MGASA-2020-0355 - Updated kernel and kernel-linus packages fix security vulnerabilities
Publication date: 30 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0355.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-19448,
CVE-2020-14314
This update is based on the upstream 5.7.19 kernel and fixes at least the
following security issue:
In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem
image, performing some operations, and then making a syncfs system call can
lead to a use-after-free in try_merge_free_space in
fs/btrfs/free-space-cache.c because the pointer to a left data structure can
be the same as the pointer to a right data structure (CVE-2019-19448).
A memory out-of-bounds read flaw was found in the Linux kernel's ext3/ext4
filesystem, in the way it accesses a directory with broken indexing. This flaw
allows a local user to crash the system if the directory exists. The highest
threat from this vulnerability is to system availability (CVE-2020-14314).
For other upstream fixes and changes in this update, see the referenced
changelogs.
Also, the wireguard-tools package has been updated to version 1.0.20200827.
References:
- https://bugs.mageia.org/show_bug.cgi?id=27215
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.15
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.16
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.17
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.18
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.19
- https://access.redhat.com/security/cve/CVE-2020-14314
- https://www.linuxkernelcves.com/cves/CVE-2020-14314
- https://www.linuxkernelcves.com/cves/CVE-2019-19448
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19448
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314
SRPMS:
- 7/core/kernel-5.7.19-1.mga7
- 7/core/kernel-linus-5.7.19-1.mga7
- 7/core/kmod-virtualbox-6.0.24-5.mga7
- 7/core/kmod-xtables-addons-3.10-3.mga7
- 7/core/wireguard-tools-1.0.20200827-1.mga7
Mageia 2020-0355: kernel and kernel-linus security update
Summary
This update is based on the upstream 5.7.19 kernel and fixes at least the
following security issue:
In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem
image, performing some operations, and then making a syncfs system call can
lead to a use-after-free in try_merge_free_space in
fs/btrfs/free-space-cache.c because the pointer to a left data structure can
be the same as the pointer to a right data structure (CVE-2019-19448).
A memory out-of-bounds read flaw was found in the Linux kernel's ext3/ext4
filesystem, in the way it accesses a directory with broken indexing. This flaw
allows a local user to crash the system if the directory exists. The highest
threat from this vulnerability is to system availability (CVE-2020-14314).
For other upstream fixes and changes in this update, see the referenced
changelogs.
Also, the wireguard-tools package has been updated to version 1.0.20200827.
References
- https://bugs.mageia.org/show_bug.cgi?id=27215
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.15
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.16
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.17
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.18
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.19
- https://access.redhat.com/security/cve/CVE-2020-14314
- https://www.linuxkernelcves.com/cves/CVE-2020-14314
- https://www.linuxkernelcves.com/cves/CVE-2019-19448
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19448
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314
Resolution
MGASA-2020-0355 - Updated kernel and kernel-linus packages fix security vulnerabilities
SRPMS
- 7/core/kernel-5.7.19-1.mga7
- 7/core/kernel-linus-5.7.19-1.mga7
- 7/core/kmod-virtualbox-6.0.24-5.mga7
- 7/core/kmod-xtables-addons-3.10-3.mga7
- 7/core/wireguard-tools-1.0.20200827-1.mga7
Severity
Publication date: 30 Aug 2020
URL: https://advisories.mageia.org/MGASA-2020-0355.html
Type: security
CVE: CVE-2019-19448,
CVE-2020-14314
News
HOWTOs
Features
Guide to Web Application Penetration Testing
Thank You for Participating in Our Security Dashboard Redesign Survey
Web App Vs. Progressive Web App: How Are They Different?
Interview with Guardian Digital CEO Dave Wreski: Open Source Utilization in Email Security Solutions & More
Email Security FAQs Answered by Guardian Digital
About Us
Powered By
