{ "schema_version": "1.6.2", "id": "MGASA-2023-0237", "published": "2023-07-19T19:53:31Z", "modified": "2023-07-26T20:17:56Z", "summary": "Updated kernel packages fix security vulnerabilities", "details": "This kernel update is based on upstream 5.15.120 and fixes atleast\nthe following security issues:\n\nA flaw null pointer dereference in the Linux kernel DECnet networking\nprotocol was found. A remote user could use this flaw to crash the\nsystem. This is fixed by removing DECnet support (CVE-2023-3338).\n\nA use-after-free vulnerability was found in the Linux kernel's netfilter\nsubsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with\nNFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same\ntransaction causing a use-after-free vulnerability. This flaw allows a\nlocal attacker with user access to cause a privilege escalation issue\n(CVE-2023-3390).\n\nLinux Kernel nftables Use-After-Free Local Privilege Escalation\nVulnerability; nft_chain_lookup_byid() failed to check whether a chain\nwas active and CAP_NET_ADMIN is in any user or network namespace \n(CVE-2023-31248).\n\nLinux Kernel nftables Out-Of-Bounds Read/Write Vulnerability;\nnft_byteorder poorly handled vm register contents when CAP_NET_ADMIN\nis in any user or network namespace (CVE-2023-35001).\n\nNOTE!!\nThis kernel also contains a fix for dkms builds hanging / stalling during\nupgrade to Mageia 9 (mga#31982) due to the new make 4.4 series utility\nending up in a loop processing Makefile in kernel-devel packages.\nSo if you use dkms packaged drivers, you need to be running this kernel\n(or any later released ones) before you do an online upgrade to avoid the\nupgrade stalling / hanging.\n\nFor other upstream fixes in this update, see the referenced changelogs.\n", "related": [ "CVE-2023-3338", "CVE-2023-3390", "CVE-2023-31248", "CVE-2023-35001" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2023-0237.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=32093" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=31982" }, { "type": "REPORT", "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.118" }, { "type": "REPORT", "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.119" }, { "type": "REPORT", "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.120" } ], "affected": [ { "package": { "ecosystem": "Mageia:8", "name": "kernel", "purl": "pkg:rpm/mageia/kernel?arch=source&distro=mageia-8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.15.120-2.mga8" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:8", "name": "kmod-virtualbox", "purl": "pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.8-1.12.mga8" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:8", "name": "kmod-xtables-addons", "purl": "pkg:rpm/mageia/kmod-xtables-addons?arch=source&distro=mageia-8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.23-1.22.mga8" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }