Changelog
user-mode-linux (3.2-2um-1+deb7u2) wheezy-security; urgency=high
* Rebuild against linux-source-3.2 (3.2.46-1+deb7u1):
* Fix regression in "xen: netback: shutdown the ring if it contains garbage
(CVE-2013-0216)"
* libceph: Fix NULL pointer dereference in auth client code (CVE-2013-1059)
* fanotify: info leak in copy_event_to_user() (CVE-2013-2148)
* drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (CVE-2013-2164)
* ipv6: ip6_sk_dst_check() must not assume ipv6 dst (CVE-2013-2232)
* af_key: fix info leaks in notify messages (CVE-2013-2234)
* af_key: initialize satype in key_notify_policy_flush() (CVE-2013-2237)
* block: do not pass disk names as format strings (CVE-2013-2851)
* b43: stop format string leaking into error msgs (CVE-2013-2852)
* ipv6: call udp_push_pending_frames when uncorking a socket (CVE-2013-4162)
* ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
(CVE-2013-4163)
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.42
- TTY: do not reset master's packet mode
- l2tp: Restore socket refcount when sendmsg succeeds
- tun: add a missing nf_reset() in tun_net_xmit()
- netlabel: correctly list all the static label mappings
- sctp: Use correct sideffect command in duplicate cookie handling
- rtlwifi: rtl8192cu: Fix problem that prevents reassociation
- inet: limit length of fragment queue hash table bucket lists
- sfc: Properly sync RX DMA buffer when it is not the last in the page
- sfc: Fix efx_rx_buf_offset() in the presence of swiotlb
- sfc: Only use TX push if a single descriptor is to be written
- ext4: fix the wrong number of the allocated blocks in
ext4_split_extent()
- jbd2: fix use after free in jbd2_journal_dirty_metadata()
- ext4: convert number of blocks to clusters properly
- ext4: use atomic64_t for the per-flexbg free_clusters count
- cifs: delay super block destruction until all cifsFileInfo objects are
gone
- USB: xhci: correctly enable interrupts (possibly fix for #703470)
- [amd64] Fix the failure case in copy_user_handle_tail()
- dm thin: fix discard corruption
- USB: serial: fix interface refcounting
- vfs,proc: guarantee unique inodes in /proc
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.43
- [armhf/mx5] ASoC: imx-ssi: Fix occasional AC97 reset failure
- rtlwifi: usb: add missing freeing of skbuff
- xen-blkback: fix dispatch_rw_block_io() error path
- net/irda: add missing error path release_sock call
- sysfs: fix race between readdir and lseek
- sysfs: handle failure path correctly for readdir()
- NFSv4.1: Fix a race in pNFS layoutcommit
- usb: xhci: Fix TRB transfer length macro used for Event TRB.
- nfsd4: reject "negative" acl lengths
- Nest rename_lock inside vfsmount_lock
- [x86] iommu/amd: Make sure dma_ops are set for hotplug devices
- b43: A fix for DMA transmission sequence errors
- reiserfs: Fix warning and inode leak when deleting inode with xattrs
- virtio: console: add locking around c_ovq operations
- mm: prevent mmap_cache race in find_vma()
- ixgbe: fix registration order of driver and DCA nofitication
- key: Fix resource leak
- udf: Fix bitmap overflow on large filesystems with small block size
- NFS: nfs_getaclargs.acl_len is a size_t
- loop: prevent bdev freeing while device in use
- sky2: Threshold for Pause Packet is set wrong
- 8021q: fix a potential use-after-free
- unix: fix a race condition in unix_release()
- atl1e: drop pci-msi support because of packet corruption
(possibly fixes: #577747)
- ipv6: don't accept multicast traffic with scope 0
- ipv6: don't accept node local multicast traffic from the wire
- pch_gbe: fix ip_summed checksum reporting on rx
- HID: microsoft: do not use compound literal (fixes FTBFS on m68k)
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.44
- USB: serial: fix use-after-free in TIOCMIWAIT
- hrtimer: Don't reinitialize a cpu_base lock on CPU_UP
- crypto: gcm - fix assumption that assoc has one segment
- sched_clock: Prevent 64bit inatomicity on 32bit systems
- can: gw: use kmem_cache_free() instead of kfree()
- spinlocks and preemption points need to be at least compiler barriers
- [x86] mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates
- Btrfs: make sure nbytes are right after log replay
- kobject: fix kset_find_obj() race with concurrent last kobject_put()
- vfs: Revert spurious fix to spinning prevention in prune_icache_sb
- ath9k_htc: accept 1.x firmware newer than 1.3
- [armel] Fix kexec by setting outer_cache.inv_all for Feroceon
- hugetlbfs: add swap entry check in follow_hugetlb_page()
- writeback: fix dirtied pages accounting on redirty
- Btrfs: fix race between mmap writes and compression
- mtd: Disable mtdchar mmap on MMU systems
- fbcon: fix locking harder
- hfsplus: fix potential overflow in hfsplus_file_truncate()
- sched: Convert BUG_ON()s in try_to_wake_up_local() to WARN_ON_ONCE()s
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.45
- [ia64] Wrong asm register contraints in the futex implementation
- [ia64] Wrong asm register contraints in the kvm implementation
- [ia64] Fix initialization of CMCI/CMCP interrupts
- sysfs: fix use after free in case of concurrent read/write and readdir
- nfsd: don't run get_file if nfs4_preprocess_stateid_op return error
- ext4/jbd2: don't wait (forever) for stale tid caused by wraparound
- jbd2: fix race between jbd2_journal_remove_checkpoint and
->j_commit_callback
- hrtimer: Fix ktime_add_ns() overflow on 32bit architectures
- nfsd4: don't close read-write opens too soon
- wireless: regulatory: fix channel disabling race condition
- iwlwifi: dvm: don't send zeroed LQ cmd
- powerpc/spufs: Initialise inode->i_ino in spufs_new_inode()
(possibly fixes: #707175)
- clockevents: Set dummy handler on CPU_DEAD shutdown
- powerpc: Add isync to copy_and_flush
- fs/fscache/stats.c: fix memory leak
- md: bad block list should default to disabled. (fixes regression in 3.1)
- inotify: invalid mask should return a error number but not set it
(fixes regression in 3.2.40)
- fs/dcache.c: add cond_resched() to shrink_dcache_parent()
- perf: Fix error return code
- [x86] perf: Fix offcore_rsp valid mask for SNB/IVB (CVE-2013-2146)
- vm: Introduce and use vm_iomap_memory() helper function
- atl1e: limit gso segment size to prevent generation of wrong ip length
fields
- netfilter: don't reset nf_trace in nf_reset()
- rtnetlink: Call nlmsg_parse() with correct header length
- tcp: incoming connections might use wrong route under synflood
- esp4: fix error return code in esp_output()
- net: sctp: sctp_auth_key_put: use kzfree instead of kfree
- netrom: fix info leak via msg_name in nr_recvmsg()
- netrom: fix invalid use of sizeof in nr_recvmsg()
- net: drop dst before queueing fragments
- [sparc] sparc64: Fix race in TLB batch processing.
- r8169: fix 8168evl frame padding.
- ixgbe: add missing rtnl_lock in PM resume path
- kernel/audit_tree.c: tree will leak memory when failure occurs in
audit_trim_trees()
- r8169: fix vlan tag read ordering.
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.46
- nfsd4: don't allow owner override on 4.1 CLAIM_FH opens
- ext4: limit group search loop for non-extent files
- iscsi-target: Fix processing of OOO commands
- cifs: only set ops for inodes in I_NEW state
- KVM: VMX: fix halt emulation while emulating invalid guest sate
- [armel/kirkwood] Enable PCIe port 1 on QNAP TS-11x/TS-21x
- drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory
overflow
- ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
- btrfs: don't stop searching after encountering the wrong item
- TTY: Fix tty miss restart after we turn off flow-control
- SUNRPC: Prevent an rpc_task wakeup race
- fat: fix possible overflow for fat_clusters
- mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
- mm compaction: fix of improper cache flush in migration code
- mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
- nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary
- random: fix accounting race condition with lockless irq entropy_count
update
- mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas
- ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
- x86,efi: Check max_size only if it is non-zero.
