Debian Stretch Openstack images changelog 9.13.11-20201218 Updates in 2 source package(s), 4 binary package(s): Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64 linux (4.9.246-2) stretch-security; urgency=high * [arm64] Fix FTBFS after Xen netback fix: - arm64: Remove redundant mov from LL/SC cmpxchg - arm64: Avoid redundant type conversions in xchg() and cmpxchg() - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint - arm64: Use correct ll/sc atomic constraints Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the LTS Team. * Enable the test suite (non-fatal). * Switch to source format 3.0 (quilt), rather than having the patches in debian/patches/ but applied directly without a patch system. * Fix regression in Python 2 in the last part of CVE-2020-27783. * math-svg.patch: update expected results for the test suite. lxml (3.7.1-1+deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix -- Steve McIntyre <93sam@debian.org> Fri, 18 Dec 2020 11:42:32 +0000 9.13.10-20201217 Updates in 4 source package(s), 10 binary package(s): Source openssl, binaries: libssl1.1:amd64 openssl:amd64 libssl1.1:arm64 openssl:arm64 openssl (1.1.0l-1~deb9u2) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference. Source linux, binaries: linux-image-4.9.0-14-amd64:amd64 linux-image-4.9.0-14-arm64:arm64 linux (4.9.246-2) stretch-security; urgency=high * [arm64] Fix FTBFS after Xen netback fix: - arm64: Remove redundant mov from LL/SC cmpxchg - arm64: Avoid redundant type conversions in xchg() and cmpxchg() - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint - arm64: Use correct ll/sc atomic constraints linux (4.9.246-1) stretch-security; urgency=high * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.241 - tipc: fix the skb_unshare() in tipc_buf_append() - net/ipv4: always honour route mtu during forwarding - r8169: fix data corruption issue on RTL8402 - ALSA: bebob: potential info leak in hwdep_read() - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() - tcp: fix to update snd_wl1 in bulk receiver fast path - icmp: randomize the global rate limiter (CVE-2020-25705) - cifs: remove bogus debug code - [x86] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages - ima: Don't ignore errors from crypto_shash_update() - crypto: algif_aead - Do not set MAY_BACKLOG on the async path - [x86] EDAC/i5100: Fix error handling order in i5100_init_one() - [armhf] media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" - [armhf] media: omap3isp: Fix memleak in isp_probe - [armhf] crypto: omap-sham - fix digcnt register handling with export/ import - [armhf] media: ti-vpe: Fix a missing check and reference count leak - regulator: resolve supply after creating regulator - ath10k: provide survey info as accumulated data - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 - [arm64] ASoC: qcom: lpass-platform: fix memory leak - mwifiex: Do not use GFP_KERNEL in atomic context - [x86] drm/gma500: fix error check - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() - [x86] VMCI: check return value of get_user_pages_fast() for errors - tty: serial: earlycon dependency - pty: do tty_flip_buffer_push without port->lock in pty_write - [x86] video: fbdev: vga16fb: fix setting of pixclock because a pass-by- value error - video: fbdev: sis: fix null ptr dereference - HID: roccat: add bounds checking in kone_sysfs_write_settings() - ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() - [amd64] misc: mic: scif: Fix error handling path - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl - quota: clear padding in v2r1_mem2diskdqb() - net: enic: Cure the enic api locking trainwreck - iwlwifi: mvm: split a print to avoid a WARNING in ROC - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. - nl80211: fix non-split wiphy information - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() - mwifiex: fix double free - IB/mlx4: Fix starvation in paravirt mux/demux - IB/mlx4: Adjust delayed work when a dup is observed - mtd: lpddr: fix excessive stack usage with clang - mtd: mtdoops: Don't write panic data twice - [armel,armhf] 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values - RDMA/qedr: Fix use of uninitialized field - [x86] perf intel-pt: Fix "context_switch event has no tid" error - [arm64] RDMA/hns: Set the unsupported wr opcode - overflow: Include header file with SIZE_MAX declaration - IB/rdmavt: Fix sizeof mismatch - rapidio: fix error handling path - rapidio: fix the missed put_device() for rio_mport_add_riodev - [arm64,armhf] clk: bcm2835: add missing release if devm_clk_hw_register fails - vfio/pci: Clear token on bypass registration failure - [armhf] Input: omap4-keypad - fix handling of platform_get_irq() error - [armhf] Input: twl4030_keypad - fix handling of platform_get_irq() error - [armhf] Input: sun4i-ps2 - fix handling of platform_get_irq() error - [x86] KVM: x86: emulating RDPID failure shall return #UD rather than #GP - [arm64] dts: qcom: msm8916: Fix MDP/DSI interrupts - [arm64] dts: zynqmp: Remove additional compatible string for i2c IPs - nvmet: fix uninitialized work for zero kato - [x86] crypto: ccp - fix error handling - media: firewire: fix memory leak - media: ati_remote: sanity check for both endpoints - [armhf] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync - [armhf] media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync - [armhf] media: exynos4-is: Fix a reference count leak - media: media/pci: prevent memory leak in bttv_probe - media: uvcvideo: Ensure all probed info is returned to v4l2 - mmc: sdio: Check for CISTPL_VERS_1 buffer size - media: saa7134: avoid a shift overflow - fs: dlm: fix configfs memory leak - ntfs: add check for mft record size in superblock - PM: hibernate: remove the bogus call to get_gendisk() in software_resume() - scsi: mvumi: Fix error return in mvumi_io_attach() - scsi: target: core: Add CONTROL field for trace events - [amd64] mic: vop: copy data to kernel space then write to io memory - [amd64] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic - usb: gadget: function: printer: fix use-after-free in __lock_acquire - udf: Limit sparing table size - udf: Avoid accessing uninitialized data on failed inode read - USB: cdc-acm: handle broken union descriptors - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() - misc: rtsx: Fix memory leak in rtsx_pci_probe - reiserfs: only call unlock_new_inode() if I_NEW - xfs: make sure the rt allocator doesn't run off the end - usb: ohci: Default to per-port over-current protection - Bluetooth: Only mark socket zapped after unlocking - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy - rtl8xxxu: prevent potential memory leak - Fix use after free in get_capset_info callback. - tty: ipwireless: fix error handling - ipvs: Fix uninit-value in do_ip_vs_set_ctl() - reiserfs: Fix memory leak in reiserfs_parse_options() - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach - usb: core: Solve race condition in anchor cleanup functions - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync(). - eeprom: at25: set minimum read/write access stride to 1 - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets. https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.242 - SUNRPC: ECONNREFUSED should cause a rebind. - efivarfs: Replace invalid slashes with exclamation marks in dentries. - tipc: fix memory leak caused by tipc_buf_append() - [x86] arch/x86/amd/ibs: Fix re-arming IBS Fetch - fuse: fix page dereference after free - p54: avoid accessing the data mapped to streaming DMA - mtd: lpddr: Fix bad logic in print_drs_error - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir - fscrypto: move ioctl processing more fully into common code - fscrypt: use EEXIST when file already uses different policy - f2fs: add trace exit in exception path - f2fs: fix to check segment boundary during SIT page readahead - um: change sigio_spinlock to a mutex - [armel,armhf] 8997/2: hw_breakpoint: Handle inexact watchpoint addresses - xfs: fix realtime bitmap/summary file truncation when growing rt volume - ath10k: fix VHT NSS calculation when STBC is enabled - media: tw5864: check status of tw5864_frameinterval_get - mmc: via-sdmmc: Fix data race bug - USB: adutux: fix debugging - [arm64] mm: return cpu_all_mask when node is NUMA_NO_NODE - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values - md/bitmap: md_bitmap_get_counter returns wrong blocks - [armhf] clk: ti: clockdomain: fix static checker warning - net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid - ext4: Detect already used quota file early - gfs2: add validation checks for size of superblock - [armhf] memory: emif: Remove bogus debugfs error handling - md/raid5: fix oops during stripe resizing - [x86] perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count() - [x86] perf/x86/amd/ibs: Fix raw sample data accumulation - fs: Don't invalidate page buffers in block_write_full_page() - NFS: fix nfs_path in case of a rename retry - ACPI / extlog: Check for RDMSR failure - ACPI: video: use ACPI backlight for HP 635 Notebook - ACPI: debug: don't allow debugging when ACPI is disabled - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs - scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() - btrfs: reschedule if necessary when logging directory items - btrfs: cleanup cow block on error - btrfs: fix use-after-free on readahead extent after failure to create it - [arm64,armhf] usb: dwc3: core: add phy cleanup for probe error handling - [arm64,armhf] usb: dwc3: core: don't trigger runtime pm when remove driver - vt: keyboard, simplify vt_kdgkbsent - vt: keyboard, extend func_buf_lock to readers (CVE-2020-25656) - ubifs: dent: Fix some potential memory leaks while iterating entries - ubi: check kthread_should_stop() after the setting of task state - ceph: promote to unsigned long long before shifting - libceph: clear con->out_msg on Policy::stateful_server faults - 9P: Cast to loff_t before multiplying - ring-buffer: Return 0 on success from ring_buffer_resize() - vringh: fix __vringh_iov() when riov and wiov are different - tty: make FONTX