New kernel with several fixed CVEs

SRPMS:
kernel-4.4.65-1.mga5.src.rpm
kernel-userspace-headers-4.4.65-1.mga5.src.rpm
kmod-xtables-addons-2.10-37.mga5.src.rpm

i586:
cpupower-4.4.65-1.mga5.i586.rpm
cpupower-devel-4.4.65-1.mga5.i586.rpm
kernel-desktop-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop586-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop-latest-4.4.65-1.mga5.i586.rpm
kernel-doc-4.4.65-1.mga5.noarch.rpm
kernel-server-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-server-latest-4.4.65-1.mga5.i586.rpm
kernel-source-4.4.65-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.65-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.65-1.mga5.i586.rpm
perf-4.4.65-1.mga5.i586.rpm
xtables-addons-kernel-4.4.65-desktop-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-4.4.65-desktop586-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-4.4.65-server-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-37.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-37.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-37.mga5.i586.rpm

x86_64:
cpupower-4.4.65-1.mga5.x86_64.rpm
cpupower-devel-4.4.65-1.mga5.x86_64.rpm
kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.65-1.mga5.x86_64.rpm
kernel-desktop-latest-4.4.65-1.mga5.x86_64.rpm
kernel-doc-4.4.65-1.mga5.noarch.rpm
kernel-server-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.65-1.mga5.x86_64.rpm
kernel-server-latest-4.4.65-1.mga5.x86_64.rpm
kernel-source-4.4.65-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.65-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.65-1.mga5.x86_64.rpm
perf-4.4.65-1.mga5.x86_64.rpm
xtables-addons-kernel-4.4.65-desktop-1.mga5-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-4.4.65-server-1.mga5-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-37.mga5.x86_64.rpm
virtualbox and vboxadditions kmods will be built after virtualbox update: https://bugs.mageia.org/show_bug.cgi?id=20729 is validated and pushed to mirrors
Depends on: (none) => 20729
Advisory (also added to svn):

This kernel update is based on upstream 4.4.65 and fixes at least the following security issues:

fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts (CVE-2016-6213).

The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (CVE-2016-7913).

The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917).

The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632).

drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug" (CVE-2016-9083).

drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (CVE-2016-9084).

It was discovered that root can gain direct access to an internal keyring, such as '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring (CVE-2016-9604).

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (CVE-2017-2671).

Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786 (CVE-2017-6001).

The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (CVE-2017-6951).

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (CVE-2017-7308).

A vulnerability was found in the Linux kernel. It was found that keyctl_set_reqkey_keyring() function leaks thread keyring which allows unprivileged local user to exhaust kernel memory (CVE-2017-7472).

For other upstream fixes in this update, see the referenced changelogs.

references:
- https://bugs.mageia.org/show_bug.cgi?id=20747
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.60
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.61
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.62
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.63
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.64
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.65
Whiteboard: (none) => advisory
Installed all the relevant packages on x86_64 real hardware
nvidia 375.39 (GTX 770)
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
RAM 2x8GB ChannelB-DIMM1 1333MHz
ASUS Gigabyte Sniper Z.97 motherboard

Installed cleanly. Rebooted OK. Desktop running fine.
CC: (none) => tarazed25
x86_64
MSI motherboard
nvidia GTX 970
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
32GB RAM (4*8GB ChannelA-DIMM0 1600MHz)

Updated all packages. Kernel modules rebuilt. Rebooted to Mate desktop - everything running normally.
Except that firefox keeps freezing.
x86_64 MBR
Lenovo Ideapad Y500
nvidia GT650M
Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
RAM 2x4GB DIMM

Smooth upgrade; dkms builds OK. Rebooted to a working desktop and there do not appear to be any problems.
Tested on 4 laptops i586 and x86_64.
CC: (none) => lists.jjorge
MGA-32 on Asus A6000VM Xfce (MBR - nVidia)
No installation issues.
Restarting after installation went after a while to a black screen and then hangs too long for me to wait (more than 10 min.)
Power down, and then restart OK.
Opened Firefox (obviously) pdf, odp, jpg files, played movie and sound from newspaper site. All seems OK.
CC: (none) => herman.viaene
virtualbox update got pushed, so the kmods for this update are now built:

SRPMS:
kmod-vboxadditions-5.1.22-2.mga5.src.rpm
kmod-virtualbox-5.1.22-2.mga5.src.rpm

i586:
vboxadditions-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-4.4.65-desktop586-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-4.4.65-desktop586-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.22-2.mga5.i586.rpm

x86_64:
vboxadditions-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.22-2.mga5.x86_64.rpm
And Mageia infra has been running the x86_64 server kernel for ~1 week now without problems
32-bit
Installed desktop within VM on AMD x3 hardware
AMD Radeon

Seems to be working as designed.

$ uname -a
Linux localhost 4.4.65-desktop-1.mga5 #1 SMP Fri Apr 28 14:45:58 UTC 2017 i686 i686 i686 GNU/Linux
CC: (none) => brtians1
64-bit
Install and execution working as designed. I've also tested that VBox is still working. Actually running an mga6 install in VB on the update kernel now.

AMD x3 and AMD Integrated video (Radeon).

$ uname -a
Linux localhost 4.4.65-desktop-1.mga5 #1 SMP Fri Apr 28 14:15:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

--------------
The following 4 packages are going to be installed:
- cpupower-4.4.65-1.mga5.x86_64
- kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64
- virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64

53MB of additional disk space will be used.
47MB of packages will be retrieved.
Is it ok to continue?
-------------

Firefox, network, writer and VBox are working.
On mga5-64

Packages installed cleanly:
- cpupower-4.4.65-1.mga5.x86_64
- kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64
- kernel-desktop-latest-4.4.65-1.mga5.x86_64
- virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64

System rebooted normally
No regressions noted
virtualbox and clients - OK

OK for mga5-64 on this system:
Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
CC: (none) => jim
Testing x64 real EFI hardware.

cpupower-4.4.65-1.mga5
kernel-desktop-latest-4.4.65-1.mga5
kernel-desktop-4.4.65-1.mga5-1-1.mga5
kernel-desktop-devel-latest-4.4.65-1.mga5
kernel-userspace-headers-4.4.65-1.mga5
kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5

Have been using these without problems. OK for me.
CC: (none) => lewyssmith
No issue here with a 7-year-old laptop (x86_64).
Testing of both i586 and x86_64 installs here ok, with all kernels, as usual. As CVE-2017-7308 is exploitable per https://googleprojectzero.blogspot.ca/2017/05/exploiting-linux-kernel-via-packet.html and no problems found, validating the update.
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0136.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED