diff --git a/debian/changelog b/debian/changelog index a4e963e8d800..c982eedfbcd3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.6.6-1) UNRELEASED; urgency=medium +linux (4.6.7-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.5 
@@ -295,6 +295,62 @@ linux (4.6.6-1) UNRELEASED; urgency=medium - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516) - vfs: fix deadlock in file_remove_privs() on overlayfs - [mips*] CM: Fix mips_cm_max_vp_width for UP kernels + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.7 + - [x86] libnvdimm, dax: record the specified alignment of a dax-device instance + - [x86] libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment + - ppp: defer netns reference release for ppp channel + - tcp: make challenge acks less predictable (CVE-2016-5696) + - tcp: enable per-socket rate limiting of all 'challenge acks' + - bonding: set carrier off for devices created through netlink + - net: bgmac: Fix infinite loop in bgmac_dma_tx_add() + - vlan: use a valid default mtu value for vlan over macsec + - bridge: Fix incorrect re-injection of LLDP packets + - net: ipv6: Always leave anycast and multicast groups on link down + - net/irda: fix NULL pointer dereference on memory allocation failure + - qed: Fix setting/clearing bit in completion bitmap + - macsec: ensure rx_sa is set when validation is disabled + - tcp: consider recv buf for the initial window scale + - i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR + - [mips] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace + - IB/hfi1: Correct issues with sc5 computation + - IB/hfi1: Fix deadlock with txreq allocation slow path + - apparmor: fix ref count leak when profile sha1 hash is read + - regulator: qcom_smd: Remove list_voltage callback for rpm_smps_ldo_ops_fixed + - random: strengthen input validation for RNDADDTOENTCNT + - [x86] mm/pat: Add support of non-default PAT MSR setting + - [x86] mm/pat: Add pat_disable() interface + - [x86] mm/pat: Replace cpu_has_pat with boot_cpu_has() + - [x86] mtrr: Fix Xorg crashes in Qemu sessions + - [x86] mtrr: Fix PAT init handling when MTRR is disabled + - [x86] xen, pat: Remove PAT table init code from Xen + - 
[x86] pat: Document the PAT initialization sequence + - [x86] mm/pat: Fix BUG_ON() in mmap_mem() on QEMU/i386 + - udf: Prevent stack overflow on corrupted filesystem mount + - [powerpc] eeh: Fix invalid cached PE primary bus + - [powerpc] bpf/jit: Disable classic BPF JIT on ppc64le + - mm: memcontrol: fix swap counter leak on swapout from offline cgroup + - mm: memcontrol: fix memcg id ref counter on swap charge move + - [x86] syscalls/64: Add compat_sys_keyctl for 32-bit userspace + - block: fix use-after-free in seq file + - sysv, ipc: fix security-layer leaking + - radix-tree: account nodes to memcg only if explicitly requested + - [x86] microcode: Fix suspend to RAM with builtin microcode + - [x86] power/64: Fix hibernation return address corruption + - fuse: fsync() did not return IO errors + - fuse: fuse_flush must check mapping->flags for errors + - fuse: fix wrong assignment of ->flags in fuse_send_init() + - Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements" + - fs/dcache.c: avoid soft-lockup in dput() + - Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency" + - crypto: gcm - Filter out async ghash if necessary + - crypto: scatterwalk - Fix test in scatterwalk_done + - serial: mvebu-uart: free the IRQ in ->shutdown() + - ext4: check for extents that wrap around + - ext4: fix deadlock during page writeback + - ext4: don't call ext4_should_journal_data() on the journal inode + - ext4: validate s_reserved_gdt_blocks on mount + - ext4: short-cut orphan cleanup on error + - ext4: fix reference counting bug on block allocation error [ Uwe Kleine-König ] * Fix perf to be able to find debug info based on build-id. (Closes: 
@@ -308,9 +364,6 @@ linux (4.6.6-1) UNRELEASED; urgency=medium * [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412) * audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136) - [ Salvatore Bonaccorso ] - * tcp: make challenge acks less predictable (CVE-2016-5696) - -- Ben Hutchings Sat, 30 Jul 2016 14:23:58 +0100 linux (4.6.4-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch b/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch deleted file mode 100644 index 5322d343071c..000000000000 --- a/debian/patches/bugfix/all/tcp-make-challenge-acks-less-predictable.patch +++ /dev/null 
@@ -1,77 +0,0 @@
-From: Eric Dumazet
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: tcp: make challenge acks less predictable
-Origin: https://git.kernel.org/linus/75ff39ccc1bd5d3c455b6822ab09e533c551f758
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao
-Signed-off-by: Eric Dumazet
-Suggested-by: Linus Torvalds
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
-Acked-by: Neal Cardwell
-Acked-by: Yuchung Cheng
-Signed-off-by: David S. Miller
-[carnil: Backported to 4.6: adjust context]
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
-
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3460,7 +3460,7 @@ static void tcp_send_challenge_ack(struc
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
-
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3468,13 +3468,18 @@ static void tcp_send_challenge_ack(struc
- &tp->last_oow_ack_time))
- return;
-
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
diff --git a/debian/patches/series b/debian/patches/series
index 106f447e39ef..b9a14b1dd9d7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -104,7 +104,6 @@ bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
 bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
 bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
-bugfix/all/tcp-make-challenge-acks-less-predictable.patch
 bugfix/powerpc/kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-int.patch
 bugfix/powerpc/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch
 bugfix/all/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch