Just released.

9.4.4-20180507

Updates in 2 source package(s), 4 binary package(s):

Source linux, binaries: linux-image-4.9.0-6-amd64:amd64 linux-image-4.9.0-6-arm64:arm64

linux (4.9.88-1) stretch-security; urgency=high

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.83
    - ext4: fix a race in the ext4 shutdown path
    - ext4: save error to disk in __ext4_grp_locked_error()
    - console/dummy: leave .con_font_get set to NULL
    - rtlwifi: rtl8821ae: Fix connection lost problem correctly
    - target/iscsi: avoid NULL dereference in CHAP auth error path
    - Btrfs: fix deadlock in run_delalloc_nocow
    - Btrfs: fix crash due to not cleaning up tree log block's dirty bits
    - Btrfs: fix extent state leak from tree log
    - Btrfs: fix unexpected -EEXIST when creating new inode
    - ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
    - ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE
    - [s390] s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
    - [x86] x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (hardening for Spectre)
    - [x86] x86/speculation: Update Speculation Control microcode blacklist
    - [x86] x86/speculation: Correct Speculation Control microcode blacklist again
    - [x86] KVM/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods
    - [x86] X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
    - vfs: don't do RCU lookup of empty pathnames
    - media: r820t: fix r820t_write_reg for KASAN
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.84
    - cfg80211: check dev_set_name() return value
    - xfrm: skip policies marked as dead while rehashing
    - mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
    - xfrm: Fix stack-out-of-bounds read on socket policy lookup.
    - xfrm: check id proto in validate_tmpl()
    - sctp: set frag_point in sctp_setsockopt_maxseg correctly
    - drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
    - selinux: ensure the context is NUL terminated in security_context_to_sid_core()
    - [x86] KVM: x86: fix escape of guest dr6 to the host
    - netfilter: x_tables: fix int overflow in xt_alloc_table_info()
    - netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
    - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
    - netfilter: on sockopt() acquire sock lock only in the required scope
    - netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
    - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
    - crypto: hash - prevent using keyed hashes without setting key
    - [arm*] ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
    - sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune
    - net_sched: red: Avoid devision by zero
    - net_sched: red: Avoid illegal values
    - btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
    - 509: fix printing uninitialized stack memory when OID is empty
    - dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved
    - clk: fix a panic error caused by accessing NULL pointer
    - xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
    - drm/armada: fix leak of crtc structure
    - [x86] mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
    - [x86] x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
    - hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
    - [powerpc*] powerpc/64s: Fix conversion of slb_miss_common to use RFI_TO_USER/KERNEL
    - [powerpc*] powerpc/64s: Simple RFI macro conversions
    - [powerpc*] powerpc/64s: Improve RFI L1-D cache flush fallback
    - crypto: talitos - fix Kernel Oops on hashing an empty file
    - ALSA: hda/ca0132 - fix possible NULL pointer use
    - [x86] KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously
    - crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.85
    - netfilter: drop outermost socket lock in getsockopt()
    - X.509: fix BUG_ON() when hash algorithm is unsupported
    - PKCS#7: fix certificate chain verification
    - RDMA/uverbs: Protect from command mask overflow
    - iio: buffer: check if a buffer has been set up when poll is called
    - iio: adis_lib: Initialize trigger before requesting interrupt
    - irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
    - ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
    - usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
    - ]arm64] arm64: Disable unhandled signal log messages by default
    - Revert "usb: musb: host: don't start next rx urb if current one failed"
    - X.509: fix NULL dereference when restricting key with unsupported_sig
    - mm: avoid spurious 'bad pmd' warning messages
    - [x86] x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.86
    - i2c: designware: must wait for enable
    - f2fs: fix a bug caused by NULL extent tree (CVE-2017-18193)
    - mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