- x86,efi: Implement efi_no_storage_paranoia parameter
- tcp: force a dst refcount when prequeue packet
- packet: tpacket_v3: do not trigger bug() on wrong header status
- macvlan: fix passthru mode race between dev removal and rx path
- ipv6: do not clear pinet6 field
* Input: MT: add tracking and frame synchronisation to core
* Input: add support for Cypress PS/2 Trackpads, thanks to
Apollon Oikonomopoulos
* drm, agp: Update to 3.4.47:
- drm/i915: restrict kernel address leak in debugfs
- KMS: fix EDID detailed timing vsync parsing
- KMS: fix EDID detailed timing frame rate
- drm/radeon: add support for Richland APUs
- drm/radeon/benchmark: make sure bo blit copy exists before using it
- drm/i915: Don't clobber crtc->fb when queue_flip fails
- drm/i915: Use the correct size of the GTT for placing the per-process
entries
- udl: handle EDID failure properly.
- drm/i915: Add no-lvds quirk for Fujitsu Esprimo Q900
- drm/i915: Fall back to bit banging mode for DVO transmitter detection
- drm/radeon: don't use get_engine_clock() on APUs
- drm/radeon/dce6: add missing display reg for tiling setup
- drm/radeon: properly lock disp in mc_stop/resume for evergreen+
- drm/radeon: disable the crtcs in mc_stop (evergreen+) (v2)
- drm/radeon/evergreen+: don't enable HPD interrupts on eDP/LVDS
- drm/radeon: fix endian bugs in atom_allocate_fb_scratch()
- drm/radeon: fix possible segfault when parsing pm tables
- drm/radeon: add new richland pci ids
- drm/radeon: fix handling of v6 power tables
- drm/radeon: Fix VRAM size calculation for VRAM >= 4GB
- drm/radeon: check incoming cliprects pointer
- drm/mm: fix dump table BUG
* [rt] Update to 3.2.45-rt66:
- rcutiny: Fix typo of using swake_up() instead of swait_wake()
- tcp: force a dst refcount when prequeue packet
- x86/mce: Defer mce wakeups to threads for PREEMPT_RT
- swap: Use unique local lock name for swap_lock
- sched: Add is_idle_task() to handle invalidated uses of idle_cpu()
* debugfs: Document change of default mode
* iwlwifi: Do not request firmware API version 6 for IWL6005/6205
* bug script: Remove broken sound functions
* [i386/486] udeb: Add lxfb to fb-modules
* [i386] cpufreq / Longhaul: Disable driver by default
* iscsi-target: fix heap buffer overflow on error (CVE-2013-2850)
* ath9k: Disable PowerSave by default
* dlm: Do not allocate a fd for peeloff
* nfsd4: Fix performance problem with RELEASE_LOCKOWNER
- hash lockowners to simplify RELEASE_LOCKOWNER
- maintain one seqid stream per (lockowner, file)
* ipw2100,ipw2200: Fix order of device registration
* udf: Fix handling of i_blocks
* kbuild: Fix missing '\n' for NEW symbols in yes "" | make oldconfig
>conf.new
* [i386] udeb: Add viafb to fb-modules
- [i386] udeb: Move i2c-algo-bit to i2c-modules and make fb-modules
depend on it
- viafb: Autoload on OLPC XO 1.5 only
* cifs: fix potential buffer overrun when composing a new options string
* ext3,ext4,nfsd: dir_index: Return 64-bit readdir cookies for NFSv3 and 4
-- dann frazier <email address hidden> Wed, 28 Aug 2013 20:30:48 -0600