ioctl use the tty pointer they were actually passed (CVE-2020-25668) - cachefiles: Handle readpage error correctly - device property: Keep secondary firmware node secondary by type - device property: Don't clear secondary pointer for shared primary firmware node - [arm64] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR - [x86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice - tipc: fix use-after-free in tipc_bcast_get_mode - ALSA: usb-audio: Add implicit feedback quirk for Qu-16 - kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled - ftrace: Fix recursion check for NMI test - ftrace: Handle tracing when switching between context - tracing: Fix out of bounds write in get_trace_buf - [armhf] dts: sun4i-a10: fix cpu_alert temperature - [x86] kexec: Use up-to-dated screen_info copy to fill boot params - of: Fix reserved-memory overlap detection - scsi: core: Don't start concurrent async scan on same host - vsock: use ns_capable_noaudit() on socket create - ACPI: NFIT: Fix comparison to '-ENXIO' - vt: Disable KD_FONT_OP_COPY (CVE-2020-28974) - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent - USB: serial: cyberjack: fix write-URB completion race - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 - USB: serial: option: add Telit FN980 composition 0x1055 - USB: Add NO_LPM quirk for Kingston flash drive https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.243 - powercap: restrict energy meter to root access (CVE-2020-8694) https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.244 - regulator: defer probe when trying to get voltage from unresolved supply - ring-buffer: Fix recursion protection transitions between interrupt context - gfs2: Wake up when sd_glock_disposal becomes zero - mm: mempolicy: fix potential pte_unmap_unlock pte error - time: Prevent undefined behaviour in timespec64_to_ns() - btrfs: reschedule when cloning lots of extents - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY - net: xfrm: fix a race condition during allocing spi - perf tools: Add missing swap for ino_generation - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() - can: peak_usb: add range checking in decode operations - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping - xfs: flush new eof page on truncate to avoid post-eof corruption - Btrfs: fix missing error return if writeback for extent buffer never started - pinctrl: devicetree: Avoid taking direct reference to device name string (CVE-2020-0427) - i40e: Fix a potential NULL pointer dereference - i40e: add num_vectors checker in iwarp handler - i40e: Wrong truncation from u16 to u8 - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c - i40e: Memory leak in i40e_config_iwarp_qvlist - geneve: add transport ports in route lookup for geneve (CVE-2020-25645) - ath9k_htc: Use appropriate rs_datalen type - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free - gfs2: check for live vs. read-only file system in gfs2_fitrim - scsi: hpsa: Fix memory leak in hpsa_init_one() - drm/amdgpu: perform srbm soft reset always on SDMA resume - mac80211: fix use of skb payload instead of header - cfg80211: regulatory: Fix inconsistent format argument - scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() - [amd64] iommu/amd: Increase interrupt remapping table limit to 512 entries - xfs: fix flags argument to rmap lookup when converting shared file rmaps - xfs: fix rmap key and record comparison functions - xfs: fix a missing unlock on error in xfs_fs_map_blocks - of/address: Fix of_node memory leak in of_dma_is_coherent - [i386] cosa: Add missing kfree in error path of cosa_write - perf: Fix get_recursion_context() - ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA - ext4: unlock xattr_sem properly in ext4_inline_data_truncate() - usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode - [x86] mei: protect mei_cl_mtu from null dereference - ocfs2: initialize ip_next_orphan - don't dump the threads that had been already exiting when zapped. - [x86] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] - [x86] pinctrl: amd: use higher precision for 512 RtcClk - [x86] pinctrl: amd: fix incorrect way to disable debounce filter - swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb" - IPv6: Set SIT tunnel hard_header_len to zero - net/x25: Fix null-ptr-deref in x25_connect - net: Update window_clamp if SOCK_RCVBUF is set - random32: make prandom_u32() output unpredictable - [x86] speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP - perf/core: Fix bad use of igrab() - perf/core: Fix crash when using HW tracing kernel filters - perf/core: Fix a memory leak in perf_event_parse_addr_filter() (CVE-2020-25704) - xen/events: avoid removing an event channel while handling it (CVE-2020-27675) - xen/events: Fix potential DoS of dom0 by rogue guests (CVE-2020-27673): + xen/events: add a proper barrier to 2-level uevent unmasking + xen/events: fix race in evtchn_fifo_unmask() + xen/events: add a new "late EOI" evtchn framework + xen/blkback: use lateeoi irq binding + xen/netback: use lateeoi irq binding + xen/scsiback: use lateeoi irq binding + xen/pciback: use lateeoi irq binding + xen/events: switch user event channels to lateeoi model + xen/events: use a common cpu hotplug hook for event channels + xen/events: defer eoi in case of excessive number of events + xen/events: block rogue events for some time - perf/core: Fix race in the perf_mmap_close() function (CVE-2020-14351) - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" - reboot: fix overflow parsing reboot cpu number - ext4: fix leaking sysfs kobject after failed mount - Convert trailing spaces and periods in path components https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.245 - [armhf] i2c: imx: use clk notifier for rate changes - [armhf] i2c: imx: Fix external abort on interrupt in exit paths - [armhf] i2c: mux: pca954x: Add missing pca9546 definition to chip_desc - [x86] Input: sunkbd - avoid use-after-free in teardown paths (CVE-2020-25669) - mac80211: always wind down STA state - [x86] KVM: x86: clflushopt should be treated as a no-op by emulation https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.246 - ah6: fix error return code in ah6_input() - atm: nicstar: Unmap DMA on send error - bnxt_en: read EEPROM A2h address using page 0 - devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() - net: b44: fix error return code in b44_init_one() - net: bridge: add missing counters to ndo_get_stats64 callback - net: Have netpoll bring-up DSA management interface - netlabel: fix our progress tracking in netlbl_unlabel_staticlist() - netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() - net/mlx4_core: Fix init_hca fields offset - net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request - qlcnic: fix error return code in qlcnic_83xx_restart_hw() - sctp: change to hold/put transport for proto_unreach_timer - net: usb: qmi_wwan: Set DTR quirk for MR400 - tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate - [armhf] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq - [arm64] psci: Avoid printing in cpu_psci_cpu_die() - vfs: remove lockdep bogosity in __sb_start_write - [armhf] dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy - [armhf] dts: imx50-evk: Fix the chip select 1 IOMUX - perf lock: Don't free "lock_seq_stat" if read_count isn't zero - can: dev: can_restart(): post buffer from the right context - can: peak_usb: fix potential integer overflow on shift of a int - [armhf] regulator: ti-abb: Fix array out of bound read access on the first transition - xfs: revert "xfs: fix rmap key and record comparison functions" - libfs: fix error cast of negative value in simple_attr_write() - ALSA: ctl: fix error path at adding user-defined element set - ALSA: mixart: Fix mutex deadlock - tty: serial: imx: keep console clocks always on - ext4: fix bogus warning in ext4_update_dx_flag() - [x86] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum - regulator: fix memory leak with repeated set_machine_constraints() - mac80211: minstrel: remove deferred sampling code - mac80211: minstrel: fix tx status processing corner case - mac80211: free sta in sta_info_insert_finish() on errors - [x86] microcode/intel: Check patch signature before saving microcode for early loading [ Ben Hutchings ] * fscrypto: Ignore ABI changes * xen/events: Ignore ABI changes * efivarfs: revert "fix memory leak in efivarfs_create()" (regression in 4.9.246) * [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb (regressions in 4.9.228, 4.9.244) * regulator: avoid resolve_supply() infinite recursion (regression in 4.9.241) * regulator: workaround self-referent regulators (regression in 4.9.241) * bonding: wait for sysfs kobject destruction before freeing struct slave (regression in 4.9.226) * [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (regression in 4.9.244) Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64 openssl1.0 (1.0.2u-1~deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the LTS team. * CVE-2020-1971: EDIPARTYNAME NULL pointer de-reference. Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2020-27783: Backport additional upstream commit a105ab8dc262ec6735977c25c13f0bdfcdec72a7 to address math/svg part of the vulnerability and complete the fix -- Steve McIntyre <93sam@debian.org> Thu, 17 Dec 2020 23:58:43 +0000 9.13.9-20201210 Updates in 4 source package(s), 14 binary package(s): Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64 apt (1.4.11) stretch-security; urgency=high * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193) - apt-pkg/contrib/arfile.cc: add extra checks. - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB - test/*: add tests. - CVE-2020-27350 * Additional hardening: - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB + * Fix autopkgtest regression in 1.8.2.1 security update Source lxml, binaries: python-lxml:amd64 python-lxml:arm64 lxml (3.7.1-1+deb9u1) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. * CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping. * CVE-2020-27783: Prevent combinations of