    - mtd: nand: brcmnand: Zero bitflip is not an error
    - [arm*] ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
    - sget(): handle failures of register_shrinker()
    - drm/nouveau/pci: do a msi rearm on init
    - mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
    - tipc: error path leak fixes in tipc_enable_bearer()
    - tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
    - tg3: Add workaround to restrict 5762 MRRS to 2048
    - tg3: Enable PHY reset in MTU change path for 5720
    - bnx2x: Improve reliability in case of nested PCI errors
    - IB/mlx5: Fix mlx5_ib_alloc_mr error flow
    - genirq: Guard handle_bad_irq log messages
    - IB/mlx4: Fix mlx4_ib_alloc_mr error flow
    - IB/ipoib: Fix race condition in neigh creation
    - xfs: quota: fix missed destroy of qi_tree_lock
    - xfs: quota: check result of register_shrinker()
    - macvlan: Fix one possible double free
    - e1000: fix disabling already-disabled warning
    - drm/ttm: check the return value of kzalloc
    - nl80211: Check for the required netlink attribute presence
    - bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
    - xen-netfront: enable device after manual module load
    - mdio-sun4i: Fix a memory leak
    - xen/gntdev: Fix off-by-one error when unmapping with holes
    - xen/gntdev: Fix partial gntdev_mmap() cleanup
    - sctp: make use of pre-calculated len
    - net: gianfar_ptp: move set_fipers() to spinlock protecting area
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.87
    - [x86] tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
    - [x86] tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
    - [x86] tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
    - [x86] tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
    - [x86] tpm: constify transmit data pointers
    - [x86] tpm-dev-common: Reject too short writes
    - ALSA: usb-audio: Add a quirck for B&W PX headphones
    - ALSA: hda: Add a power_save blacklist
    - ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
    - timers: Forward timer base before migrating timers
    - [hppa] parisc: Fix ordering of cache and TLB flushes
    - dax: fix vma_is_fsdax() helper
    - [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - [x86] platform/intel-mid: Handle Intel Edison reboot correctly
    - media: m88ds3103: don't call a non-initalized function
    - nospec: Allow index argument to have const-qualified type
    - [armel,armhf] mvebu: Fix broken PL310_ERRATA_753970 selects
    - KVM: mmu: Fix overlap between public and private memslots
    - [x86] KVM: Remove indirect MSR op calls from SPEC_CTRL
    - [x86] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
    - PCI/ASPM: Deal with missing root ports in link state handling
    - dm io: fix duplicate bio completion due to missing ref count
    - [armhf] dts: LogicPD SOM-LV: Fix I2C1 pinmux
    - [armhf] dts: LogicPD Torpedo: Fix I2C1 pinmux
    - [x86] mm: Give each mm TLB flush generation a unique ID
    - [x86] speculation: Use Indirect Branch Prediction Barrier in context switch
    - md: only allow remove_and_add_spares when no sync_thread running.
    - netlink: put module reference if dump start fails
    - [x86] apic/vector: Handle legacy irq data correctly
    - bridge: check brport attr show in brport_show
    - fib_semantics: Don't match route with mismatching tclassid
    - hdlc_ppp: carrier detect ok, don't turn off negotiation
    - ipv6 sit: work around bogus gcc-8 -Wrestrict warning
    - net: fix race on decreasing number of TX queues
    - net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
    - netlink: ensure to loop over all netns in genlmsg_multicast_allns()
    - ppp: prevent unregistered channels from connecting to PPP units
    - udplite: fix partial checksum initialization
    - sctp: fix dst refcnt leak in sctp_v4_get_dst
    - net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
    - tcp: Honor the eor bit in tcp_mtu_probe
    - rxrpc: Fix send in rxrpc_send_data_packet()
    - tcp_bbr: better deal with suboptimal GSO
    - sctp: fix dst refcnt leak in sctp_v6_get_dst()
    - [s390x] qeth: fix underestimated count of buffer elements
    - [s390x] qeth: fix SETIP command handling
    - [s390x] qeth: fix overestimated count of buffer elements
    - [s390x] qeth: fix IP removal on offline cards
    - [s390x] qeth: fix double-free on IP add/remove race
    - [s390x] qeth: fix IP address lookup for L3 devices
    - [s390x] qeth: fix IPA command submission race
    - sctp: verify size of a new chunk in _sctp_make_chunk() (CVE-2018-5803)
    - net: mpls: Pull common label check into helper
    - mpls, nospec: Sanitize array index in mpls_label_ok()
    - bpf: fix wrong exposure of map_flags into fdinfo for lpm
    - bpf: fix mlock precharge on arraymaps
    - bpf, x64: implement retpoline for tail call
