Bug 22543 - Update request: kernel-tmb 4.14.18
Summary: Update request: kernel-tmb 4.14.18
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK, MGA6-32-OK
Keywords: advisory, validated_update
Depends on: 22525
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-08 10:07 CET by Thomas Backlund
Modified: 2018-02-15 22:18 CET (History)
3 users (show)

See Also:
Source RPM: kernel-tmb
CVE:
Status comment:


Attachments

Description Thomas Backlund 2018-02-08 10:07:33 CET
As core kernel now have catched up on Spectre/Meltdown mitigations (bug 22533), its time to update theese kernels too...

Advisory will follow...



SRPMS:
kernel-tmb-4.14.18-1.mga6.src.rpm


i586:
kernel-tmb-desktop-4.14.18-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.14.18-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.14.18-1.mga6.i586.rpm
kernel-tmb-desktop-latest-4.14.18-1.mga6.i586.rpm
kernel-tmb-source-4.14.18-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.18-1.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.14.18-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.14.18-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.14.18-1.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.14.18-1.mga6.x86_64.rpm
kernel-tmb-source-4.14.18-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.18-1.mga6.noarch.rpm
Thomas Backlund 2018-02-08 10:07:42 CET

Depends on: (none) => 22525

Comment 1 Len Lawrence 2018-02-09 01:42:23 CET
Installed tmb desktop kernel.
nvidia current module and virtualbox kmod built.
$ drakboot --boot
Rebooted to Mate desktop.

System:    Host: difda Kernel: 4.14.16-desktop-1.mga6 x86_64
CPU:       Quad core Intel Core i7-4790 (-HT-MCP-) speed/max: 3810/4000 MHz
Machine:   Device: desktop Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169
Graphics:  Card: NVIDIA GM204 [GeForce GTX 970]
           GLX Version: 4.5.0 NVIDIA 384.111
RAM:       31.37 GB

Successful runs of stress tests and glmark2.  NFS shares mounted.
Desktop running fine.  vlc playing videos via NFS share.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2018-02-11 13:40:04 CET
Not sure which partition that last install referred to.
Have redone it on another partition.

nvidia kmod rebuilt at boot.

System:    Host: difda Kernel: 4.14.18-tmb-desktop-1.mga6 x86_64
CPU:       Quad core Intel Core i7-4790 (-HT-MCP-) speed/max: 3921/4000 MHz
Machine:   Device: desktop Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0
Graphics:  Card: NVIDIA GM204 [GeForce GTX 970]
           GLX Version: 4.5.0 NVIDIA 384.111
RAM:       31.32 GB
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169

Everything is running smoothly.  Hardware tests completed.
virtualbox, sound and video, scheduled updates, networking and network shares. 
No regressions.
Comment 3 Thomas Backlund 2018-02-11 17:44:20 CET
Advisory, added to svn:

type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE-2017-5715
 - CVE-2017-5753
 - CVE-2017-8824
 - CVE-2017-1000410
src:
  6:
   core:
     - kernel-tmb-4.14.18-1.mga6
description: |
  This kernel-tmb update is based on the upstream 4.14.18 and and adds some
  support for mitigating  Spectre, variant 1 (CVE-2017-5753) and as it is
  built with the retpoline-aware gcc-5.5.0-1.mga6, it now provides full
  retpoline mitigation for Spectre, variant 2 (CVE-2017-5715).

  The BPF interpreter has been used as part of the spectre 2 attack
  CVE-2017-5715. To make attacker job harder introduce BPF_JIT_ALWAYS_ON
  config option that removes interpreter from the kernel in favor of JIT-only
  mode. This is now enabled by default in Mageia kernels.

  Other security fixes in this update:

  Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies
  in the processing of incoming L2CAP commands - ConfigRequest, and
  ConfigResponse messages. This info leak is a result of uninitialized stack
  variables that may be returned to an attacker in their uninitialized state.
  By manipulating the code flows that precede the handling of these
  configuration messages, an attacker can also gain some control over which
  data will be held in the uninitialized stack variables. This can allow him
  to bypass KASLR, and stack canaries protection - as both pointers and stack
  canaries may be leaked in this manner (CVE-2017-1000410).

  The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through
  4.14.3 allows local users to gain privileges or cause a denial of service
  (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN
  state (CVE-2017-8824).

  WireGuard has been updated to 0.0.20180202

  This update also fixes the rtl8812au driver that got broken/missing in
  the upgrade to 4.14 series kernels (mga#22524).

  For other fixes in this update, read the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22543
 - https://bugs.mageia.org/show_bug.cgi?id=22524
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.15
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.16
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.17
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.18

Keywords: (none) => advisory

Comment 4 James Kerr 2018-02-12 12:50:17 CET
On mga6-64 plasma

packages installed cleanly:
- kernel-tmb-desktop-4.14.18-1.mga6-1-1.mga6.x86_64
- kernel-tmb-desktop-latest-4.14.18-1.mga6.x86_64

system rebooted normally:
$ uname -r
4.14.18-tmb-desktop-1.mga6

Tested several commonly used applications

No regressions noted

OK for mga6-64 on this system:

Machine:   Device: desktop System: Hewlett-Packard product: CQ2925EA
           Mobo: PEGATRON model: 2AE2 v: 1.02 UEFI: AMI v: 8.08
CPU:       Dual core Intel Pentium G645T (-MCP-) cache: 3072 KB 
Graphics:  Card: Intel 2nd Generation Core Processor Family
           Display Server: Mageia X.org 119.5 drivers: v4l,intel

CC: (none) => jim

Comment 5 James Kerr 2018-02-13 11:46:26 CET
on mga6-32 XFCE

packages installed cleanly:
- kernel-tmb-desktop-4.14.18-1.mga6-1-1.mga6.i586
- kernel-tmb-desktop-devel-4.14.18-1.mga6-1-1.mga6.i586
- kernel-tmb-desktop-devel-latest-4.14.18-1.mga6.i586
- kernel-tmb-desktop-latest-4.14.18-1.mga6.i586

system re-booted normally
$ uname -r
4.14.18-tmb-desktop-1.mga6

tested several commonly used applications

looks OK for mga6-32 on this system:

Machine:   Device: desktop Mobo: ECS model: GeForce7050M-M 
CPU:       Quad core AMD Phenom 9500 (-MCP-)
Graphics:  Card: NVIDIA C68 [GeForce 7050 PV / nForce 630a]
           Display Server: Mageia X.org 119.5 drivers: nvidia,v4l
           GLX Version: 2.1.2 NVIDIA 304.137
Comment 6 claire robinson 2018-02-13 18:16:04 CET
Testing mga6 64

Nothing unusual to report.

Kaby Lake laptop.
model name : Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
Comment 7 Thomas Backlund 2018-02-15 21:58:22 CET
Validating as its tested om both arches

Whiteboard: (none) => MGA6-64-OK, MGA6-32-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2018-02-15 22:18:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0126.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.