Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Mageia 7: MGASA-2021-0058 Moderate: SCSI XCOPY Attack Exploit

mageia
Calendar Grey January 29, 2021
Dist Mageia Esm H88
Kernel-linus patch MGASA-2021-0059 addresses vulnerabilities in network protocols, fortifying overall system integrity.
This kernel-linus update is based on upstream 5.10.11 and fixes atleast the following security issue: SCSI “EXTENDED COPY” (XCOPY) requests sent to a Linux SCSI target (LIO) a...

Summary

This kernel-linus update is based on upstream 5.10.11 and fixes atleast the following security issue:
SCSI “EXTENDED COPY” (XCOPY) requests sent to a Linux SCSI target (LIO) allow an attacker to read or write anywhere on any LIO backstore configured on the host, provided the attacker has access to one LUN and knowledge of the victim backstore’s vpd_unit_serial (AKA “wwn”). This is possible regardless of the transport/HBA settings for the victim backstore (CVE-2020-28374).
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS (CVE-2021-3178).
It also adds the following fix: - fix up kernel-devel packages to not cause errors during dkms installs (mga#27080)

References

- https://bugs.mageia.org/show_bug.cgi?id=28164

- https://bugs.mageia.org/show_bug.cgi?id=27080

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.7

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.8

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.9

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.10

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.11

- https://www.cve.org/CVERecord?id=CVE-2020-28374

- https://www.cve.org/CVERecord?id=CVE-2021-3178

Resolution

SRPMS

- 7/core/kernel-linus-5.10.11-1.mga7

Publication date: 29 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0058.html
Type: security
CVE: CVE-2020-28374, CVE-2021-3178

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here