Starting over with this as the old report got long and messy...

Last round:

SRPMS:
dracut-038-21.mga5.src.rpm
kernel-4.4.13-1.mga5.src.rpm
kernel-userspace-headers-4.4.13-1.mga5.src.rpm
kmod-vboxadditions-5.0.16-6.mga5.src.rpm
kmod-virtualbox-5.0.16-6.mga5.src.rpm
kmod-xtables-addons-2.10-7.mga5.src.rpm

i586:
dracut-038-21.mga5.i586.rpm
cpupower-4.4.13-1.mga5.i586.rpm
cpupower-devel-4.4.13-1.mga5.i586.rpm
kernel-desktop-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.13-1.mga5.i586.rpm
kernel-desktop586-latest-4.4.13-1.mga5.i586.rpm
kernel-desktop-devel-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.13-1.mga5.i586.rpm
kernel-desktop-latest-4.4.13-1.mga5.i586.rpm
kernel-doc-4.4.13-1.mga5.noarch.rpm
kernel-server-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.13-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.13-1.mga5.i586.rpm
kernel-server-latest-4.4.13-1.mga5.i586.rpm
kernel-source-4.4.13-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.13-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.13-1.mga5.i586.rpm
perf-4.4.13-1.mga5.i586.rpm
vboxadditions-kernel-4.4.13-desktop-1.mga5-5.0.16-6.mga5.i586.rpm
vboxadditions-kernel-4.4.13-desktop586-1.mga5-5.0.16-6.mga5.i586.rpm
vboxadditions-kernel-4.4.13-server-1.mga5-5.0.16-6.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.0.16-6.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.0.16-6.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-4.4.13-desktop-1.mga5-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-4.4.13-desktop586-1.mga5-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-4.4.13-server-1.mga5-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.0.16-6.mga5.i586.rpm
virtualbox-kernel-server-latest-5.0.16-6.mga5.i586.rpm
xtables-addons-kernel-4.4.13-desktop-1.mga5-2.10-7.mga5.i586.rpm
xtables-addons-kernel-4.4.13-desktop586-1.mga5-2.10-7.mga5.i586.rpm
xtables-addons-kernel-4.4.13-server-1.mga5-2.10-7.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-7.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-7.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-7.mga5.i586.rpm

x86_64:
dracut-038-21.mga5.x86_64.rpm
cpupower-4.4.13-1.mga5.x86_64.rpm
cpupower-devel-4.4.13-1.mga5.x86_64.rpm
kernel-desktop-4.4.13-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.13-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.13-1.mga5.x86_64.rpm
kernel-desktop-latest-4.4.13-1.mga5.x86_64.rpm
kernel-doc-4.4.13-1.mga5.noarch.rpm
kernel-server-4.4.13-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.13-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.13-1.mga5.x86_64.rpm
kernel-server-latest-4.4.13-1.mga5.x86_64.rpm
kernel-source-4.4.13-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.13-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.13-1.mga5.x86_64.rpm
perf-4.4.13-1.mga5.x86_64.rpm
vboxadditions-kernel-4.4.13-desktop-1.mga5-5.0.16-6.mga5.x86_64.rpm
vboxadditions-kernel-4.4.13-server-1.mga5-5.0.16-6.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.0.16-6.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.0.16-6.mga5.x86_64.rpm
virtualbox-kernel-4.4.13-desktop-1.mga5-5.0.16-6.mga5.x86_64.rpm
virtualbox-kernel-4.4.13-server-1.mga5-5.0.16-6.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.0.16-6.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.0.16-6.mga5.x86_64.rpm
xtables-addons-kernel-4.4.13-desktop-1.mga5-2.10-7.mga5.x86_64.rpm
xtables-addons-kernel-4.4.13-server-1.mga5-2.10-7.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-7.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-7.mga5.x86_64.rpm
Blocks: (none) => 18374
Blocks: (none) => 18375
Advisory:

This kernel update provides an upgrade to the upstream 4.4 longterm kernel series, currently based on 4.4.13 and resolves at least the following security issues:

The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (CVE-2013-4312).

drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device (CVE-2015-5257).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (CVE-2015-5307).

An out-of-bounds memory read was found, affecting kernels from 4.3-rc1 onwards. This vulnerability was caused by incorrect X.509 time validation in x509_decode_time() function in x509_cert_parser.c (CVE-2015-5327).

The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (CVE-2015-6937).

The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (CVE-2015-7550).

The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (CVE-2015-8104).

The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (CVE-2015-8543).

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands (CVE-2016-0728).

An issue with ASN.1 DER decoder was reported that could lead to memory corruptions, possible privilege escalation, or complete local denial of service via x509 certificate DER files (CVE-2016-0758).

The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack (CVE-2016-2085).

The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data (CVE-2016-2117).

The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (CVE-2016-3136).

drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (CVE-2016-3137).

The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (CVE-2016-3672).

Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) with variable Memory Type Range Registers (MTRR) support is vulnerable to an out-of-bounds r/w access issue. It could occur while accessing processors' MTRRs via ioctl(2) calls. A privileged user inside guest could use this flaw to manipulate host kernel's memory bytes leading to information disclosure OR potentially crashing the kernel resulting in DoS (CVE-2016-3713).

Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area (CVE-2016-3961).

The server kernels have been switched from SLAB to SLUB memory allocator as it performs better under high memory pressure for most users.

This update also provides better support for various newer hardware.

For other changes in this update, see the referenced changelogs.
References:
http://kernelnewbies.org/Linux_4.2
http://kernelnewbies.org/Linux_4.3
http://kernelnewbies.org/Linux_4.4
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.1
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.2
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.3
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.4
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.5
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.6
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.7
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.9
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.12
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.13
CVE list: CVE-2013-4312 CVE-2015-5257 CVE-2015-5307 CVE-2015-5327 CVE-2015-6937 CVE-2015-7550 CVE-2015-7799 CVE-2015-8104 CVE-2015-8543 CVE-2016-0728 CVE-2016-0758 CVE-2016-2085 CVE-2016-2117 CVE-2016-2143 CVE-2016-3136 CVE-2016-3137 CVE-2016-3672 CVE-2016-3713 CVE-2016-3961
x86_64 server kernel has been running on Mageia buildsystem servers for the last ~12 hours, no issue so far. i586 and x86_64 server kernels have been running on my local buildservers for the last ~12 hours overloaded with parallel builds of kernel, gcc, glibc in a loop to max out cpu and memory pressure with 3 times more threads than the hw can provide, and they still keep going without problems...
Advisory update/removal: I patched CVE-2016-0728 was already in MGASA-2016-0033
4.4.13-desktop-1.mga5 on an Acer Aspire 5738DZG laptop (x86-64). Everything seems fine: Firefox, YouTube, Xfce, VLC, Extreme Tux Racer, HexChat, Pidgin, Samba, ssh.
CC: (none) => shlomif
Blocks: (none) => 18493
Assuming that the distributable form of b43-openfwwf open firmware will continue to not work with kernel 4.4 and above, and because of that Mageia will probably no longer be supporting it, I have converted to the proprietary firmware for my BCM4318 devices and will no longer be testing that open firmware with new kernels. Installed the i586 kernel-desktop on my Dell Dimension E310, P4 processor and Intel graphics. BCM4318 wifi came up immediately upon booting. Firefox 45.2 browses as expected, videos play perfectly with vlc. No problems noted.
CC: (none) => andrewsfarm
Linux localhost 4.4.13-desktop-1.mga5 #1 SMP Fri Jun 10 12:16:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Video: Description: RS780L [Radeon 3000]
CPU: AMD Athlon(tm) II X3 450 Processor
Ethernet: AR8151 v2.0 Gigabit Ethernet
Soundcard: SBx00 Azalia (Intel HDA) - Advanced Micro Devices, Inc. [AMD/ATI]
Sound is working. I was able to record from headphone mic as well. So far so good. I'll keep it running and see if something breaks.
CC: (none) => brtians1
x86_64 server kernel updated OK with Athlon X2 box and nvidia 340 driver. Virtualbox had been updated to 5.0.20 in a previous test and has been working OK for me so I have not downgraded it back to 5.0.16 as some have advised. Unless there is a compelling reason for the downgrade, I'd rather leave things as they are. No problems noted. The nvidia and virtualbox kernel modules rebuilt themselves for the 4.4.13 kernel, and are working without incident. Virtualbox XP guest runs perfectly, or as perfectly as XP ever runs. I have not yet tried either of my Mageia guests yet. Other apps working OK: vlc, Firefox, Thunderbird, Libreoffice Calc.
On my workstation at home, with 4.4.13 (server i586), mplayer is able to capture the audio itself rather than having to use aumix -l. I am no longer able to control the volume or sound via Kmix, but by adding the "-mixer-channel line" option to mplayer, the m key for mute inside of mplayer itself works. In the long run (thinking Plasma and Mageia 6), this may be a good thing. Sometimes I have to do "alsactl init" again to get audio working, but this is good enough for now. I think we can release this one. Will test on my other systems when I have the opportunity to. Thanks for your patience with this Thomas!
Linux localhost 4.4.13-desktop-1.mga5 #1 SMP Fri Jun 10 12:16:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Video: NVIDIA GeForce 6100
CPU: Athlon X2-3800
Ethernet: NVIDIA MCP51
Sound is working.
USB thumbdrive mounts fine and is accessible.
Will test WIFI next.
WIFI: RALINK RT2760 Working as designed. Able to connect and browse. So far this seems pretty clean on my equipment.
Updated both 32-bit and 64-bit Mageia guests in VirtualBox 5.0.20. All packages installed cleanly. No problems noted in either guest.
All ok mga5 64 (q6600 nvidia-current) Anybody have any objections to validating this one?
I don't. Tested ownCloud with it as well. It worked fine. <typed from 4.4.13 kernel.>
Validating the kernel - hurrah!
Keywords: (none) => validated_update
Whiteboard: (none) => mga5-64-ok mga5-32-ok
CC: (none) => sysadmin-bugs
Tested mga5_64, Testing complete for the new kernel-desktop-4.4.13-1.mga5, all seems to work properly. Tested on a real hardware (Laptop ASUS K73S with Optimus Technology): No regression found !! Just a question: is there any nvidia module rebuilt against this new kernel to validate?
CC: (none) => geiger.david68210
Nonfree modules are not now prebuilt due to it being found to be in violation of the GPL. They are supplied dkms only and should rebuild when kernels are installed or after the reboot.
advisory uploaded
Whiteboard: mga5-64-ok mga5-32-ok => mga5-64-ok mga5-32-ok advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0225.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=15660