You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa kpatch-patch

Sigurnosni nedostaci programskog paketa kpatch-patch

by - 0

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kpatch-patch security update
Advisory ID: RHSA-2019:3076-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3076
Issue date: 2019-10-15
CVE Names: CVE-2018-20856 CVE-2019-3846 CVE-2019-9506
CVE-2019-10126
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) – ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: Use-after-free in __blk_drain_queue() function in
block/blk-core.c (CVE-2018-20856)

* kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in
marvell/mwifiex/scan.c (CVE-2019-3846)

* hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB)
(CVE-2019-9506)

* kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in
drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1713059 – CVE-2019-3846 kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c
1716992 – CVE-2019-10126 kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c
1727857 – CVE-2019-9506 hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB)
1738705 – CVE-2018-20856 kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
kpatch-patch-3_10_0-1062-1-5.el7.src.rpm
kpatch-patch-3_10_0-1062_1_1-1-4.el7.src.rpm
kpatch-patch-3_10_0-1062_1_2-1-3.el7.src.rpm

ppc64le:
kpatch-patch-3_10_0-1062-1-5.el7.ppc64le.rpm
kpatch-patch-3_10_0-1062-debuginfo-1-5.el7.ppc64le.rpm
kpatch-patch-3_10_0-1062_1_1-1-4.el7.ppc64le.rpm
kpatch-patch-3_10_0-1062_1_1-debuginfo-1-4.el7.ppc64le.rpm
kpatch-patch-3_10_0-1062_1_2-1-3.el7.ppc64le.rpm
kpatch-patch-3_10_0-1062_1_2-debuginfo-1-3.el7.ppc64le.rpm

x86_64:
kpatch-patch-3_10_0-1062-1-5.el7.x86_64.rpm
kpatch-patch-3_10_0-1062-debuginfo-1-5.el7.x86_64.rpm
kpatch-patch-3_10_0-1062_1_1-1-4.el7.x86_64.rpm
kpatch-patch-3_10_0-1062_1_1-debuginfo-1-4.el7.x86_64.rpm
kpatch-patch-3_10_0-1062_1_2-1-3.el7.x86_64.rpm
kpatch-patch-3_10_0-1062_1_2-debuginfo-1-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-20856
https://access.redhat.com/security/cve/CVE-2019-3846
https://access.redhat.com/security/cve/CVE-2019-9506
https://access.redhat.com/security/cve/CVE-2019-10126
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXaYGz9zjgjWX9erEAQjmog/7Bl5IwoBvnTEMCcihDS8qLZaNP/Bk69mC
FVs0t7gs8R20K72LANagQzmjOfrm/C0d3AdmEmuV2iqPK8WY9XQbPXnOEVq2kGrK
659UoOinN1mFUI65TL9ZganENCQLRwrI/sU4Y756sm7wK/WaszsW0BgX+Kr3iEb6
H4CLpbnm/0EUFcWqlZxkmgYEhPzrBqWrpDrtoweaA7a+yXkL8CpEr3MDHnTbb+Mw
W1kSjhu+BtimpUCaVSm/rtIviWbY0txGexbLve3eTQdT2jI5FxLBhvzpP3Hsxrsl
01EJGEgokNDIjmPTzFqwH917UNelzeQ9JY5X7oUk6azKYbUQLbDSrcHx9XISI17q
ACw60YsW1dv51GLUzg/+oq6Il8mZXE6PGTfLUulbHXFPy+j082l9DM0KV+E1I61u
YB4l66H5hSobySjZFpQ80BMcz4W/InbqYP+H7ZOphLmhUW4p5IJ8bsFbub5B3Vgx
ksAY8u0aeDvLgkJuyi+ug2o7BYQyZnMszEJQJR9Zr2fJLjYuI8Qr3i07mUR1dJSa
Uj+rAVnkXiM0YPn6hnk+os003H+POOCFxqt/e3JwaAy0EClbsi9pDtWIHT47JF8x
+X10XUgqyhyErPJEiMwlPndHGCqC3O3O2C4Yt6hMBm5lNuMwy4TRmJ7m1DzO1EmE
xj2lH6U9FbQ=
=/2Qu
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostaci jezgre operacijskog sustava

Otkriveni su sigurnosni nedostaci jezgre operacijskog sustava RHEL. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja, izvršavanje proizvoljnog programskog koda,...

Close