Debian Stretch OpenStack images changelog

9.11.6-20191229

Updates in 1 source package(s), 2 binary package(s):

  Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64
  openssl1.0 (1.0.2u-1~deb9u1) stretch-security; urgency=medium

    * Import 1.0.2u
      - CVE-2019-1551 (Overflow in the x86_64 Montgomery squaring procedure).

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Dec 2019 14:56:35 +0000

9.11.5-20191113

Updates in 2 source package(s), 8 binary package(s):

  Source linux, binaries: linux-image-4.9.0-11-amd64:amd64 linux-image-4.9.0-11-arm64:arm64
  linux (4.9.189-3+deb9u2) stretch-security; urgency=high

    * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
      - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
      - x86/msr: Add the IA32_TSX_CTRL MSR
      - x86/cpu: Add a helper function x86_read_arch_cap_msr()
      - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
      - x86/speculation/taa: Add mitigation for TSX Async Abort
      - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
      - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
      - x86/tsx: Add "auto" option to the tsx= cmdline parameter
      - x86/speculation/taa: Add documentation for TSX Async Abort
      - x86/tsx: Add config options to set tsx=on|off|auto
      - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
      TSX is now disabled by default; see Documentation/hw-vuln/tsx_async_abort.rst
    * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
      (aka iTLB multi-hit, CVE-2018-12207):
      - KVM: x86: simplify ept_misconfig
      - KVM: x86: extend usage of RET_MMIO_PF_* constants
      - KVM: MMU: drop vcpu param in gpte_access
      - kvm: Convert kvm_lock to a mutex
      - kvm: x86: Do not release the page inside mmu_set_spte()
      - KVM: x86: make FNAME(fetch) and __direct_map more similar
      - KVM: x86: remove now unneeded hugepage gfn adjustment
      - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
      - KVM: x86: Add is_executable_pte()
      - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
      - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
      - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
      - cpu/speculation: Uninline and export CPU mitigations helpers
      - kvm: mmu: ITLB_MULTIHIT mitigation
      - kvm: Add helper function for creating VM worker threads
      - kvm: x86: mmu: Recovery of shattered NX large pages
      - Documentation: Add ITLB_MULTIHIT documentation
    * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
      - drm/i915: kick out cmd_parser specific structs from i915_drv.h
      - drm/i915: cleanup use of INSTR_CLIENT_MASK
      - drm/i915: return EACCES for check_cmd() failures
      - drm/i915: don't whitelist oacontrol in cmd parser
      - drm/i915: Use the precomputed value for whether to enable command parsing
      - drm/i915/cmdparser: Limit clflush to active cachelines
      - drm/i915/gtt: Add read only pages to gen8_pte_encode
      - drm/i915/gtt: Read-only pages for insert_entries on bdw+
      - drm/i915/gtt: Disable read-only support under GVT
      - drm/i915: Prevent writing into a read-only object via a GGTT mmap
      - drm/i915/cmdparser: Check reg_table_count before derefencing.
      - drm/i915/cmdparser: Do not check past the cmd length.
      - drm/i915: Silence smatch for cmdparser
      - drm/i915: Move engine->needs_cmd_parser to engine->flags
      - drm/i915: Rename gen7 cmdparser tables
      - drm/i915: Disable Secure Batches for gen6+
      - drm/i915: Remove Master tables from cmdparser
      - drm/i915: Add support for mandatory cmdparsing
      - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
      - drm/i915: Allow parsing of unsized batches
      - drm/i915: Add gen9 BCS cmdparsing
      - drm/i915/cmdparser: Use explicit goto for error paths
      - drm/i915/cmdparser: Add support for backward jumps
      - drm/i915/cmdparser: Ignore Length operands during command matching
      - drm/i915/cmdparser: Fix jump whitelist clearing
    * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
      - drm/i915: Lower RM timeout to avoid DSI hard hangs
      - drm/i915/gen8+: Add RC6 CTX corruption WA
    * drm/i915: Avoid ABI change for CVE-2019-0155

  Source file, binaries: file:amd64 libmagic-mgc:amd64 libmagic1:amd64 file:arm64 libmagic-mgc:arm64 libmagic1:arm64
  file (1:5.30-1+deb9u3) stretch-security; urgency=high

    * Cherry-pick commit to restrict the number of CDF_VECTOR elements.
      Closes: #942830 [CVE-2019-18218]

 -- Steve McIntyre <93sam@debian.org>  Thu, 14 Nov 2019 16:42:48 +0000

9.11.4-20191015

Updates in 1 source package(s), 2 binary package(s):

  Source sudo, binaries: sudo:amd64 sudo:arm64
  sudo (1.8.19p1-2.1+deb9u1) stretch-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Treat an ID of -1 as invalid since that means "no change" (CVE-2019-14287)
    * Fix test failure in plugins/sudoers/regress/testsudoers/test5.sh

 -- Steve McIntyre <93sam@debian.org>  Tue, 15 Oct 2019 18:31:41 +0100

9.11.3-20191003

Updates in 3 source package(s), 14 binary package(s):

  Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64
  openssl (1.1.0l-1~deb9u1) stretch-security; urgency=medium

    * Import 1.1.0l
      - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP construction).
      - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey).

  Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64
  openssl1.0 (1.0.2t-1~deb9u1) stretch-security; urgency=medium

    * Import 1.0.2t
      - CVE-2019-1547 (Compute ECC cofactors if not provided during EC_GROUP construction).
      - CVE-2019-1563 (Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey).

  Source e2fsprogs, binaries: e2fslibs:amd64 e2fsprogs:amd64 libcomerr2:amd64 libss2:amd64 e2fslibs:arm64 e2fsprogs:arm64 libcomerr2:arm64 libss2:arm64
  e2fsprogs (1.43.4-2+deb9u1) stretch-security; urgency=high

    * Fix CVE-2019-5094: potential buffer overrun in e2fsck (Closes: #941139)

 -- Steve McIntyre <93sam@debian.org>  Fri, 04 Oct 2019 18:22:52 +0100

9.11.2-20190926

Updates in 1 source package(s), 2 binary package(s):

  Source linux, binaries: linux-image-4.9.0-11-amd64:amd64 linux-image-4.9.0-11-arm64:arm64
  linux (4.9.189-3+deb9u1) stretch-security; urgency=high

    * vhost: make sure log_num < in_num (CVE-2019-14835)
    * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
    * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term (CVE-2019-15118)
    * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
    * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)

 -- Steve McIntyre <93sam@debian.org>  Thu, 26 Sep 2019 05:52:52 +0100

9.11.1-20190923

Updates in 2 source package(s), 4 binary package(s):

  Source tzdata, binaries: tzdata:amd64 tzdata:arm64
  tzdata (2019c-0+deb9u1) stretch; urgency=medium

    * New upstream version, affecting the following future timestamps:
      - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12
        instead of 2019-11-03 and 2020-01-19.
      - Norfolk Island will observe Australian-style DST starting in
        spring 2019. The first transition is on 2019-10-06.

  Source expat, binaries: libexpat1:amd64 libexpat1:arm64
  expat (2.2.0-2+deb9u3) stretch-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * xmlparse.c: Deny internal entities closing the doctype
      (CVE-2019-15903) (Closes: #939394)

 -- Steve McIntyre <93sam@debian.org>  Mon, 23 Sep 2019 16:41:52 -0700

9.11.0

First build for 9.11.0 release

 -- Steve McIntyre <93sam@debian.org>  Mon, 09 Sep 2019 10:57:54 +0100