{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-5.4.0-1122-kvm",
                "linux-image-5.4.0-1122-kvm",
                "linux-kvm-headers-5.4.0-1122",
                "linux-modules-5.4.0-1122-kvm"
            ],
            "removed": [
                "linux-headers-5.4.0-1121-kvm",
                "linux-image-5.4.0-1121-kvm",
                "linux-kvm-headers-5.4.0-1121",
                "linux-modules-5.4.0-1121-kvm"
            ],
            "diff": [
                "linux-headers-kvm",
                "linux-image-kvm",
                "linux-kvm",
                "snapd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "linux-headers-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1122",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1122.118",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:08:57 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-image-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1122",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1122.118",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:08:57 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1122.118",
                    "version": "5.4.0.1122.118"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1122",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1122.118",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:08:57 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.63+20.04ubuntu0.1",
                    "version": "2.63+20.04ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.65.3+20.04",
                    "version": "2.65.3+20.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2077473,
                    2077473,
                    2077473,
                    2077473,
                    2072986,
                    2061179
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2077473",
                            "    - Fix missing aux info from store on snap setup",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.65.3+20.04",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2077473
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 12 Sep 2024 09:40:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2077473",
                            "    - Bump squashfuse from version 0.5.0 to 0.5.2 (used in snapd deb",
                            "      only)",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.65.2",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2077473
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Fri, 06 Sep 2024 17:08:45 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2077473",
                            "    - Support building snapd using base Core22 (Snapcraft 8.x)",
                            "    - FIPS: support building FIPS compliant snapd variant that switches",
                            "      to FIPS mode when the system boots with FIPS enabled",
                            "    - AppArmor: update to latest 4.0.2 release",
                            "    - AppArmor: enable using ABI 4.0 from host parser",
                            "    - AppArmor: fix parser lookup",
                            "    - AppArmor: support AppArmor snippet priorities",
                            "    - AppArmor: allow reading cgroup memory.max file",
                            "    - AppArmor: allow using snap-exec coming from the snapd snap when",
                            "      starting a confined process with jailmode",
                            "    - AppArmor prompting (experimental): add checks for prompting",
                            "      support, include prompting status in system key, and restart snapd",
                            "      if prompting flag changes",
                            "    - AppArmor prompting (experimental): include prompt prefix in",
                            "      AppArmor rules if prompting is supported and enabled",
                            "    - AppArmor prompting (experimental): add common types, constraints,",
                            "      and mappings from AppArmor permissions to abstract permissions",
                            "    - AppArmor prompting (experimental): add path pattern parsing and",
                            "      matching",
                            "    - AppArmor prompting (experimental): add path pattern precedence",
                            "      based on specificity",
                            "    - AppArmor prompting (experimental): add packages to manage",
                            "      outstanding request prompts and rules",
                            "    - AppArmor prompting (experimental): add prompting API and notice",
                            "      types, which require snap-interfaces-requests-control interface",
                            "    - AppArmor prompting (experimental): feature flag can only be",
                            "      enabled if prompting is supported, handler service connected, and",
                            "      the service can be started",
                            "    - Registry views (experimental): rename from aspects to registries",
                            "    - Registry views (experimental): support reading registry views and",
                            "      setting/unsetting registry data using snapctl",
                            "    - Registry views (experimental): fetch and refresh registry",
                            "      assertions as needed",
                            "    - Registry views (experimental): restrict view paths from using a",
                            "      number as first character and view names to storage path style",
                            "      patterns",
                            "    - Snap components: support installing snaps and components from",
                            "      files at the same time (no REST API/CLI)",
                            "    - Snap components: support downloading components related assertions",
                            "      from the store",
                            "    - Snap components: support installing components from the store",
                            "    - Snap components: support removing components individually and",
                            "      during snap removal",
                            "    - Snap components: support kernel modules as components",
                            "    - Snap components: support for component install, pre-refresh and",
                            "      post-refresh hooks",
                            "    - Snap components: initial support for building systems that contain",
                            "      components",
                            "    - Refresh app awareness (experimental): add data field for",
                            "      /v2/changes REST API to allow associating each task with affected",
                            "      snaps",
                            "    - Refresh app awareness (experimental): use the app name from",
                            "      .desktop file in notifications",
                            "    - Refresh app awareness (experimental): give snap-refresh-observe",
                            "      interface access to /v2/snaps/{name} endpoint",
                            "    - Improve snap-confine compatibility with nvidia drivers",
                            "    - Allow re-exec when SNAP_REEXEC is set for unlisted distros to",
                            "      simplify testing",
                            "    - Allow mixing revision and channel on snap install",
                            "    - Generate GNU build ID for Go binaries",
                            "    - Add missing etelpmoc.sh for shell completion",
                            "    - Do not attempt to run snapd on classic when re-exec is disabled",
                            "    - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse",
                            "    - Add snap debug API command to enable running raw queries",
                            "    - Enable snap-confine snap mount directory detection",
                            "    - Replace global seccomp filter with deny rules in standard seccomp",
                            "      template",
                            "    - Remove support for Ubuntu Core Launcher (superseded by snap-",
                            "      confine)",
                            "    - Support creating pending serial bound users after serial assertion",
                            "      becomes available",
                            "    - Support disabling cloud-init using kernel command-line",
                            "    - In hybrid systems, apps can refresh without waiting for restarts",
                            "      required by essential snaps",
                            "    - Ship snap-debug-info.sh script used for system diagnostics",
                            "    - Improve error messages when attempting to run non-existent snap",
                            "    - Switch to -u UID:GID for strace-static",
                            "    - Support enabling snapd logging with snap set system",
                            "      debug.snapd.{log,log-level}",
                            "    - Add options system.coredump.enable and system.coredump.maxuse to",
                            "      support using systemd-coredump on Ubuntu Core",
                            "    - Provide documentation URL for 'snap interface '",
                            "    - Fix snapd riscv64 build",
                            "    - Fix restarting activated services instead of their activator units",
                            "      (i.e. sockets, timers)",
                            "    - Fix potential unexpected auto-refresh of snap on managed schedule",
                            "    - Fix potential segfault by guarding against kernel command-line",
                            "      changes on classic system",
                            "    - Fix proxy entries in /etc/environment with missing newline that",
                            "      caused later manual entries to not be usable",
                            "    - Fix offline remodelling by ignoring prerequisites that will",
                            "      otherwise be downloaded from store",
                            "    - Fix devmode seccomp deny regression that caused spamming the log",
                            "      instead of actual denies",
                            "    - Fix snap lock leak during refresh",
                            "    - Fix not re-pinning validation sets that were already pinned when",
                            "      enforcing new validation sets",
                            "    - Fix handling of unexpected snapd runtime failure",
                            "    - Fix /v2/notices REST API skipping notices with duplicate",
                            "      timestamps",
                            "    - Fix comparing systemd versions that may contain pre-release",
                            "      suffixes",
                            "    - Fix udev potentially starting before snap-device-helper is made",
                            "      available",
                            "    - Fix race in snap seed metadata loading",
                            "    - Fix treating cloud-init exit status 2 as error",
                            "    - Fix to prevent sending refresh complete notification if snap snap-",
                            "      refresh-observe interface is connected",
                            "    - Fix to queue snapctl service commands if run from the default-",
                            "      configure hook to ensure they get up-to-date config values",
                            "    - Fix stop service failure when the service is not actually running",
                            "      anymore",
                            "    - Fix parsing /proc/PID/mounts with spaces",
                            "    - Add registry interface that provides snaps access to a particular",
                            "      registry view",
                            "    - Add snap-interfaces-requests-control interface to enable prompting",
                            "      client snaps",
                            "    - steam-support interface: remove all AppArmor and seccomp",
                            "      restrictions to improve user experience",
                            "    - opengl interface: improve compatibility with nvidia drivers",
                            "    - home interface: autoconnect home on Ubuntu Core Desktop",
                            "    - serial-port interface: support RPMsg tty",
                            "    - display-control interface: allow changing LVDS backlight power and",
                            "      brightness",
