MGASA-2020-0201

Description

Updated kernel packages fix security vulnerabilities This update is based on the upstream 5.6.8 kernel and fixes at least the following security issues: usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference(CVE-2020-12464). An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation (CVE-2020-12659). Other fixes in this update: - printk: queue wake_up_klogd irq_work only if per-CPU areas are ready - Fix use after free in get_tree_bdev() - propagate_one(): mnt_set_mountpoint() needs mount_lock - iwlwifi: pcie: handle QuZ configs with killer NICs as well - Fix building out of tree modules on aarch64 (pterjan) For other fixes and changes in this update, see the refenced changelogs.

Affected Systems

• mageia•kernel

  < 5.6.8-1.mga7

• mageia•kmod-virtualbox

  < 6.0.20-4.mga7

• mageia•kmod-xtables-addons

  < 3.9-2.mga7

References (4)

• https://advisories.mageia.org/MGASA-2020-0201.html
• https://bugs.mageia.org/show_bug.cgi?id=26570
• https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7
• https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8