All critical CVE fixes in as in core kernel in MGASA-2017-0136 + More CVE fixes, including remote NFSD exploits, advisory will follow... SRPMS: kernel-tmb-4.4.68-1.mga5.src.rpm i586: kernel-tmb-desktop-4.4.68-1.mga5-1-1.mga5.i586.rpm kernel-tmb-desktop-devel-4.4.68-1.mga5-1-1.mga5.i586.rpm kernel-tmb-desktop-devel-latest-4.4.68-1.mga5.i586.rpm kernel-tmb-desktop-latest-4.4.68-1.mga5.i586.rpm kernel-tmb-source-4.4.68-1.mga5-1-1.mga5.noarch.rpm kernel-tmb-source-latest-4.4.68-1.mga5.noarch.rpm x86_64: kernel-tmb-desktop-4.4.68-1.mga5-1-1.mga5.x86_64.rpm kernel-tmb-desktop-devel-4.4.68-1.mga5-1-1.mga5.x86_64.rpm kernel-tmb-desktop-devel-latest-4.4.68-1.mga5.x86_64.rpm kernel-tmb-desktop-latest-4.4.68-1.mga5.x86_64.rpm kernel-tmb-source-4.4.68-1.mga5-1-1.mga5.noarch.rpm kernel-tmb-source-latest-4.4.68-1.mga5.noarch.rpm
x86_64, nvidia GTX770, Haswell i7-4790K, 16GB RAM (DIMM) Gigabyte Sniper.Z97 motherboard Clean install. nvidia and virtualbox modules rebuilt during boot sequence. nvidia 375.26 Mate, Mate terminal, emacs Virtualbox Sound and video working fine, vlc, mplayer, TV card PCTV 290e Package installation, gem, ruby, tk, rsync MCC, LibreOffice writer, Firefox, MageiaWelcome Bluetooth eom, gqview, ImageMagick, gwenview, gimp glmark2 galculator, xpdf All working fine.
CC: (none) => tarazed25
Broadwell Intel(R) Core(TM) i7-5700HQ CPU @ 2.70GHz 16GB RAM twin nvidia GTX 965M - running on one Installed from Updates Testing and rebooted. Mate Desktop functioning. pulseaudio up and running. Tried terminals, emacs, networking, libreoffice, the gimp, mcc, urpmi, firefox Installed ntp, enabled and started it. image viewers: eom, gwenview, display audio/video OK in gmplayer and vlc All working - that should be enough for now.
Re comment 2 - that was x86_64 $ sudo nvidia-xconfig --sli=ON Logged out and in. xorg.conf screen section records "SLI" "ON" nvidia-settings lists DFP-1 against GPU 0 only. The system continues to work normally.
x86_64 Ivy Bridge Intel(R) Core(TM) i7-3630QM nvidia GT 650M (nvidia 375.26 driver) 8GB RAM Installed the packages from Core Updates Testing - no problems. Rebooted to working Mate desktop. Common applications work: terminal, emacs, vi, ssh, ruby, tk, vlc, mplayer, libreoffice, imagemagick, eom, gqview, gwenview, firefox, sound and video..... Installed stellarium and celestia and both worked fine.
Advisory (also added to svn): This kernel-tmb update is based on upstream 4.4.68 and fixes atleast the following security issues: fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts (CVE-2016-6213). The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (CVE-2016-7913). The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917). The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632). drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug" (CVE-2016-9083). drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (CVE-2016-9084). It was discovered that root can gain direct access to an internal keyring, such as '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring (CVE-2016-9604). The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (CVE-2017-2671). Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786 (CVE-2017-6001). The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (CVE-2017-6951). The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (CVE-2017-7308). A vulnerability was found in the Linux kernel. It was found that keyctl_set_reqkey_keyring() function leaks thread keyring which allows unprivileged local user to exhaust kernel memory (CVE-2017-7472). The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (CVE-2017-7645). The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c (CVE-2017-7895). For other upstream fixes in this update, see the referenced changelogs. references: - https://bugs.mageia.org/show_bug.cgi?id=20859 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.60 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.61 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.62 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.63 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.64 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.65 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.66 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.67 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.68
Whiteboard: (none) => advisory
Testing of all kernels complete on real hardware and under vb.
Keywords: (none) => validated_updateWhiteboard: advisory => advisory MGA5-64-OK MGA5-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0147.html
Status: NEW => RESOLVEDResolution: (none) => FIXED