                            "    - power-control interface: support for battery charging thresholds,",
                            "      type/status and AC type/status",
                            "    - cpu-control interface: allow CPU C-state control",
                            "    - raw-usb interface: support RPi5 and Thinkpad x13s",
                            "    - custom-device interface: allow device file locking",
                            "    - lxd-support interface: allow LXD to self-manage its own cgroup",
                            "    - network-manager interface: support MPTCP sockets",
                            "    - network-control interface: allow plug/slot access to gnutls config",
                            "      and systemd resolved cache flushing via D-Bus",
                            "    - network-control interface: allow wpa_supplicant dbus api",
                            "    - gpio-control interface: support gpiochip* devices",
                            "    - polkit interface: fix \"rw\" mount option check",
                            "    - u2f-devices interface: enable additional security keys",
                            "    - desktop interface: enable kde theming support",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.65.1",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2077473
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Sat, 24 Aug 2024 10:31:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2077473",
                            "    - Support building snapd using base Core22 (Snapcraft 8.x)",
                            "    - FIPS: support building FIPS compliant snapd variant that switches",
                            "      to FIPS mode when the system boots with FIPS enabled",
                            "    - AppArmor: update to latest 4.0.2 release",
                            "    - AppArmor: enable using ABI 4.0 from host parser",
                            "    - AppArmor: fix parser lookup",
                            "    - AppArmor: support AppArmor snippet priorities",
                            "    - AppArmor: allow reading cgroup memory.max file",
                            "    - AppArmor: allow using snap-exec coming from the snapd snap when",
                            "      starting a confined process with jailmode",
                            "    - AppArmor prompting (experimental): add checks for prompting",
                            "      support, include prompting status in system key, and restart snapd",
                            "      if prompting flag changes",
                            "    - AppArmor prompting (experimental): include prompt prefix in",
                            "      AppArmor rules if prompting is supported and enabled",
                            "    - AppArmor prompting (experimental): add common types, constraints,",
                            "      and mappings from AppArmor permissions to abstract permissions",
                            "    - AppArmor prompting (experimental): add path pattern parsing and",
                            "      matching",
                            "    - AppArmor prompting (experimental): add path pattern precedence",
                            "      based on specificity",
                            "    - AppArmor prompting (experimental): add packages to manage",
                            "      outstanding request prompts and rules",
                            "    - AppArmor prompting (experimental): add prompting API and notice",
                            "      types, which require snap-interfaces-requests-control interface",
                            "    - AppArmor prompting (experimental): feature flag can only be",
                            "      enabled if prompting is supported, handler service connected, and",
                            "      the service can be started",
                            "    - Registry views (experimental): rename from aspects to registries",
                            "    - Registry views (experimental): support reading registry views and",
                            "      setting/unsetting registry data using snapctl",
                            "    - Registry views (experimental): fetch and refresh registry",
                            "      assertions as needed",
                            "    - Registry views (experimental): restrict view paths from using a",
                            "      number as first character and view names to storage path style",
                            "      patterns",
                            "    - Snap components: support installing snaps and components from",
                            "      files at the same time (no REST API/CLI)",
                            "    - Snap components: support downloading components related assertions",
                            "      from the store",
                            "    - Snap components: support installing components from the store",
                            "    - Snap components: support removing components individually and",
                            "      during snap removal",
                            "    - Snap components: support kernel modules as components",
                            "    - Snap components: support for component install, pre-refresh and",
                            "      post-refresh hooks",
                            "    - Snap components: initial support for building systems that contain",
                            "      components",
                            "    - Refresh app awareness (experimental): add data field for",
                            "      /v2/changes REST API to allow associating each task with affected",
                            "      snaps",
                            "    - Refresh app awareness (experimental): use the app name from",
                            "      .desktop file in notifications",
                            "    - Refresh app awareness (experimental): give snap-refresh-observe",
                            "      interface access to /v2/snaps/{name} endpoint",
                            "    - Improve snap-confine compatibility with nvidia drivers",
                            "    - Allow re-exec when SNAP_REEXEC is set for unlisted distros to",
                            "      simplify testing",
                            "    - Allow mixing revision and channel on snap install",
                            "    - Generate GNU build ID for Go binaries",
                            "    - Add missing etelpmoc.sh for shell completion",
                            "    - Do not attempt to run snapd on classic when re-exec is disabled",
                            "    - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse",
                            "    - Add snap debug API command to enable running raw queries",
                            "    - Enable snap-confine snap mount directory detection",
                            "    - Replace global seccomp filter with deny rules in standard seccomp",
                            "      template",
                            "    - Remove support for Ubuntu Core Launcher (superseded by snap-",
                            "      confine)",
                            "    - Support creating pending serial bound users after serial assertion",
                            "      becomes available",
                            "    - Support disabling cloud-init using kernel command-line",
                            "    - In hybrid systems, apps can refresh without waiting for restarts",
                            "      required by essential snaps",
                            "    - Ship snap-debug-info.sh script used for system diagnostics",
                            "    - Improve error messages when attempting to run non-existent snap",
                            "    - Switch to -u UID:GID for strace-static",
                            "    - Support enabling snapd logging with snap set system",
                            "      debug.snapd.{log,log-level}",
                            "    - Add options system.coredump.enable and system.coredump.maxuse to",
                            "      support using systemd-coredump on Ubuntu Core",
                            "    - Provide documentation URL for 'snap interface '",
                            "    - Fix restarting activated services instead of their activator units",
                            "      (i.e. sockets, timers)",
                            "    - Fix potential unexpected auto-refresh of snap on managed schedule",
                            "    - Fix potential segfault by guarding against kernel command-line",
                            "      changes on classic system",
                            "    - Fix proxy entries in /etc/environment with missing newline that",
                            "      caused later manual entries to not be usable",
                            "    - Fix offline remodelling by ignoring prerequisites that will",
                            "      otherwise be downloaded from store",
                            "    - Fix devmode seccomp deny regression that caused spamming the log",
                            "      instead of actual denies",
                            "    - Fix snap lock leak during refresh",
                            "    - Fix not re-pinning validation sets that were already pinned when",
                            "      enforcing new validation sets",
                            "    - Fix handling of unexpected snapd runtime failure",
                            "    - Fix /v2/notices REST API skipping notices with duplicate",
                            "      timestamps",
                            "    - Fix comparing systemd versions that may contain pre-release",
                            "      suffixes",
                            "    - Fix udev potentially starting before snap-device-helper is made",
                            "      available",
                            "    - Fix race in snap seed metadata loading",
                            "    - Fix treating cloud-init exit status 2 as error",
                            "    - Fix to prevent sending refresh complete notification if snap snap-",
                            "      refresh-observe interface is connected",
                            "    - Fix to queue snapctl service commands if run from the default-",
                            "      configure hook to ensure they get up-to-date config values",
                            "    - Fix stop service failure when the service is not actually running",
                            "      anymore",
                            "    - Fix parsing /proc/PID/mounts with spaces",
                            "    - Add registry interface that provides snaps access to a particular",
                            "      registry view",
                            "    - Add snap-interfaces-requests-control interface to enable prompting",
                            "      client snaps",
                            "    - steam-support interface: remove all AppArmor and seccomp",
                            "      restrictions to improve user experience",
                            "    - opengl interface: improve compatibility with nvidia drivers",
                            "    - home interface: autoconnect home on Ubuntu Core Desktop",
                            "    - serial-port interface: support RPMsg tty",
                            "    - display-control interface: allow changing LVDS backlight power and",
                            "      brightness",
                            "    - power-control interface: support for battery charging thresholds,",
                            "      type/status and AC type/status",
                            "    - cpu-control interface: allow CPU C-state control",
                            "    - raw-usb interface: support RPi5 and Thinkpad x13s",
                            "    - custom-device interface: allow device file locking",
                            "    - lxd-support interface: allow LXD to self-manage its own cgroup",
                            "    - network-manager interface: support MPTCP sockets",
                            "    - network-control interface: allow plug/slot access to gnutls config",
                            "      and systemd resolved cache flushing via D-Bus",
                            "    - network-control interface: allow wpa_supplicant dbus api",
                            "    - gpio-control interface: support gpiochip* devices",
                            "    - polkit interface: fix \"rw\" mount option check",
                            "    - u2f-devices interface: enable additional security keys",
                            "    - desktop interface: enable kde theming support",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.65",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2077473
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Fri, 23 Aug 2024 08:49:28 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2072986",
                            "    - Support building snapd using base Core22 (Snapcraft 8.x)",
                            "    - FIPS: support building FIPS compliant snapd variant that switches",
                            "      to FIPS mode when the system boots with FIPS enabled",
                            "    - AppArmor: update to AppArmor 4.0.1",
                            "    - AppArmor: support AppArmor snippet priorities",
                            "    - AppArmor prompting: add checks for prompting support, include",
                            "      prompting status in system key, and restart snapd if prompting",
                            "      flag changes",
                            "    - AppArmor prompting: include prompt prefix in AppArmor rules if",
                            "      prompting is supported and enabled",
                            "    - AppArmor prompting: add common types, constraints, and mappings",
                            "      from AppArmor permissions to abstract permissions",
                            "    - AppArmor prompting: add path pattern parsing and matching",
                            "    - Registry views (experimental): rename from aspects to registries",
                            "    - Registry views (experimental): support reading registry views",
                            "      using snapctl",
                            "    - Registry views (experimental): restrict view paths from using a",
                            "      number as first character and view names to storage path style",
                            "      patterns",
                            "    - Snap components: support installing snaps and components from",
                            "      files at the same time (no REST API/CLI)",
                            "    - Snap components: support downloading components related assertions",
                            "      from the store",
                            "    - Snap components: support installing components from the store (no",
                            "      REST API/CLI)",
                            "    - Snap components: support removing components (REST API, no CLI)",
                            "    - Snap components: started support for component hooks",
                            "    - Snap components: support kernel modules as components",
                            "    - Refresh app awareness (experimental): add data field for",
                            "      /v2/changes REST API to allow associating each task with affected",
                            "      snaps",
                            "    - Refresh app awareness (experimental): use the app name from",
                            "      .desktop file in notifications",
                            "    - Refresh app awareness (experimental): give snap-refresh-observe",
                            "      interface access to /v2/snaps/{name} endpoint",
                            "    - Allow re-exec when SNAP_REEXEC is set for unlisted distros to",
                            "      simplify testing",
                            "    - Generate GNU build ID for Go binaries",
                            "    - Add missing etelpmoc.sh for shell completion",
                            "    - Do not attempt to run snapd on classic when re-exec is disabled",
                            "    - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse",
                            "    - Add snap debug api command to enable running raw queries",
                            "    - Enable snap-confine snap mount directory detection",
                            "    - Replace global seccomp filter with deny rules in standard seccomp",
                            "      template",
                            "    - Remove support for Ubuntu Core Launcher (superseded by snap-",
                            "      confine)",
                            "    - Support creating pending serial bound users after serial assertion",
                            "      becomes available",
                            "    - Support disabling cloud-init using kernel command-line",
                            "    - In hybrid systems, apps can refresh without waiting for restarts",
                            "      required by essential snaps",
                            "    - Ship snap-debug-info.sh script used for system diagnostics",
                            "    - Improve error messages when attempting to run non-existent snap",
                            "    - Switch to -u UID:GID for strace-static",
                            "    - Support enabling snapd logging with snap set system",
                            "      debug.snapd.{log,log-level}",
                            "    - Fix restarting activated services instead of their activator units",
                            "      (i.e. sockets, timers)",
                            "    - Fix potential unexpected auto-refresh of snap on managed schedule",
                            "    - Fix potential segfault by guarding against kernel command-line",
                            "      changes on classic system",
                            "    - Fix proxy entries in /etc/environment with missing newline that",
                            "      caused later manual entries to not be usable",
                            "    - Fix offline remodelling by ignoring prerequisites that will",
                            "      otherwise be downloaded from store",
                            "    - Fix devmode seccomp deny regression that caused spamming the log",
                            "      instead of actual denies",
                            "    - Fix snap lock leak during refresh",
                            "    - Fix not re-pinning validation sets that were already pinned when",
                            "      enforcing new validation sets",
                            "    - Fix handling of unexpected snapd runtime failure",
                            "    - Fix /v2/notices REST API skipping notices with duplicate",
                            "      timestamps",
                            "    - Fix comparing systemd versions that may contain pre-release",
                            "      suffixes",
                            "    - Fix udev potentially starting before snap-device-helper is made",
                            "      available",
                            "    - Fix race in snap seed metadata loading",
                            "    - Fix treating cloud-init exit status 2 as error",
                            "    - Fix to prevent sending refresh complete notification if snap snap-",
                            "      refresh-observe interface is connected",
                            "    - Fix to queue snapctl service commands if run from the default-",
                            "      configure hook to ensure they get up-to-date config values",
                            "    - Fix stop service failure when the service is not actually running",
                            "      anymore",
                            "    - Add registry interface that provides snaps access to a particular",
                            "      registry view",
                            "    - steam-support interface: relaxed AppArmor and seccomp restrictions",
                            "      to improve user experience",
                            "    - home interface: autoconnect home on Ubuntu Core Desktop",
                            "    - serial-port interface: support RPMsg tty",
                            "    - display-control interface: allow changing LVDS backlight power and",
                            "      brightness",
                            "    - power-control interface: support for battery charging thresholds,",
                            "      type/status and AC type/status",
                            "    - cpu-control interface: allow CPU C-state control",
                            "    - raw-usb interface: support RPi5 and Thinkpad x13s",
                            "    - custom-device interface: allow device file locking",
                            "    - lxd-support interface: allow LXD to self-manage its own cgroup",
                            "    - network-manager interface: support MPTCP sockets",
                            "    - network-control interface: allow plug/slot access to gnutls config",
                            "      and systemd resolved cache flushing via D-Bus",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.64",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2072986
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 24 Jul 2024 21:11:59 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2061179",
                            "    - Support for snap services to show the current status of user",
                            "      services (experimental)",
                            "    - Refresh app awareness: record snap-run-inhibit notice when",
                            "      starting app from snap that is busy with refresh (experimental)",
                            "    - Refresh app awareness: use warnings as fallback for desktop",
                            "      notifications (experimental)",
                            "    - Aspect based configuration: make request fields in the aspect-",
                            "      bundle's rules optional (experimental)",
                            "    - Aspect based configuration: make map keys conform to the same",
                            "      format as path sub-keys (experimental)",
                            "    - Aspect based configuration: make unset and set behaviour similar",
                            "      to configuration options (experimental)",
                            "    - Aspect based configuration: limit nesting level for setting value",
                            "      (experimental)",
                            "    - Components: use symlinks to point active snap component revisions",
                            "    - Components: add model assertion support for components",
                            "    - Components: fix to ensure local component installation always gets",
                            "      a new revision number",
                            "    - Add basic support for a CIFS remote filesystem-based home",
                            "      directory",
                            "    - Add support for AppArmor profile kill mode to avoid snap-confine",
                            "      error",
                            "    - Allow more than one interface to grant access to the same API",
                            "      endpoint or notice type",
                            "    - Allow all snapd service's control group processes to send systemd",
                            "      notifications to prevent warnings flooding the log",
                            "    - Enable not preseeded single boot install",
                            "    - Update secboot to handle new sbatlevel",
                            "    - Fix to not use cgroup for non-strict confined snaps (devmode,",
                            "      classic)",
                            "    - Fix two race conditions relating to freedesktop notifications",
                            "    - Fix missing tunables in snap-update-ns AppArmor template",
                            "    - Fix rejection of snapd snap udev command line by older host snap-",
                            "      device-helper",
                            "    - Rework seccomp allow/deny list",
                            "    - Clean up files removed by gadgets",
                            "    - Remove non-viable boot chains to avoid secboot failure",
                            "    - posix_mq interface: add support for missing time64 mqueue syscalls",
                            "      mq_timedreceive_time64 and mq_timedsend_time64",
                            "    - password-manager-service interface: allow kwalletd version 6",
                            "    - kubernetes-support interface: allow SOCK_SEQPACKET sockets",
                            "    - system-observe interface: allow listing systemd units and their",
                            "      properties",
                            "    - opengl interface: enable use of nvidia container toolkit CDI",
                            "      config generation",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.63",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2061179
