Lucene search

K
mageiaGentoo FoundationMGASA-2018-0078
HistoryJan 13, 2018 - 5:28 p.m.

Updated kernel-linus packages fix security vulnerabilities

2018-01-1317:28:36
Gentoo Foundation
advisories.mageia.org
26

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

4.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.974

Percentile

99.9%

This kernel-linus update provided the upstream 4.14.13 and and fixes several security issues. The most important fix in this update is for the security issue named “Meltdown” that is fixed in theese kernels by enabling kernel Page Table Isolation (KTPI). Note that according to AMD, this issue does not effect Amd processors, so it is not enabled by default on systems using Amd CPU. The list of known security fixes and mitigations in this kernel: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache (CVE-2017-5754, “Meltdown”). A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely (CVE-2017-15129). The kernels are also fixed to allow loading cpu microcode for Amd family 17 (Zen) processors. For more info about Meltdown, Spectre and other fixes in this update, see the refences.

OSVersionArchitecturePackageVersionFilename
Mageia6noarchkernel-linus< 4.14.13-1kernel-linus-4.14.13-1.mga6

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

4.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.974

Percentile

99.9%