apticron report [Thu, 23 Aug 2018 22:38:05 +0200] ======================================================================== apticron has detected that some packages need upgrading on: quigon.federez.net [ 160.228.155.65 ] The following packages are currently pending an upgrade: linux-image-4.9.0-8-amd64 4.9.110-3+deb9u4 linux-image-amd64 4.9+80+deb9u6 linux-libc-dev 4.9.110-3+deb9u4 mutt 1.7.2-1+deb9u1 openssh-client 1:7.4p1-10+deb9u4 openssh-server 1:7.4p1-10+deb9u4 openssh-sftp-server 1:7.4p1-10+deb9u4 ======================================================================== Package Details: apt-listchanges : Lecture des fichiers de modifications (« changelog »)... apt-listchanges : journaux des modifications (« changelogs ») ------------------------------------------------------------- --- Modifications pour linux (linux-libc-dev) --- linux (4.9.110-3+deb9u4) stretch-security; urgency=high * init: rename and re-order boot_cpu_state_init() Adresses boot failures on arm* systems. (Closes: #906769) * Sync "cpu/hotplug: Boot HT siblings at least once" from 4.9.120 * Sync "cpu/hotplug: Non-SMP machines do not make use of booted_once" from 4.9.120 * Refresh features/all/rt/0157-softirq-Split-softirq-locks.patch patch. Adjust context after applying "init: rename and re-order boot_cpu_state_init()". -- Salvatore Bonaccorso <carnil(a)debian.org> Tue, 21 Aug 2018 16:50:09 +0200 linux (4.9.110-3+deb9u3) stretch-security; urgency=high [ Salvatore Bonaccorso ] * Add L1 Terminal Fault fixes (CVE-2018-3620, CVE-2018-3646) - [x86] speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT - [x86] mm: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 - [x86] speculation/l1tf: Change order of offset/type in swap entry - [x86] speculation/l1tf: Protect swap entries against L1TF - [x86] speculation/l1tf: Protect PROT_NONE PTEs against speculation - [x86] speculation/l1tf: Make sure the first page is always reserved - [x86] speculation/l1tf: Add sysfs reporting for l1tf - [x86] speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings - [x86] speculation/l1tf: Limit swap file size to MAX_PA/2 - [x86] bugs: Move the l1tf function and define pr_fmt properly - [x86] smp: Provide topology_is_primary_thread() - [x86] topology: Provide topology_smt_supported() - cpu/hotplug: Make bringup/teardown of smp threads symmetric - cpu/hotplug: Split do_cpu_down() - cpu/hotplug: Provide knobs to control SMT - [x86] cpu: Remove the pointless CPU printout - [x86] cpu/AMD: Remove the pointless detect_ht() call - [x86] cpu/common: Provide detect_ht_early() - [x86] cpu/topology: Provide detect_extended_topology_early() - [x86] cpu/intel: Evaluate smp_num_siblings early - [x86] CPU/AMD: Do not check CPUID max ext level before parsing SMP info - [x86] cpu/AMD: Evaluate smp_num_siblings early - [x86] apic: Ignore secondary threads if nosmt=force - [x86] speculation/l1tf: Extend 64bit swap file size limit - [x86] cpufeatures: Add detection of L1D cache flush support. - [x86] CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings - [x86] speculation/l1tf: Protect PAE swap entries against L1TF - [x86] speculation/l1tf: Fix up pte->pfn conversion for PAE - Revert "[x86] apic: Ignore secondary threads if nosmt=force" - cpu/hotplug: Boot HT siblings at least once - [x86] KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present - [x86] KVM/VMX: Add module argument for L1TF mitigation - [x86] KVM/VMX: Add L1D flush algorithm - [x86] KVM/VMX: Add L1D MSR based flush - [x86] KVM/VMX: Add L1D flush logic - kvm: nVMX: Update MSR load counts on a VMCS switch - [x86] KVM/VMX: Split the VMX MSR LOAD structures to have an host/guest numbers - [x86] KVM/VMX: Add find_msr() helper function - [x86] KVM/VMX: Separate the VMX AUTOLOAD guest/host number accounting - [x86] KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only MSRs - [x86] KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required - cpu/hotplug: Online siblings when SMT control is turned on - [x86] litf: Introduce vmx status variable - [x86] kvm: Drop L1TF MSR list approach - [x86] l1tf: Handle EPT disabled state proper - [x86] kvm: Move l1tf setup function - [x86] kvm: Add static key for flush always - [x86] kvm: Serialize L1D flush parameter setter - [x86] kvm: Allow runtime control of L1D flush - cpu/hotplug: Expose SMT control init function - cpu/hotplug: Set CPU_SMT_NOT_SUPPORTED early - [x86] bugs, kvm: Introduce boot-time control of L1TF mitigations - Documentation: Add section about CPU vulnerabilities - [x86] KVM/VMX: Initialize the vmx_l1d_flush_pages' content - Documentation/l1tf: Fix typos - cpu/hotplug: detect SMT disabled by BIOS - [x86] KVM/VMX: Don't set l1tf_flush_l1d to true from vmx_l1d_flush() - [x86] KVM/VMX: Replace 'vmx_l1d_flush_always' with 'vmx_l1d_flush_cond' - [x86] KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush() - [x86] irq: Demote irq_cpustat_t::__softirq_pending to u16 - [x86] KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d - [x86] Don't include linux/irq.h from asm/hardirq.h - [x86] irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d - [x86] KVM/VMX: Don't set l1tf_flush_l1d from vmx_handle_external_intr() - Documentation/l1tf: Remove Yonah processors from not vulnerable list - [x86] KVM: x86: Add a framework for supporting MSR-based features - KVM: SVM: Add MSR-based feature support for serializing LFENCE - [x86] KVM: X86: Introduce kvm_get_msr_feature() - [x86] KVM: X86: Allow userspace to define the microcode version - KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR - [x86] speculation: Simplify sysfs report of VMX L1TF vulnerability - [x86] speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry - KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry - cpu/hotplug: Fix SMT supported evaluation - [x86] speculation/l1tf: Invert all not present mappings - [x86] speculation/l1tf: Make pmd/pud_mknotpresent() invert - [x86] mm/pat: Make set_memory_np() L1TF safe - [x86] mm/kmmio: Make the tracer robust against L1TF - tools headers: Synchronise x86 cpufeatures.h for L1TF additions - [x86] microcode: Do not upload microcode if CPUs are offline - [x86] microcode: Allow late microcode loading with SMT disabled - [x86] smp: fix non-SMP broken build due to redefinition of apic_id_is_primary_thread - cpu/hotplug: Non-SMP machines do not make use of booted_once - [x86] init: fix build with CONFIG_SWAP=n - [x86] speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures - [x86] cpu/amd: Limit cpu_core_id fixup to families older than F17h - [x86] CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present - [x86] l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled - [x86] i8259: Add missing include file - [x86] speculation/l1tf: Exempt zeroed PTEs from inversion [ Yves-Alexis Perez ] * [rt] refresh 0284-cpu-rt-Rework-cpu-down-for-PREEMPT_RT and 0286-kernel-cpu-fix-cpu-down-problem-if-kthread-s-cpu-is- context after applying L1TF fixes. * [rt] update 0281-random-Make-it-work-on-rt to fix builds with recent compilers. [ Ben Hutchings ] * Bump ABI to 8 -- Salvatore Bonaccorso <carnil(a)debian.org> Sun, 19 Aug 2018 15:36:38 +0200 --- Modifications pour linux-latest (linux-image-amd64) --- linux-latest (80+deb9u6) stretch-security; urgency=high * Update to 4.9.0-8 -- Salvatore Bonaccorso <carnil(a)debian.org> Sun, 19 Aug 2018 20:28:09 +0200 --- Modifications pour mutt --- mutt (1.7.2-1+deb9u1) stretch-security; urgency=high * Initial changelog entries for security update (Closes: 904051) * Patches provided by Roberto C. Sánchez <roberto(a)debian.org> + Fix arbitrary command execution by remote IMAP servers via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription (CVE-2018-14354) + Fix arbitrary command execution by remote IMAP servers via backquote characters, related to the mailboxes command associated with an automatic subscription (CVE-2018-14357) + Fix a stack-based buffer overflow caused by imap_quote_string() not leaving room for quote characters (CVE-2018-14352) + Fix an integer underflow in imap_quote_string() (CVE-2018-14353) + Fix mishandling of zero-length UID in pop.c (CVE-2018-14356) + Fix unsafe interaction between message-cache pathnames and certain characters in pop.c (CVE-2018-14362) + Fix mishandling of ".." directory traversal in IMAP mailbox name (CVE-2018-14355) + Fix a stack-based buffer overflow for an IMAP FETCH response with a long INTERNALDATE field (CVE-2018-14350) + Fix a stack-based buffer overflow for an IMAP FETCH response with a long RFC822.SIZE field (CVE-2018-14358) + Fix mishandling of an IMAP NO response without a message (CVE-2018-14349) + Fix mishandling of long IMAP status mailbox literal count size (CVE-2018-14351) + Fix a buffer overflow via base64 data (CVE-2018-14359) + Fix a stack-based buffer overflow because of incorrect sscanf usage (CVE-2018-14360) + Fix a defect where processing continues if memory allocation fails for NNTP messages (CVE-2018-14361) * Fix unsafe interaction between message-cache pathnames and certain characters in newsrc.c (CVE-2018-14363) -- Antonio Radici <antonio(a)debian.org> Tue, 07 Aug 2018 09:48:44 +0100 --- Modifications pour openssh (openssh-client openssh-server openssh-sftp-server) --- openssh (1:7.4p1-10+deb9u4) stretch-security; urgency=high * Non-maintainer upload by the Security Team * CVE-2018-15473: fix username enumeration issue, initially reported by Dariusz Tytko and Michal Sajdak (Closes: #906236) -- Sebastien Delafond <seb(a)debian.org> Tue, 21 Aug 2018 05:14:18 +0200 ======================================================================== You can perform the upgrade by issuing the command: apt-get dist-upgrade as root on quigon.federez.net -- apticron