Hi,

together with Raphaël Hertzog, Moritz Mühlenhoff, Ben Hutchings and Raphael Geissert I've prepared updated linux-2.6 packages using the latest 2.6.32.64 upstream release.

The upload fixes the following CVEs:

CVE-2012-4461 CVE-2012-4508 CVE-2012-6657 CVE-2013-1796 CVE-2013-1798
CVE-2013-4587 CVE-2013-6367 CVE-2014-4508 CVE-2014-4653 CVE-2014-4654
CVE-2014-4655 CVE-2014-4943 CVE-2014-5077 CVE-2014-5471 CVE-2014-5472

Packages are available at http://layer-acht.org/squeeze9/

Please test and report feedback!

cheers,
Holger

linux-2.6 (2.6.32-48squeeze9) squeeze-lts; urgency=medium

  * Security upload by the Debian LTS team with support from the Debian Kernel and Security Teams.
  * New upstream stable release 2.6.32.64, see https://lkml.org/lkml/2014/11/23/181 for more information.

  [ Raphaël Hertzog ]
  * The following upstream releases include many security fixes which were already shipped in previous Debian releases.
  * Add stable release 2.6.32.61:
    - Revert "pcdp: use early_ioremap/early_iounmap to access pcdp table"
    - Revert "block: improve queue_should_plug() by looking at IO depths"
    - 2.6.32.y: timekeeping: Fix nohz issue with commit 61b76840ddee647c0c223365378c3f394355b7d7
    - clockevents: Don't allow dummy broadcast timers
    - posix-cpu-timers: Fix nanosleep task_struct leak
    - timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
    - tick: Cleanup NOHZ per cpu data on cpu down
    - kbuild: Fix gcc -x syntax
    - gen_init_cpio: avoid stack overflow when expanding
    - usermodehelper: introduce umh_complete(sub_info)
    - usermodehelper: implement UMH_KILLABLE
    - usermodehelper: ____call_usermodehelper() doesn't need do_exit()
    - kmod: introduce call_modprobe() helper
    - kmod: make __request_module() killable
    - exec: do not leave bprm->interp on stack
    - exec: use -ELOOP for max recursion depth
    - signal: always clear sa_restorer on execve
    - ptrace: ptrace_resume() shouldn't wake up !TASK_TRACED thread
    - ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()
    - ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL
    - ptrace: Fix ptrace when task is in task_is_stopped() state
    - kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    - signal: Define __ARCH_HAS_SA_RESTORER so we know whether to clear sa_restorer
    - kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER
    - wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task
    - coredump: prevent double-free on an error path in core dumper
    - kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()
    - ring-buffer: Fix race between integrity check and readers
    - genalloc: stop crashing the system when destroying a pool
    - kernel/resource.c: fix stack overflow in __reserve_region_with_split()
    - Driver core: treat unregistered bus_types as having no devices
    - cgroup: remove incorrect dget/dput() pair in cgroup_create_dir()
    - Fix a dead loop in async_synchronize_full()
    - tracing: Don't call page_to_pfn() if page is NULL
    - tracing: Fix double free when function profile init failed
    - hugetlb: fix resv_map leak in error path
    - mm: fix vma_resv_map() NULL pointer
    - mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
    - mm: bugfix: set current->reclaim_state to NULL while returning from kswapd()
    - mm: fix invalidate_complete_page2() lock ordering
    - mempolicy: fix a race in shared_policy_replace()
    - ALSA: hda - More ALC663 fixes and support of compatible chips
    - ALSA: hda - Add a pin-fix for FSC Amilo Pi1505
    - ALSA: seq: Fix missing error handling in snd_seq_timer_open()
    - ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new()
    - x86, ioapic: initialize nr_ioapic_registers early in mp_register_ioapic()
    - x86: Don't use the EFI reboot method by default
    - x86, random: make ARCH_RANDOM prompt if EMBEDDED, not EXPERT
    - x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.
    - x86/msr: Add capabilities check
    - x86/mm: Check if PUD is large when validating a kernel address
    - x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates
    - xen/bootup: allow read_tscp call for Xen PV guests.
    - xen/bootup: allow {read|write}_cr8 pvops call.
    - KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    - KVM: x86: relax MSR_KVM_SYSTEM_TIME alignment check
    - KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    - KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461)
    - MCE: Fix vm86 handling for 32bit mce handler
    - ACPI / cpuidle: Fix NULL pointer issues when cpuidle is disabled
    - alpha: Add irongate_io to PCI bus resources
    - PARISC: fix user-triggerable panic on parisc
    - serial: 8250, increase PASS_LIMIT
    - drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
    - w1: fix oops when w1_search is called from netlink connector
    - staging: comedi: ni_labpc: correct differential channel sequence for AI commands
    - staging: comedi: ni_labpc: set up command4 register *after* command3
    - staging: comedi: comedi_test: fix race when cancelling command
    - staging: comedi: fix memory leak for saved channel list
    - staging: comedi: s626: don't dereference insn->data
    - staging: comedi: jr3_pci: fix iomem dereference
    - staging: comedi: don't dereference user memory for INSN_INTTRIG
    - staging: comedi: check s->async for poll(), read() and write()
    - staging: comedi: das08: Correct AO output for das08jr-16-ao
    - staging: vt6656: [BUG] out of bound array reference in RFbSetPower.
    - libata: fix Null pointer dereference on disk error
    - scsi: Silence unnecessary warnings about ioctl to partition
    - scsi: use __uX types for headers exported to user space
    - fix crash in scsi_dispatch_cmd()
    - SCSI: bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload
    - keys: fix race with concurrent install_user_keyrings()
    - crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption
    - xfrm_user: fix info leak in copy_to_user_state()
    - xfrm_user: fix info leak in copy_to_user_policy()
    - xfrm_user: fix info leak in copy_to_user_tmpl()
    - xfrm_user: return error pointer instead of NULL
    - xfrm_user: return error pointer instead of NULL #2
    - r8169: correct settings of rtl8102e.
    - r8169: remove the obsolete and incorrect AMD workaround
    - r8169: Add support for D-Link 530T rev C1 (Kernel Bug 38862)
    - r8169: incorrect identifier for a 8168dp
    - b43legacy: Fix crash on unload when firmware not available
    - tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode
    - IPoIB: Fix use-after-free of multicast object
    - telephony: ijx: buffer overflow in ixj_write_cid()
    - Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
    - Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
    - Bluetooth: RFCOMM - Fix info leak via getsockname()
    - Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
    - Bluetooth: L2CAP - Fix info leak via getsockname()
    - Bluetooth: fix possible info leak in bt_sock_recvmsg()
    - xhci: Make handover code more robust
    - USB: EHCI: go back to using the system clock for QH unlinks
    - USB: whiteheat: fix memory leak in error path
    - USB: serial: Fix memory leak in sierra_release()
    - USB: mos7840: fix urb leak at release
    - USB: mos7840: fix port-device leak in error path
    - USB: garmin_gps: fix memory leak on disconnect
    - USB: io_ti: Fix NULL dereference in chase_port()
    - USB: cdc-wdm: fix buffer overflow
    - USB: serial: ftdi_sio: Handle the old_termios == 0 case e.g. uart_resume_port()
    - USB: ftdi_sio: Quiet sparse noise about using plain integer was NULL pointer
    - epoll: prevent missed events on EPOLL_CTL_MOD
    - fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
    - fs/fscache/stats.c: fix memory leak
    - sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
    - tmpfs: fix use-after-free of mempolicy object
    - jbd: Delay discarding buffers in journal_unmap_buffer