    - bpf, arm64: fix out of bounds access in tail call
    - btrfs: preserve i_mode if __btrfs_set_acl() fails
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.88
    - RDMA/ucma: Limit possible option size
    - RDMA/ucma: Check that user doesn't overflow QP state
    - RDMA/mlx5: Fix integer overflow while resizing CQ
    - [x86] drm/i915: Try EDID bitbanging on HDMI after failed read
    - scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
    - [x86] drm/i915: Always call to intel_display_set_init_power() in resume_early.
    - workqueue: Allow retrieval of current task's work struct
    - drm: Allow determining if current task is output poll worker
    - drm/nouveau: Fix deadlock on runtime suspend
    - drm/radeon: Fix deadlock on runtime suspend
    - drm/amdgpu: Fix deadlock on runtime suspend
    - drm/amdgpu: Notify sbios device ready before send request
    - drm/radeon: fix KV harvesting
    - drm/amdgpu: fix KV harvesting
    - drm/amdgpu:Correct max uvd handles
    - drm/amdgpu:Always save uvd vcpu_bo in VM Mode
    - [mips*/octeon] irq: Check for null return on kzalloc allocation
    - loop: Fix lost writes caused by missing flag
    - virtio_ring: fix num_free handling in error case
    - [s390x] KVM: fix memory overwrites when not using SCA entries
    - kbuild: Handle builtin dtb file names containing hyphens
    - IB/mlx5: Fix incorrect size of klms in the memory region
    - bcache: fix crashes in duplicate cache device register
    - bcache: don't attach backing with duplicate UUID
    - [x86] MCE: Serialize sysfs changes (CVE-2018-7995)
    - perf tools: Fix trigger class trigger_on()
    - [x86] spectre_v2: Don't check microcode versions when running under hypervisors
    - ALSA: hda/realtek: Limit mic boost on T480
    - ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
    - ALSA: hda/realtek - Make dock sound work on ThinkPad L570
    - ALSA: seq: Don't allow resizing pool in use
    - ALSA: seq: More protection for concurrent write and ioctl races
    - ALSA: hda: add dock and led support for HP EliteBook 820 G3
    - ALSA: hda: add dock and led support for HP ProBook 640 G2
    - nospec: Kill array_index_nospec_mask_check()
    - nospec: Include <asm/barrier.h> dependency
    - Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
    - [x86] speculation: Use IBRS if available before calling into firmware
    - [x86] retpoline: Support retpoline builds with Clang
    - [x86] speculation, objtool: Annotate indirect calls/jumps for objtool
    - [x86] boot, objtool: Annotate indirect jump in secondary_startup_64()
    - [x86] speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - [x86] paravirt, objtool: Annotate indirect calls
    - watchdog: hpwdt: SMBIOS check
    - watchdog: hpwdt: Check source of NMI
    - watchdog: hpwdt: fix unused variable warning
    - watchdog: hpwdt: Remove legacy NMI sourcing.
    - [armhf] omap2: hide omap3_save_secure_ram on non-OMAP3 builds
    - Input: tca8418_keypad - remove double read of key event register
    - tc358743: fix register i2c_rd/wr function fix
    - netfilter: add back stackpointer size checks (CVE-2018-1065)
    - netfilter: x_tables: fix missing timer initialization in xt_LED
    - netfilter: nat: cope with negative port range
    - netfilter: IDLETIMER: be syzkaller friendly
    - netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets (CVE-2018-1068)
    - netfilter: bridge: ebt_among: add missing match size checks
    - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
    - netfilter: x_tables: pass xt_counters struct instead of packet counter
    - netfilter: x_tables: pass xt_counters struct to counter allocator
    - netfilter: x_tables: pack percpu counter allocations
    - ext4: inplace xattr block update fails to deduplicate blocks
    - ubi: Fix race condition between ubi volume creation and udev
    - scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
    - NFS: Fix an incorrect type in struct nfs_direct_req
    - NFS: Fix unstable write completion
    - [x86] module: Detect and skip invalid relocations
    - [x86] Treat R_X86_64_PLT32 as R_X86_64_PC32
    - serial: sh-sci: prevent lockup on full TTY buffers
    - tty/serial: atmel: add new version check for usart
    - uas: fix comparison for error code
    - [x86] staging: comedi: fix comedi_nsamples_left.
    - USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
    - usbip: vudc: fix null pointer dereference on udc->lock
    - usb: quirks: add control message delay for 1b1c:1b20
    - usb: usbmon: Read text within supplied buffer size
    - usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
    - serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
    - serial: core: mark port as initialized in autoconfig
    - earlycon: add reg-offset to physical address before mapping
    - PCI: dwc: Fix enumeration end when reaching root subordinate

