Bug 29236

Summary: Update request: kernel-linus-5.10.48-1.mga8
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: kernel-linus CVE:
Status comment:

Description Thomas Backlund 2021-07-07 20:42:02 CEST 
security and bugfixes...


SRPM:
kernel-linus-5.10.48-1.mga8.src.rpm


i586:
kernel-linus-5.10.48-1.mga8-1-1.mga8.i586.rpm
kernel-linus-devel-5.10.48-1.mga8-1-1.mga8.i586.rpm
kernel-linus-devel-latest-5.10.48-1.mga8.i586.rpm
kernel-linus-doc-5.10.48-1.mga8.noarch.rpm
kernel-linus-latest-5.10.48-1.mga8.i586.rpm
kernel-linus-source-5.10.48-1.mga8-1-1.mga8.noarch.rpm
kernel-linus-source-latest-5.10.48-1.mga8.noarch.rpm


x86_64:
kernel-linus-5.10.48-1.mga8-1-1.mga8.x86_64.rpm
kernel-linus-devel-5.10.48-1.mga8-1-1.mga8.x86_64.rpm
kernel-linus-devel-latest-5.10.48-1.mga8.x86_64.rpm
kernel-linus-doc-5.10.48-1.mga8.noarch.rpm
kernel-linus-latest-5.10.48-1.mga8.x86_64.rpm
kernel-linus-source-5.10.48-1.mga8-1-1.mga8.noarch.rpm
kernel-linus-source-latest-5.10.48-1.mga8.noarch.rpm
Comment 1 Thomas Backlund 2021-07-09 20:52:13 CEST 
Advisory, added to svn:

type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2020-26541
 - CVE-2021-22543
 - CVE-2021-35039
src:
  8:
   core:
     - kernel-linus-5.10.48-1.mga8
description: |
  This kernel-linus update is based on upstream 5.10.48 and fixes atleast the
  following security issues:

  The Linux kernel through 5.8.13 does not properly enforce the Secure Boot
  Forbidden Signature Database (aka dbx) protection mechanism. This affects
  certs/blacklist.c and certs/system_keyring.c (CVE-2020-26541).

  An issue was discovered in Linux: KVM through Improper handling of VM_IO|
  VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being
  freed while still accessible by the VMM and guest. This allows users with
  the ability to start and control a VM to read/write random pages of memory
  and can result in local privilege escalation (CVE-2021-22543).

  kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature
  Verification. Without CONFIG_MODULE_SIG, verification that a kernel module
  is signed, for loading via init_module, does not occur for a
  module.sig_enforce=1 command-line argument (CVE-2021-35039).

  For other upstream fixes, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29236
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.47
 - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.48

Keywords: (none) => advisory

Comment 2 Aurelien Oudelet 2021-07-12 21:03:44 CEST 
$ inxi -SGxx
System:    Host: mageia.local Kernel: 5.10.48-1.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0 
           Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8 
Graphics:  Device-1: NVIDIA TU116 [GeForce GTX 1660 Ti] vendor: Gigabyte driver: nvidia v: 460.84 
           bus ID: 01:00.0 chip ID: 10de:2182 
           Display: x11 server: Mageia X.org 1.20.11 compositor: kwin_x11 driver: modesetting,nvidia,v4l 
           resolution: 1: 1920x1080~60Hz 2: 1920x1080 s-dpi: 80 
           OpenGL: renderer: GeForce GTX 1660 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 460.84 direct render: Yes


All running fine for 4 days.

CC: (none) => ouaurelien

Thomas Backlund 2021-07-12 21:13:03 CEST

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2021-07-12 22:28:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED