{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.5.0-42-generic", "linux-image-6.5.0-42-generic", "linux-modules-6.5.0-42-generic", "linux-riscv-6.5-headers-6.5.0-42" ], "removed": [ "linux-headers-6.5.0-40-generic", "linux-image-6.5.0-40-generic", "linux-modules-6.5.0-40-generic", "linux-riscv-6.5-headers-6.5.0-40" ], "diff": [ "libnetplan0:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "netplan.io", "openssh-client", "openssh-server", "openssh-sftp-server", "ubuntu-advantage-tools", "ubuntu-pro-client", "ubuntu-pro-client-l10n" ] } }, "diff": { "deb": [ { "name": "libnetplan0:riscv64", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.3", "version": "0.106.1-7ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2071333 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: failure on systems without dbus", " - debian/netplan.io.postinst: Don't call the generator if no networkd", " configuration file exists. (LP: #2071333) ", "" ], "package": "netplan.io", "version": "0.106.1-7ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2071333 ], "author": "Sudhakar Verma ", "date": "Fri, 28 Jun 2024 22:42:13 +0530" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.40.40.1~22.04.1", "version": "6.5.0.40.40.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-42.42.1~22.04", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:55:57 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.40.40.1~22.04.1", "version": "6.5.0.40.40.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-42.42.1~22.04", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:55:57 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.40.40.1~22.04.1", "version": "6.5.0.40.40.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-42.42.1~22.04", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:55:57 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.40.40.1~22.04.1", "version": "6.5.0.40.40.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.5", "source_package_version": "6.5.0.42.42.1~22.04.1", "version": "6.5.0.42.42.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-42.42.1~22.04", "" ], "package": "linux-meta-riscv-6.5", "version": "6.5.0.42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:55:57 +0200" } ], "notes": null }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.3", "version": "0.106.1-7ubuntu0.22.04.3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2071333 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: failure on systems without dbus", " - debian/netplan.io.postinst: Don't call the generator if no networkd", " configuration file exists. (LP: #2071333) ", "" ], "package": "netplan.io", "version": "0.106.1-7ubuntu0.22.04.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2071333 ], "author": "Sudhakar Verma ", "date": "Fri, 28 Jun 2024 22:42:13 +0530" } ], "notes": null }, { "name": "openssh-client", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.7", "version": "1:8.9p1-3ubuntu0.7" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.10", "version": "1:8.9p1-3ubuntu0.10" }, "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "launchpad_bugs_fixed": [ 2070497 ], "changes": [ { "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via signal handler race", " condition (LP: #2070497)", " - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.", " - CVE-2024-6387", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.10", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2070497 ], "author": "Marc Deslauriers ", "date": "Wed, 26 Jun 2024 09:11:55 -0400" } ], "notes": null }, { "name": "openssh-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.7", "version": "1:8.9p1-3ubuntu0.7" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.10", "version": "1:8.9p1-3ubuntu0.10" }, "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "launchpad_bugs_fixed": [ 2070497 ], "changes": [ { "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via signal handler race", " condition (LP: #2070497)", " - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.", " - CVE-2024-6387", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.10", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2070497 ], "author": "Marc Deslauriers ", "date": "Wed, 26 Jun 2024 09:11:55 -0400" } ], "notes": null }, { "name": "openssh-sftp-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.7", "version": "1:8.9p1-3ubuntu0.7" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.10", "version": "1:8.9p1-3ubuntu0.10" }, "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "launchpad_bugs_fixed": [ 2070497 ], "changes": [ { "cves": [ { "cve": "CVE-2024-6387", "url": "https://ubuntu.com/security/CVE-2024-6387", "cve_description": "Race condition in SIGALRM handling code", "cve_priority": "high", "cve_public_date": "2024-07-01" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via signal handler race", " condition (LP: #2070497)", " - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.", " - CVE-2024-6387", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.10", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2070497 ], "author": "Marc Deslauriers ", "date": "Wed, 26 Jun 2024 09:11:55 -0400" } ], "notes": null }, { "name": "ubuntu-advantage-tools", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3~22.04", "version": "32.3~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~22.04", "version": "32.3.1~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2067810 ], "changes": [ { "cves": [], "log": [ "", " * Adjust the esm_cache apparmor profile to allow reading of dpkg data", " directory (LP: #2067810):", " - d/apparmor/ubuntu_pro_esm_cache.jinja2: allow /var/lib/dpkg/** for dpkg", " and other profiles", " - features/steps/machines.py: trigger the bug in the behave test suite,", " which tests the fix", " * version.py: update version to 32.3.1", "" ], "package": "ubuntu-advantage-tools", "version": "32.3.1~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2067810 ], "author": "Andreas Hasenack ", "date": "Fri, 07 Jun 2024 14:52:55 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3~22.04", "version": "32.3~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~22.04", "version": "32.3.1~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2067810 ], "changes": [ { "cves": [], "log": [ "", " * Adjust the esm_cache apparmor profile to allow reading of dpkg data", " directory (LP: #2067810):", " - d/apparmor/ubuntu_pro_esm_cache.jinja2: allow /var/lib/dpkg/** for dpkg", " and