Mageia 6: MGASA-2018-0487 Critical: Kernel Security Flaws Addressed

December 21, 2018
The crucial patch MGASA-2018-0487 targets significant security flaws and vulnerabilities present in Mageia 6's kernel.

Summary

This kernel update is based on the upstream 4.14.89 and fixes at least the following security issues:
Cross-hyperthread Spectre v2 mitigation is now provided by the Single Thread Indirect Branch Predictors (STIBP) support. Note that STIBP also requires the functionality be supported by the Intel microcode in use.
It was found that the cephx authentication protocol did not verify ceph clients correctly and was vulnerable to a replay attack. Any attacker having access to the ceph cluster network who is able to sniff packets on the network can use this vulnerability to authenticate with the ceph service and perform actions allowed by the ceph service (CVE-2018-1128).
A flaw was found in the way signature calculation was handled by the cephx authentication protocol. An attacker having access to the ceph cluster network who is able to alter the message payload was able to bypass signature checks done by the cephx protocol (CVE-2018-1129).
A flaw was found in the Linux Kernel where an attacker may be able to have an uncont...


References

- https://bugs.mageia.org/show_bug.cgi?id=24032

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.79

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.80

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.81

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.82

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.83

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.84

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.85

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.86

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.88

- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.89

- https://www.cve.org/CVERecord?id=CVE-2018-1128

- https://www.cve.org/CVERecord?id=CVE-2018-1129

- https://www.cve.org/CVERecord?id=CVE-2018-14625

- https://www.cve.org/CVERecord?id=CVE-2018-16862

- https://www.cve.org/CVERecord?id=CVE-2018-18397

- https://www.cve.org/CVERecord?id=CVE-2018-19824

Resolution

SRPMS

- 6/core/kernel-4.14.89-1.mga6

- 6/core/kernel-userspace-headers-4.14.89-1.mga6

- 6/core/kmod-vboxadditions-5.2.22-5.mga6

- 6/core/kmod-virtualbox-5.2.22-5.mga6

- 6/core/kmod-xtables-addons-2.13-75.mga6
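
A post-update check, added here as an example and not part of the Mageia advisory: it confirms that the running kernel is at or above the 4.14.89 base and that the CPU and microcode expose STIBP, as the summary says is required. The function names, the sample inputs and the exact wording of the sysfs line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): confirm the fixed kernel is running
# and that the CPU/microcode in use exposes STIBP.
FIXED="4.14.89"   # upstream version this update is based on, per the advisory

# Constructed sample inputs; the exact sysfs wording is an assumption.
SAMPLE_CPUINFO='flags           : fpu vme pti ibrs ibpb stibp'
SAMPLE_SYSFS='Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'

# kernel_is_fixed RELEASE: true if the x.y.z part of `uname -r` is >= FIXED.
# Only meaningful for the Mageia 6 4.14 kernel series this advisory covers.
kernel_is_fixed() {
    ver="${1%%-*}"   # "4.14.89-desktop-1.mga6" -> "4.14.89"
    printf '%s %s\n' "$ver" "$FIXED" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0 }'
}

# cpu_has_stibp CPUINFO_TEXT: true if the first "flags" line lists stibp.
cpu_has_stibp() {
    printf '%s\n' "$1" | grep -m1 '^flags' | grep -qw 'stibp'
}

# stibp_state SPECTRE_V2_LINE: print the STIBP state the kernel reports.
stibp_state() {
    case "$1" in
        *"STIBP: "*) s="${1#*STIBP: }"; printf '%s\n' "${s%%,*}" ;;
        *STIBP*)     printf 'enabled\n' ;;
        *)           printf 'not reported\n' ;;
    esac
}

# report: run the three checks against the live system; always returns 0.
report() {
    rel="$(uname -r)"
    if kernel_is_fixed "$rel"; then echo "kernel $rel: at or above $FIXED"
    else echo "kernel $rel: older than $FIXED, reboot into the updated kernel"; fi
    if cpu_has_stibp "$(cat /proc/cpuinfo 2>/dev/null)"; then echo "cpu flag stibp: present"
    else echo "cpu flag stibp: absent, check the CPU microcode in use"; fi
    v2="$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null || true)"
    echo "spectre_v2 STIBP state: $(stibp_state "$v2")"
}
report
```

Installing the packages does not change the running kernel, so run the check after rebooting into the updated one.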

Severity
critical

Publication date: 21 Dec 2018
URL: https://advisories.mageia.org/MGASA-2018-0487.html
Type: security
CVE: CVE-2018-1128, CVE-2018-1129, CVE-2018-14625, CVE-2018-16862, CVE-2018-18397, CVE-2018-19824