    - jbd: Fix assertion failure in commit code due to lacking transaction credits
    - jbd: Fix lock ordering bug in journal_unmap_buffer()
    - ext4: Fix fs corruption when make_indexed_dir() fails
    - ext4: don't dereference null pointer when make_indexed_dir() fails
    - ext4: Fix max file size and logical block counting of extent format file
    - ext4: fix memory leak in ext4_xattr_set_acl()'s error path
    - ext4: online defrag is not supported for journaled files
    - ext4: always set i_op in ext4_mknod()
    - ext4: fix fdatasync() for files with only i_size changes
    - ext4: lock i_mutex when truncating orphan inodes
    - ext4: fix race in ext4_mb_add_n_trim()
    - ext4: limit group search loop for non-extent files
    - CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
    - ext4: make orphan functions be no-op in no-journal mode
    - ext4: avoid hang when mounting non-journal filesystems with orphan list
    - udf: fix memory leak while allocating blocks during write
    - udf: avoid info leak on export
    - udf: Fix bitmap overflow on large filesystems with small block size
    - fs/cifs/cifs_dfs_ref.c: fix potential memory leakage
    - isofs: avoid info leak on export
    - fat: Fix stat->f_namelen
    - NLS: improve UTF8 -> UTF16 string conversion routine
    - hfsplus: fix potential overflow in hfsplus_file_truncate()
    - btrfs: use rcu_barrier() to wait for bdev puts at unmount
    - kernel panic when mount NFSv4
    - nfsd4: fix oops on unusual readlike compound
    - net/core: Fix potential memory leak in dev_set_alias()
    - net: reduce net_rx_action() latency to 2 HZ
    - softirq: reduce latencies
    - af_packet: remove BUG statement in tpacket_destruct_skb
    - bridge: set priority of STP packets
    - bonding: Fix slave selection bug.
    - ipv4: check rt_genid in dst_check
    - net_sched: gact: Fix potential panic in tcf_gact().
    - net: sched: integer overflow fix
    - net: prevent setting ttl=0 via IP_TTL
    - net: fix divide by zero in tcp algorithm illinois
    - net: guard tcp_set_keepalive() to tcp sockets
      Fixes CVE-2012-6657
    - net: fix info leak in compat dev_ifconf()
    - inet: add RCU protection to inet->opt
    - tcp: allow splice() to build full TSO packets
    - tcp: fix MSG_SENDPAGE_NOTLAST logic
    - tcp: preserve ACK clocking in TSO
    - unix: fix a race condition in unix_release()
    - dcbnl: fix various netlink info leaks
    - sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
    - net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
    - net: sctp: sctp_endpoint_free: zero out secret key data
    - net: sctp: sctp_auth_key_put: use kzfree instead of kfree
    - ipv6: discard overlapping fragment
    - ipv6: make fragment identifications less predictable
    - netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
    - ipvs: allow transmit of GRO aggregated skbs
    - ipvs: IPv6 MTU checking cleanup and bugfix
    - ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
    - atm: update msg_namelen in vcc_recvmsg()
    - atm: fix info leak via getsockname()
    - atm: fix info leak in getsockopt(SO_ATMPVC)
    - ax25: fix info leak via msg_name in ax25_recvmsg()
    - isdnloop: fix and simplify isdnloop_init()
    - iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
    - llc: fix info leak via getsockname()
    - llc: Fix missing msg_namelen update in llc_ui_recvmsg()
    - rds: set correct msg_namelen
    - rose: fix info leak via msg_name in rose_recvmsg()
    - irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
    - tipc: fix info leaks via msg_name in recv_msg/recv_stream
    - mpt2sas: Send default descriptor for RAID pass through in mpt2ctl
    - x86, ptrace: fix build breakage with gcc 4.7
  * Add stable release 2.6.32.62:
    - scsi: fix missing include linux/types.h in scsi_netlink.h
    - Fix lockup related to stop_machine being stuck in __do_softirq.
    - Revert "x86, ptrace: fix build breakage with gcc 4.7"
    - x86, ptrace: fix build breakage with gcc 4.7 (second try)
    - ipvs: fix CHECKSUM_PARTIAL for TCP, UDP
    - intel-iommu: Flush unmaps at domain_exit
    - staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice
    - kernel/kmod.c: check for NULL in call_usermodehelper_exec()
    - cciss: fix info leak in cciss_ioctl32_passthru()
    - cpqarray: fix info leak in ida_locked_ioctl()
    - drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
    - sctp: deal with multiple COOKIE_ECHO chunks
    - sctp: Use correct sideffect command in duplicate cookie handling
    - ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    - af_key: fix info leaks in notify messages
    - af_key: initialize satype in key_notify_policy_flush()
    - block: do not pass disk names as format strings
    - b43: stop format string leaking into error msgs
    - HID: validate HID report id size
    - HID: zeroplus: validate output report details
    - HID: pantherlord: validate output report details
    - HID: LG: validate HID output report details
    - HID: check for NULL field when setting values
    - HID: provide a helper for validating hid reports
    - crypto: api - Fix race condition in larval lookup
    - ipv6: tcp: fix panic in SYN processing
    - tcp: must unclone packets before mangling them
    - net: do not call sock_put() on TIMEWAIT sockets
    - net: heap overflow in __audit_sockaddr()
    - proc connector: fix info leaks
    - can: dev: fix nlmsg size calculation in can_get_size()
    - net: vlan: fix nlmsg size calculation in vlan_get_size()
    - farsync: fix info leak in ioctl
    - connector: use nlmsg_len() to check message length
    - net: dst: provide accessor function to dst->xfrm
    - sctp: Use software crc32 checksum when xfrm transform will happen.
    - sctp: Perform software checksum if packet has to be fragmented.
    - wanxl: fix info leak in ioctl
    - davinci_emac.c: Fix IFF_ALLMULTI setup
    - resubmit bridge: fix message_age_timer calculation
    - ipv6 mcast: use in6_dev_put in timer handlers instead of __in6_dev_put
    - ipv4 igmp: use in_dev_put in timer handlers instead of __in_dev_put
    - dm9601: fix IFF_ALLMULTI handling
    - bonding: Fix broken promiscuity reference counting issue
    - ll_temac: Reset dma descriptors indexes on ndo_open
    - tcp: fix tcp_md5_hash_skb_data()
    - ipv6: fix possible crashes in ip6_cork_release()
    - ip_tunnel: fix kernel panic with icmp_dest_unreach
    - net: sctp: fix NULL pointer dereference in socket destruction
    - packet: packet_getname_spkt: make sure string is always 0-terminated
    - neighbour: fix a race in neigh_destroy()
    - net: Swap ver and type in pppoe_hdr
    - sunvnet: vnet_port_remove must call unregister_netdev
    - ifb: fix rcu_sched self-detected stalls
    - dummy: fix oops when loading the dummy failed
    - ifb: fix oops when loading the ifb failed
    - vlan: fix a race in egress prio management
    - arcnet: cleanup sizeof parameter
    - sysctl net: Keep tcp_syn_retries inside the boundary
    - sctp: fully initialize sctp_outq in sctp_outq_init
    - net_sched: Fix stack info leak in cbq_dump_wrr().
    - af_key: more info leaks in pfkey messages
    - net_sched: info leak in atm_tc_dump_class()
    - htb: fix sign extension bug
    - net: check net.core.somaxconn sysctl values
    - tcp: cubic: fix bug in bictcp_acked()
    - ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match
    - ipv6: remove max_addresses check from ipv6_create_tempaddr
    - ipv6: drop packets with multiple fragmentation headers
    - ipv6: Don't depend on per socket memory for neighbour discovery messages
    - ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - tipc: fix lockdep warning during bearer initialization
    - net: Fix "ip rule delete table 256"
    - ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - random32: fix off-by-one in seeding requirement
    - bonding: fix two race conditions in bond_store_updelay/downdelay
    - isdnloop: use strlcpy() instead of strcpy()
    - ipv4: fix possible seqlock deadlock
    - inet: prevent leakage of uninitialized memory to user in recv syscalls
    - net: rework recvmsg handler msg_name and msg_namelen logic
    - net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct sockaddr_storage)
    - inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions
    - net: clamp ->msg_namelen instead of returning an error
    - ipv6: fix leaking uninitialized port number of offender sockaddr
    - atm: idt77252: fix dev refcnt leak
    - net: core: Always propagate flag changes to interfaces
    - bridge: flush br's address entry in fdb when remove the bridge dev
    - inet: fix possible seqlock deadlocks
    - ipv6: fix possible seqlock deadlock in ip6_finish_output2
    - {pktgen, xfrm} Update IPv4 header total len and checksum after tranformation
    - net: drop_monitor: fix the value of maxattr
    - net: unix: allow bind to fail on mutex lock
    - drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
    - hamradio/yam: fix info leak in ioctl
    - rds: prevent dereference of a NULL device
    - net: rose: restore old recvmsg behavior
    - net: llc: fix use after free in llc_ui_recvmsg
    - inet_diag: fix inet_diag_dump_icsk() timewait socket state logic
    - net: fix 'ip rule' iif/oif device rename
    - tg3: Fix deadlock in tg3_change_mtu()
    - bonding: 802.3ad: make aggregator_identifier bond-private
    - net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode
    - virtio-net: alloc big buffers also when guest can receive UFO
    - tg3: Don't check undefined error bits in RXBD
    - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    - net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
    - net: socket: error on a negative msg_namelen
    - netlink: don't compare the nul-termination in nla_strcmp
    - isdnloop: several buffer overflows
    - rds: prevent dereference of a NULL device in rds_iw_laddr_check
    - isdnloop: Validate NUL-terminated strings from user.
    - sctp: unbalanced rcu lock in ip_queue_xmit()
    - aacraid: prevent invalid pointer dereference
    - ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
    - inet: fix possible memory corruption with UDP_CORK and UFO
    - vm: add vm_iomap_memory() helper function
    - Fix a few incorrectly checked [io_]remap_pfn_range() calls
    - libertas: potential oops in debugfs
    - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
    - gianfar: disable TX vlan based on kernel 2.6.x
    - powernow-k6: set transition latency value so ondemand governor can be used
    - powernow-k6: disable cache when changing frequency
    - powernow-k6: correctly initialize default parameters
    - powernow-k6: reorder frequencies
    - tcp: fix tcp_trim_head() to adjust segment count with skb MSS
    - tcp_cubic: limit delayed_ack ratio to prevent divide error
    - tcp_cubic: fix the range of delayed_ack
    - n_tty: Fix n_tty_write crash when echoing in raw mode
    - exec/ptrace: fix get_dumpable() incorrect tests
    - ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    - dm snapshot: fix data corruption
    - crypto: ansi_cprng - Fix off by one error in non-block size request
    - uml: check length in exitcode_proc_write()
    - KVM: Improve create VCPU parameter (CVE-2013-4587)
    - KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
    - qeth: avoid buffer overflow in snmp ioctl
    - xfs: underflow bug in xfs_attrlist_by_handle()
    - aacraid: missing capable() check in compat ioctl
    - SELinux: Fix kernel BUG on empty security contexts.
    - s390: fix kernel crash due to linkage stack instructions
    - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
    - floppy: ignore kernel-only members in FDRAWCMD ioctl input
    - floppy: don't write kernel-only members to FDRAWCMD ioctl output
  * Add stable release 2.6.32.63:
    - ethtool: Report link-down while interface is down
    - futex: Add another early deadlock detection check
    - futex: Prevent attaching to kernel threads
    - futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
    - futex: Validate atomic acquisition in futex_lock_pi_atomic()
    - futex: Always cleanup owner tid in unlock_pi
    - futex: Make lookup_pi_state more robust
    - auditsc: audit_krule mask accesses need bounds checking
    - net: fix regression introduced in 2.6.32.62 by sysctl fixes
  * Add stable release 2.6.32.64:
    - x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
    - x86_32, entry: Store badsys error code in %eax
    - x86_32, entry: Clean up sysenter_badsys declaration
    - MIPS: Cleanup flags in syscall flags handlers.
    - MIPS: asm: thread_info: Add _TIF_SECCOMP flag
    - fix autofs/afs/etc. magic mountpoint breakage
    - ALSA: control: Make sure that id->index does not overflow
    - ALSA: control: Handle numid overflow
    - sctp: Fix sk_ack_backlog wrap-around problem
    - mm: try_to_unmap_cluster() should lock_page() before mlocking
    - filter: prevent nla extensions to peek beyond the end of the message
    - ALSA: control: Protect user controls against concurrent access
    - ptrace,x86: force IRET path after a ptrace_stop()
    - sym53c8xx_2: Set DID_REQUEUE return code when aborting squeue
    - tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb
    - igmp: fix the problem when mc leave group
    - appletalk: Fix socket referencing in skb
    - net: sctp: fix information leaks in ulpevent layer
    - sunvnet: clean up objects created in vnet_new() on vnet_exit()
    - ipv4: fix buffer overflow in ip_options_compile()
    - net: sctp: inherit auth_capable on INIT collisions
      Fixes CVE-2014-5077
    - net: sendmsg: fix NULL pointer dereference
    - tcp: Fix integer-overflows in TCP veno
    - tcp: Fix integer-overflow in TCP vegas
    - macvlan: Initialize vlan_features to turn on offload support.
    - net: Correctly set segment mac_len in skb_segment().
    - iovec: make sure the caller actually wants anything in memcpy_fromiovecend
    - sctp: fix possible seqlock seadlock in sctp_packet_transmit()
    - Revert "nfsd: correctly handle return value from nfsd_map_name_to_*"
    - dm crypt: fix access beyond the end of allocated space
    - gianfar: disable vlan tag insertion by default
    - USB: kobil_sct: fix non-atomic allocation in write path
    - fix misuses of f_count() in ppp and netlink
    - net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
    - tty: Fix high cpu load if tty is unreleaseable
    - netfilter: nf_log: account for size of NLMSG_DONE attribute
    - netfilter: nfnetlink_log: fix maximum packet length logged to userspace
    - ring-buffer: Always reset iterator to reader page
    - md/raid6: avoid data corruption during recovery of double-degraded RAID6
    - net: pppoe: use correct channel MTU when using Multilink PPP
    - ARM: 7668/1: fix memset-related crashes caused by recent GCC (4.7.2) optimizations
    - ARM: 7670/1: fix the memset fix
    - lib/lzo: Update LZO compression to current upstream version
    - Documentation: lzo: document part of the encoding
    - lzo: check for length overrun in variable length encoding.
    - USB: add new zte 3g-dongle's pid to option.c
    - futex: Unlock hb->lock in futex_wait_requeue_pi() error path
    - isofs: Fix unbounded recursion when processing relocated directories
      Fixes CVE-2014-5471 CVE-2014-5472
    - sctp: not send SCTP_PEER_ADDR_CHANGE notifications with failed probe
  * Update the OpenVZ patch to apply on top of 2.6.32.64. Non-trivial changes in net/ipv4/tcp_output.c.

  [ Holger Levsen ]
  * CVE-2014-4653: ALSA: control: Ensure possession of a read/write lock.
  * CVE-2014-4654: ALSA: control: Check authorization for commands.
  * CVE-2014-4655: ALSA: control: Maintain the user_ctl_count value properly.
  * Ignore ABI change of module:drivers/scsi/osd/libosd by listing it in debian/config/defines

  [ Raphael Geissert ]
  * CVE-2014-4943: net: ppol2tp: don't fall back on UDP [get|set]sockopt

 -- Holger Levsen <hol...@debian.org>  Sun, 30 Nov 2014 15:57:49 +0100