other profiles", " - features/steps/machines.py: trigger the bug in the behave test suite,", " which tests the fix", " * version.py: update version to 32.3.1", "" ], "package": "ubuntu-advantage-tools", "version": "32.3.1~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2067810 ], "author": "Andreas Hasenack ", "date": "Fri, 07 Jun 2024 14:52:55 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client-l10n", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3~22.04", "version": "32.3~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "32.3.1~22.04", "version": "32.3.1~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2067810 ], "changes": [ { "cves": [], "log": [ "", " * Adjust the esm_cache apparmor profile to allow reading of dpkg data", " directory (LP: #2067810):", " - d/apparmor/ubuntu_pro_esm_cache.jinja2: allow /var/lib/dpkg/** for dpkg", " and other profiles", " - features/steps/machines.py: trigger the bug in the behave test suite,", " which tests the fix", " * version.py: update version to 32.3.1", "" ], "package": "ubuntu-advantage-tools", "version": "32.3.1~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2067810 ], "author": "Andreas Hasenack ", "date": "Fri, 07 Jun 2024 14:52:55 -0300" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-42.42.1~22.04.1 -proposed tracker", " (LP: #2068178)", "", " [ Ubuntu: 6.5.0-42.42.1 ]", "", " * mantic/linux-riscv: 6.5.0-42.42.1 -proposed tracker (LP: #2068180)", " * mantic/linux: 6.5.0-42.42 -proposed tracker (LP: #2068188)", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", " * mantic/linux: 6.5.0-41.41 -proposed tracker (LP: #2065893)", " * CVE-2024-21823", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:51:22 +0200" } ], "notes": "linux-headers-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-42.42.1~22.04.1') was added. linux-headers-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-40-generic. As such we can use the source package version of the removed package, '6.5.0-40.40.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-42.42.1~22.04.1 -proposed tracker", " (LP: #2068178)", "", " [ Ubuntu: 6.5.0-42.42.1 ]", "", " * mantic/linux-riscv: 6.5.0-42.42.1 -proposed tracker (LP: #2068180)", " * mantic/linux: 6.5.0-42.42 -proposed tracker (LP: #2068188)", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", " * mantic/linux: 6.5.0-41.41 -proposed tracker (LP: #2065893)", " * CVE-2024-21823", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:51:22 +0200" } ], "notes": "linux-image-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-42.42.1~22.04.1') was added. linux-image-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-40-generic. As such we can use the source package version of the removed package, '6.5.0-40.40.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-6.5.0-42-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-42.42.1~22.04.1 -proposed tracker", " (LP: #2068178)", "", " [ Ubuntu: 6.5.0-42.42.1 ]", "", " * mantic/linux-riscv: 6.5.0-42.42.1 -proposed tracker (LP: #2068180)", " * mantic/linux: 6.5.0-42.42 -proposed tracker (LP: #2068188)", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", " * mantic/linux: 6.5.0-41.41 -proposed tracker (LP: #2065893)", " * CVE-2024-21823", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:51:22 +0200" } ], "notes": "linux-modules-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-42.42.1~22.04.1') was added. linux-modules-6.5.0-42-generic version '6.5.0-42.42.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-40-generic. As such we can use the source package version of the removed package, '6.5.0-40.40.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-riscv-6.5-headers-6.5.0-42", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-42.42.1~22.04.1", "version": "6.5.0-42.42.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26809", "url": "https://ubuntu.com/security/CVE-2024-26809", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\") which came after: 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "cve_priority": "high", "cve_public_date": "2024-04-04 10:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.5: 6.5.0-42.42.1~22.04.1 -proposed tracker", " (LP: #2068178)", "", " [ Ubuntu: 6.5.0-42.42.1 ]", "", " * mantic/linux-riscv: 6.5.0-42.42.1 -proposed tracker (LP: #2068180)", " * mantic/linux: 6.5.0-42.42 -proposed tracker (LP: #2068188)", " * CVE-2024-26925", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26809", " - netfilter: nft_set_pipapo: release elements in clone only from destroy path", " * Mantic update: upstream stable patchset 2024-04-02 (LP: #2059991) //", " CVE-2024-26809", " - netfilter: nft_set_pipapo: store index in scratch maps", " - netfilter: nft_set_pipapo: add helper to release pcpu scratch area", " - netfilter: nft_set_pipapo: remove scratch_aligned pointer", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", " * mantic/linux: 6.5.0-41.41 -proposed tracker (LP: #2065893)", " * CVE-2024-21823", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-riscv-6.5", "version": "6.5.0-42.42.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068178, 2068180, 2068188, 2059991, 2065893 ], "author": "Hannah Peuckmann ", "date": "Thu, 20 Jun 2024 09:51:22 +0200" } ], "notes": "linux-riscv-6.5-headers-6.5.0-42 version '6.5.0-42.42.1~22.04.1' (source package linux-riscv-6.5 version '6.5.0-42.42.1~22.04.1') was added. linux-riscv-6.5-headers-6.5.0-42 version '6.5.0-42.42.1~22.04.1' has the same source package name, linux-riscv-6.5, as removed package linux-headers-6.5.0-40-generic. As such we can use the source package version of the removed package, '6.5.0-40.40.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.5.0-40-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": "6.5.0-40.40.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.5.0-40-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": "6.5.0-40.40.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.5.0-40-generic", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": "6.5.0-40.40.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-riscv-6.5-headers-6.5.0-40", "from_version": { "source_package_name": "linux-riscv-6.5", "source_package_version": "6.5.0-40.40.1~22.04.1", "version": "6.5.0-40.40.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20240627 to 20240701", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240627", "to_serial": "20240701", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }