstream fixes in this update, see the referenced changelogs. References: - https://bugs.mageia.org/show_bug.cgi?id=31261 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.... - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.... - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3169 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3344 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3521 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3643 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4139 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4378 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4... SRPMS: - 8/core/kernel-linus-5.15.82-1.mga8