Advisory coming...

SRPMS:
kernel-vserver-3.10.58-0.vs2.3.6.8.1.mga3.src.rpm

i586:
kernel-vserver-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.58-0.vs2.3.6.8.1.mga3.i586.rpm
kernel-vserver-doc-3.10.58-0.vs2.3.6.8.1.mga3.noarch.rpm
kernel-vserver-latest-3.10.58-0.vs2.3.6.8.1.mga3.i586.rpm
kernel-vserver-source-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.58-0.vs2.3.6.8.1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.58-0.vs2.3.6.8.1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.58-0.vs2.3.6.8.1.mga3.noarch.rpm
kernel-vserver-latest-3.10.58-0.vs2.3.6.8.1.mga3.x86_64.rpm
kernel-vserver-source-3.10.58-0.vs2.3.6.8.1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.58-0.vs2.3.6.8.1.mga3.noarch.rpm

On real hardware, M3, KDE, 32-bit

Package(s) under test:
kernel-vserver-latest

default install of:
kernel-vserver-latest

[root@localhost wilcal]# uname -a
Linux localhost 3.10.51-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Wed Aug 6 17:00:51 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-vserver-latest
Package kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga3.i586 is already installed

System boots to a working desktop. Common apps work. Screen sizes are correct.

install:
kernel-tmb-latest cpupower xtables-addons-kernel-desktop-latest
from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 3.10.58-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Thu Oct 16 16:56:12 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-vserver-latest
Package kernel-vserver-latest-3.10.58-0.vs2.3.6.8.1.mga3.i586 is already installed

System boots to a working desktop. Common apps work. Screen sizes are correct.

Test platform:
Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775
GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo
Marvel Yukon 88E8001 Gigabit LAN
Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel)
Intel Graphics Media Accelerator 900 (Intel 82915G)
Kingston 4GB (2 x 2GB) DDR400 PC-3200
250GB Seagate
Kingwin KF-91-BK SATA Mobile Rack
Kingwin KF-91-T-BK SATA Mobile Rack Tray
Sony CD/DVD-RW DWQ120AB2
CC: (none) => wilcal.int
Advisory:

This kernel-vserver update is based on upstream -longterm 3.10.58 and fixes the following security issues:

The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages (CVE-2014-3601).

The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation (CVE-2014-3631).

The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call (CVE-2014-7970).

The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call (CVE-2014-7975).

For other fixes included in this update, read the referenced changelogs.

References:
https://bugs.mageia.org/show_bug.cgi?id=14309
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.52
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.53
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.54
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.55
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.56
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.57
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.58
Advisory uploaded.
Whiteboard: (none) => advisory
Could someone please test this on x86_64?
Whiteboard: advisory => MGA3-32-OK advisory
(In reply to David Walser from comment #4)
> Could someone please test this on x86_64?

Will do, currently updating an old 64bits Mga3 that hasn't been updated in two months... will test as soon as it is up-to-date
CC: (none) => marja11
Created attachment 5604 [details]
journalctl -b

(In reply to Marja van Waes from comment #5)
> (In reply to David Walser from comment #4)
> > Could someone please test this on x86_64?
>
> Will do, currently updating an old 64bits Mga3 that hasn't been updated in
> two months... will test as soon as it is up-to-date

After having updated and rebooted and adding the updates_testing media, I had problems with urpmi.update, after running it the vserver packages didn't seem available.

I finally manually downloaded and installed the 7 vserver packages.

Then there was a problem with the Mageia 4 os-prober not showing a vserver entry on the Mageia 3 partition (I think cauldron os-prober would have seen it), I worked around that by letting Mga3 grub2 overwrite the bootloader in the MBR.

Booting with the vserver kernel then worked fine into RL3, but I'm not sure ipv6 shorewall failed before (saw that message while booting).

I need to leave now, will attach journalctl -b and systemctl -a output
Created attachment 5605 [details] systemctl -a
Based on the discussion on IRC, validating this now. Please push this to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3-32-OK advisory => MGA3-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0479.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED