[SECURITY] [DLA 1990-1] linux-4.9 security update

2019-11-13 Thread Ben Hutchings
Package: linux-4.9
Version: 4.9.189-3+deb9u2~deb8u1
CVE ID : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2018-12207

It was discovered that on Intel CPUs supporting hardware
virtualisation with Extended Page Tables (EPT), a guest VM may
manipulate the memory management hardware to cause a Machine Check
Error (MCE) and denial of service (hang or crash).

The guest triggers this error by changing page tables without a
TLB flush, so that both 4 KB and 2 MB entries for the same virtual
address are loaded into the instruction TLB (iTLB).  This update
implements a mitigation in KVM that prevents guest VMs from
loading 2 MB entries into the iTLB.  This will reduce performance
of guest VMs.

Further information on the mitigation can be found at

or in the linux-doc-4.9 package.

Intel's explanation of the issue can be found at

;.

CVE-2019-0154

Intel discovered that on their 8th and 9th generation GPUs,
reading certain registers while the GPU is in a low-power state
can cause a system hang.  A local user permitted to use the GPU
can use this for denial of service.

This update mitigates the issue through changes to the i915
driver.

The affected chips (gen8 and gen9) are listed at

;.

CVE-2019-0155

Intel discovered that their 9th generation and newer GPUs are
missing a security check in the Blitter Command Streamer (BCS).  A
local user permitted to use the GPU could use this to access any
memory that the GPU has access to, which could result in a denial
of service (memory corruption or crash), a leak of sensitive
information, or privilege escalation.

This update mitigates the issue by adding the security check to
the i915 driver.

The affected chips (gen9 onward) are listed at

;.

CVE-2019-11135

It was discovered that on Intel CPUs supporting transactional
memory (TSX), a transaction that is going to be aborted may
continue to execute speculatively, reading sensitive data from
internal buffers and leaking it through dependent operations.
Intel calls this "TSX Asynchronous Abort" (TAA).

For CPUs affected by the previously published Microarchitectural
Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127,
CVE-2018-12130, CVE-2019-11091), the existing mitigation also
mitigates this issue.

For processors that are vulnerable to TAA but not MDS, this update
disables TSX by default.  This mitigation requires updated CPU
microcode.  An updated intel-microcode package (only available in
Debian non-free) will be provided via a future DLA.  The updated
CPU microcode may also be available as part of a system firmware
("BIOS") update.

Further information on the mitigation can be found at


or in the linux-doc-4.9 package.

Intel's explanation of the issue can be found at

;.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.189-3+deb9u2~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams


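A check to run after installing the update and rebooting, as an added example that is not part of the advisory or the kernel source. It assumes the standard sysfs directory /sys/devices/system/cpu/vulnerabilities and the status strings described in the upstream kernel documentation; the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum vuln_state { VS_UNKNOWN, VS_NOT_AFFECTED, VS_MITIGATED,
                  VS_NEEDS_MICROCODE, VS_VULNERABLE };

/* Classify one status line in the form the kernel reports it (assumed
 * wording, taken from the upstream hw-vuln documentation). */
enum vuln_state classify_status(const char *s)
{
    if (strncmp(s, "Not affected", 12) == 0) return VS_NOT_AFFECTED;
    if (strstr(s, "no microcode"))           return VS_NEEDS_MICROCODE;
    if (strstr(s, "Vulnerable"))             return VS_VULNERABLE;
    if (strstr(s, "Mitigation"))             return VS_MITIGATED;
    return VS_UNKNOWN;
}

/* A mitigated CPU can still carry the lower-case "SMT vulnerable" suffix. */
int smt_exposed(const char *s) { return strstr(s, "SMT vulnerable") != NULL; }

/* Read <dir>/<name>; a missing file means the running kernel does not
 * report this issue at all, i.e. it predates the fix. */
enum vuln_state read_state(const char *dir, const char *name, char *buf, size_t len)
{
    char path[512];
    FILE *f;
    buf[0] = '\0';
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if ((f = fopen(path, "r")) == NULL) return VS_UNKNOWN;
    if (fgets(buf, (int)len, f)) buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
    return classify_status(buf);
}

int main(void)
{
    static const char *label[] = { "unknown/not reported", "not affected",
        "mitigated", "needs microcode", "VULNERABLE" };
    static const char *names[] = { "tsx_async_abort", "itlb_multihit", "mds" };
    char buf[256];
    int rc = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum vuln_state st = read_state("/sys/devices/system/cpu/vulnerabilities",
                                        names[i], buf, sizeof buf);
        printf("%-16s %-21s %s%s\n", names[i], label[st], buf,
               smt_exposed(buf) ? "  [SMT exposed]" : "");
        if (st != VS_NOT_AFFECTED && st != VS_MITIGATED) rc = 1;
    }
    return rc;   /* non-zero: at least one issue is unmitigated or unreported */
}
```

A "needs microcode" result corresponds to the case the advisory describes, where the kernel mitigation is present but the CPU microcode has not yet been updated.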


Accepted linux-4.9 4.9.189-3+deb9u2~deb8u1 (all source) into oldoldstable

2019-11-13 Thread Ben Hutchings

Format: 1.8
Date: Tue, 12 Nov 2019 22:05:49 +
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common 
linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 
linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u2~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team 
Changed-By: Ben Hutchings 
Description: 
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 
4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 
4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3+deb9u2~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie; no further changes required
 .
 linux (4.9.189-3+deb9u2) stretch-security; urgency=high
 .
   * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
     - KVM: x86: use Intel speculation bugs and features as derived in generic
       x86 code
     - x86/msr: Add the IA32_TSX_CTRL MSR
     - x86/cpu: Add a helper function x86_read_arch_cap_msr()
     - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
     - x86/speculation/taa: Add mitigation for TSX Async Abort
     - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
     - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
     - x86/tsx: Add "auto" option to the tsx= cmdline parameter
     - x86/speculation/taa: Add documentation for TSX Async Abort
     - x86/tsx: Add config options to set tsx=on|off|auto
     - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
     TSX is now disabled by default; see
     Documentation/hw-vuln/tsx_async_abort.rst
   * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
     (aka iTLB multi-hit, CVE-2018-12207):
     - KVM: x86: simplify ept_misconfig
     - KVM: x86: extend usage of RET_MMIO_PF_* constants
     - KVM: MMU: drop vcpu param in gpte_access
     - kvm: Convert kvm_lock to a mutex
     - kvm: x86: Do not release the page inside mmu_set_spte()
     - KVM: x86: make FNAME(fetch) and __direct_map more similar
     - KVM: x86: remove now unneeded hugepage gfn adjustment
     - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
     - KVM: x86: Add is_executable_pte()
     - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
     - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
     - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
     - cpu/speculation: Uninline and export CPU mitigations helpers
     - kvm: mmu: ITLB_MULTIHIT mitigation
     - kvm: Add helper function for creating VM worker threads
     - kvm: x86: mmu: Recovery of shattered NX large pages
     - Documentation: Add ITLB_MULTIHIT documentation
   * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
     - drm/i915: kick out cmd_parser specific structs from i915_drv.h
     - drm/i915: cleanup use of INSTR_CLIENT_MASK
     - drm/i915: return EACCES for check_cmd() failures
     - drm/i915: don't whitelist oacontrol in cmd parser
     - drm/i915: Use the precomputed value for whether to enable command parsing
     - drm/i915/cmdparser: Limit clflush to active cachelines
     - drm/i915/gtt: Add read only pages to gen8_pte_encode
     - drm/i915/gtt: Read-only pages for insert_entries on bdw+
     - drm/i915/gtt: Disable read-only support under GVT
     - drm/i915: Prevent writing into a read-only object via a GGTT mmap
     - drm/i915/cmdparser: Check reg_table_count before derefencing.
     - drm/i915/cmdparser: Do not check past the cmd length.
     - drm/i915: Silence smatch for cmdparser
     - drm/i915: Move engine->needs_cmd_parser to engine->flags
     - drm/i915: Rename gen7 cmdparser tables
     - drm/i915: Disable Secure Batches for gen6+
     - drm/i915: Remove Master tables from cmdparser
     - drm/i915: Add support for mandatory cmdparsing
     - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
     - drm/i915: Allow parsing of unsized batches
     - drm/i915: Add gen9 BCS cmdparsing
     - drm/i915/cmdparser: Use explicit goto for error paths
     - drm/i915/cmdparser: Add support for backward jumps
     - drm/i915/cmdparser: Ignore Length operands during command matching
     - drm/i915/cmdparser: Fix jump whitelist clearing
   * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
     - drm/i915: Lower RM timeout to avoid DSI hard hangs
     - drm/i915/gen8+: Add RC6 CTX corruption WA
   * drm/i915: Avoid ABI change for CVE-2019-0155
Checksums-Sha1: 
 4168501c46e22ef35ff11ea9c6512a7c53f39642 15751 
linux-4.9_4.9.189-3+deb9u2~deb8u1.dsc
 

[SECURITY] [DLA 1991-1] libssh2 security update

2019-11-13 Thread Abhijith PA

Package: libssh2
Version: 1.4.3-4.1+deb8u6
CVE ID : CVE-2019-17498
Debian Bug : 943562


In libssh2, SSH_MSG_DISCONNECT logic in packet.c has an integer
overflow in a bounds check, enabling an attacker to specify an
arbitrary (out-of-bounds) offset for a subsequent memory read. A
crafted SSH server may be able to disclose sensitive information or
cause a denial of service condition on the client system when a user
connects to the server.

For Debian 8 "Jessie", this problem has been fixed in version
1.4.3-4.1+deb8u6.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
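The class of bug described in DLA 1991-1, shown as an added example that is not libssh2's packet.c code: a length check whose arithmetic wraps, next to a parser that checks each length against the bytes remaining. The field layout follows the SSH_MSG_DISCONNECT format in RFC 4253 (type byte, uint32 reason, length-prefixed description, length-prefixed language tag); all names and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct disconnect { uint32_t reason, message_len, language_len;
                    const unsigned char *message, *language; };

static uint32_t get_u32(const unsigned char *p)   /* big-endian uint32 */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Flawed pattern, predicate only (no read is performed): the sum wraps
 * modulo 2^32, so a huge message_len gives a small "end" that passes. */
int naive_check_passes(uint32_t message_len, uint32_t datalen)
{
    uint32_t end = 9u + message_len + 4u;
    return end <= datalen;
}

/* Hardened parser: compare each length with the bytes remaining and only
 * subtract values already proven to fit.  Returns 0, or -1 if malformed. */
int parse_disconnect(const unsigned char *d, size_t datalen, struct disconnect *out)
{
    if (datalen < 9) return -1;                /* type + reason + length */
    size_t left = datalen - 9;
    out->reason = get_u32(d + 1);
    out->message_len = get_u32(d + 5);
    if (out->message_len > left) return -1;
    out->message = d + 9;
    left -= out->message_len;
    if (left < 4) return -1;                   /* language length field */
    out->language_len = get_u32(d + 9 + out->message_len);
    left -= 4;
    if (out->language_len > left) return -1;
    out->language = d + 13 + out->message_len;
    return 0;
}

/* Constructed samples: a well-formed packet and one with a wrapping length. */
static const unsigned char GOOD_PKT[] = { 1, 0,0,0,11, 0,0,0,3, 'b','y','e', 0,0,0,2, 'e','n' };
static const unsigned char BAD_PKT[]  = { 1, 0,0,0,11, 0xFF,0xFF,0xFF,0xF7, 'b','y','e', 0,0,0,2, 'e','n' };

int main(void)
{
    struct disconnect m;
    printf("good=%d ", parse_disconnect(GOOD_PKT, sizeof GOOD_PKT, &m));
    printf("naive=%d ", naive_check_passes(0xFFFFFFF7u, (uint32_t)sizeof BAD_PKT));
    printf("hardened=%d\n", parse_disconnect(BAD_PKT, sizeof BAD_PKT, &m));
    return 0;
}
```

The wrapping check accepts the second packet even though its declared description length is far larger than the packet, while the remaining-bytes check rejects it before any offset is computed from that length.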



Re: Drop support for libqb?

2019-11-13 Thread Roberto C . Sánchez
On Wed, Nov 13, 2019 at 12:45:02PM +0100, Markus Koschany wrote:
> 
> On 13.11.19 at 05:28, Roberto C. Sánchez wrote:
> > On Tue, Nov 12, 2019 at 06:53:19PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> On 12.11.19 at 18:11, Roberto C. Sánchez wrote:
> >> [...]
> >>> With that in mind, does this seem like a package for which we should
> >>> declare the end of support?
> >>
> >> That sounds reasonable to me.
> >>
> > Is it as simple as updating the debian-security-support package?  Do we
> > customarily send out a DLA when a package is dropped from support?
> 
> We usually mark affected CVE as  in data/CVE/list and just
> add the package to security-support-ended.deb8 in
> debian-security-support. We then upload new versions of the package
> periodically and announce it via DLA. I believe now is a good time to do it.
> 
Thanks for the information.  I will start working on it today.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Drop support for libqb?

2019-11-13 Thread Markus Koschany

On 13.11.19 at 05:28, Roberto C. Sánchez wrote:
> On Tue, Nov 12, 2019 at 06:53:19PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On 12.11.19 at 18:11, Roberto C. Sánchez wrote:
>> [...]
>>> With that in mind, does this seem like a package for which we should
>>> declare the end of support?
>>
>> That sounds reasonable to me.
>>
> Is it as simple as updating the debian-security-support package?  Do we
> customarily send out a DLA when a package is dropped from support?

We usually mark affected CVE as  in data/CVE/list and just
add the package to security-support-ended.deb8 in
debian-security-support. We then upload new versions of the package
periodically and announce it via DLA. I believe now is a good time to do it.

Regards,

Markus



