Updated kernel and kmod packages fix security vulnerabilities
Publication date: 29 Dec 2016Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-8399 , CVE-2016-9576 , CVE-2016-9794
Description
This update is based on upstream 4.4.39 and fixes at least the following
security issues:
Due to lack of size checking on ICMP header length, it is possible to
cause out-of-bounds read on stack (CVE-2016-8399)
A use-after-free vulnerability in the SCSI generic driver allows users
with write access to /dev/sg* or /dev/bsg* to elevate their privileges
(CVE-2016-9576).
A use-after-free vulnerability was found in ALSA pcm layer, which allows
local users to cause a denial of service, memory corruption, or possibly
other unspecified impact (CVE-2016-9794).
Other fixes in this update:
- fix for HID gamepad DragonRise (mga#19853)
- fix for radeon driver crashing on Dell Precision M4800 (mga#19892)
For other upstream fixes in this update, see the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=19990
- https://bugs.mageia.org/show_bug.cgi?id=19892
- https://bugs.mageia.org/show_bug.cgi?id=19853
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8399
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9794
SRPMS
5/core
- kernel-4.4.39-1.mga5
- kernel-userspace-headers-4.4.39-1.mga5
- kmod-vboxadditions-5.1.10-3.1.mga5
- kmod-virtualbox-5.1.10-3.1.mga5
- kmod-xtables-addons-2.10-18.mga5