Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 620
Alerts This Week
Warning Icon 1 620

Mageia 8: MGASA-2021-0398 Moderate: Kernel-Linus BPF Memory Exposure

mageia
Calendar Grey August 7, 2021
Dist Mageia Esm H88
Kernel-linus upgrade MGASA-2021-0399 tackles significant vulnerabilities within Mageia, boosting overall system security and resilience.
This kernel-linus update is based on upstream 5.10.56 and fixes atleast the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain s...

Summary

This kernel-linus update is based on upstream 5.10.56 and fixes atleast the following security issues:
In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (CVE-2021-34556).
In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value (CVE-2021-35477).
For other upstream fixes, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=29313

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.53

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.54

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.55

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.56

- https://www.cve.org/CVERecord?id=CVE-2021-34556

- https://www.cve.org/CVERecord?id=CVE-2021-35477

Resolution

SRPMS

- 8/core/kernel-linus-5.10.56-1.mga8

Publication date: 07 Aug 2021
URL: https://advisories.mageia.org/MGASA-2021-0398.html
Type: security
CVE: CVE-2021-34556, CVE-2021-35477

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.