  [Yves-Alexis Perez]
  * [powerpc*] drop RFI patches, now included upstream

  [ Salvatore Bonaccorso ]
  * [rt] Refresh 0001-timer-make-the-base-lock-raw.patch context
  * [rt] Update to 4.9.84-rt62
  * blkcg: fix double free of new_blkg in blkcg_init_queue (CVE-2018-7480)
  * CIFS: Enable encryption during session setup phase (CVE-2018-1066)
  * staging: ncpfs: memory corruption in ncp_read_kernel() (CVE-2018-8822)
  * [arm64] net: hns: Fix a skb used after free bug (CVE-2017-18218)
  * media: usbtv: prevent double free in error case (CVE-2017-17975)
  * [arm64] net: hns: fix ethtool_get_strings overflow in hns driver
  * [arm64] net: hns: Fix ethtool private flags (CVE-2017-18222)
  * scsi: libsas: fix memory leak in sas_smp_get_phy_events() (CVE-2018-7757)
  * ext4: add validity checks for bitmap block numbers (CVE-2018-1093)
  * ext4: fix bitmap position validation
  * ext4: fail ext4_iget for root directory if unallocated (CVE-2018-1092)
  * random: fix crng_ready() test (CVE-2018-1108)
  * random: set up the NUMA crng instances after the CRNG is fully initialized
  * random: crng_reseed() should lock the crng instance that it is modifying
  * random: fix possible sleeping allocation from irq context
  * perf/hwbp: Simplify the perf-hwbp code, fix documentation (CVE-2018-1000199)

  [ Ben Hutchings ]
  * [x86] Revert "x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping" to avoid an ABI change
  * [x86] mm: Avoid ABI change for addition of ctx_id
  * [x86] cpu: Avoid ABI change in 4.9.83
  * crypto: hash: Avoid ABI change in 4.9.84
  * fs: Avoid ABI change in 4.9.85
  * [x86] nospec: Ignore ABI change for removal of __clear_rsb and __fill_rsb, previously exported for use by KVM
  * [x86] Ignore ABI change for cpu_tlbstate, apparently not used externally
  * jbd2: Ignore ABI changes
  * tpm_tis: Ignore ABI changes
  * ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (CVE-2017-18216)
  * ocfs2: ip_alloc_sem should be taken in ocfs2_get_block() (CVE-2017-18224)
  * f2fs: fix a panic caused by NULL flush_cmd_control (CVE-2017-18241)
  * f2fs: fix a dead loop in f2fs_fiemap() (CVE-2017-18257)
  * mm/hugetlb.c: don't call region_abort if region_chg fails
  * hugetlbfs: fix offset overflow in hugetlbfs mmap
  * hugetlbfs: check for pgoff value overflow (CVE-2018-7740)
  * mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl() (CVE-2018-8087)
  * drm: udl: Properly check framebuffer mmap offsets (CVE-2018-8781)
  * xfs: set format back to extents if xfs_bmap_extents_to_btree (CVE-2018-10323)
  * debian/lib/python/debian_linux/gencontrol.py: Allow uploads to *-security with a simple revision

Source tzdata, binaries: tzdata:amd64 tzdata:arm64

tzdata (2018e-0+deb9u1) stretch; urgency=medium

  [ Aurelien Jarno ]
  * New upstream version, affecting the following future timestamp:
    - North Korea switches back to +09 on 2018-05-05.

https://cloud.debian.org/images/openstack/current-9/

--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code is in use on a military site..." -- Simon Booth