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Wed, 24 Apr 2024 02:00:39 +0200"
                    }
                ],
                "notes": null
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082221,
                    1786013,
                    2082232,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1122.130 -proposed tracker (LP: #2082221)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "",
                            "  [ Ubuntu: 5.4.0-198.218 ]",
                            "",
                            "  * focal/linux: 5.4.0-198.218 -proposed tracker (LP: #2082232)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "  * CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1122.130",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082221,
                            1786013,
                            2082232,
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:05:58 +0200"
                    }
                ],
                "notes": "linux-headers-5.4.0-1122-kvm version '5.4.0-1122.130' (source package linux-kvm version '5.4.0-1122.130') was added. linux-headers-5.4.0-1122-kvm version '5.4.0-1122.130' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1121-kvm. As such we can use the source package version of the removed package, '5.4.0-1121.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-image-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 5.4.0-1122.130",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed-kvm",
                        "version": "5.4.0-1122.130",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:09:09 +0200"
                    }
                ],
                "notes": "linux-image-5.4.0-1122-kvm version '5.4.0-1122.130' (source package linux-signed-kvm version '5.4.0-1122.130') was added. linux-image-5.4.0-1122-kvm version '5.4.0-1122.130' has the same source package name, linux-signed-kvm, as removed package linux-image-5.4.0-1121-kvm. As such we can use the source package version of the removed package, '5.4.0-1121.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-kvm-headers-5.4.0-1122",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082221,
                    1786013,
                    2082232,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1122.130 -proposed tracker (LP: #2082221)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "",
                            "  [ Ubuntu: 5.4.0-198.218 ]",
                            "",
                            "  * focal/linux: 5.4.0-198.218 -proposed tracker (LP: #2082232)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "  * CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1122.130",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082221,
                            1786013,
                            2082232,
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:05:58 +0200"
                    }
                ],
                "notes": "linux-kvm-headers-5.4.0-1122 version '5.4.0-1122.130' (source package linux-kvm version '5.4.0-1122.130') was added. linux-kvm-headers-5.4.0-1122 version '5.4.0-1122.130' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1121-kvm. As such we can use the source package version of the removed package, '5.4.0-1121.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-modules-5.4.0-1122-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1122.130",
                    "version": "5.4.0-1122.130"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-45016",
                        "url": "https://ubuntu.com/security/CVE-2024-45016",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38630",
                        "url": "https://ubuntu.com/security/CVE-2024-38630",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-06-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27397",
                        "url": "https://ubuntu.com/security/CVE-2024-27397",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-14 15:12:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26960",
                        "url": "https://ubuntu.com/security/CVE-2024-26960",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                        "cve_priority": "high",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2082221,
                    1786013,
                    2082232,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-45016",
                                "url": "https://ubuntu.com/security/CVE-2024-45016",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netem: fix return value if duplicate enqueue fails  There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free.  This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.  There are two ways for the bug happen:  - If the duplicated packet is dropped by rootq->enqueue() and then   the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc   and the original packet is dropped.  In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.  The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38630",
                                "url": "https://ubuntu.com/security/CVE-2024-38630",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-06-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27397",
                                "url": "https://ubuntu.com/security/CVE-2024-27397",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-14 15:12:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26960",
                                "url": "https://ubuntu.com/security/CVE-2024-26960",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in \"count == SWAP_HAS_CACHE\". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). 
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----",
                                "cve_priority": "high",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1122.130 -proposed tracker (LP: #2082221)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.kvm/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "",
                            "  [ Ubuntu: 5.4.0-198.218 ]",
                            "",
                            "  * focal/linux: 5.4.0-198.218 -proposed tracker (LP: #2082232)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/s2024.09.02)",
                            "  * CVE-2024-45016",
                            "    - netem: fix return value if duplicate enqueue fails",
                            "  * CVE-2024-38630",
                            "    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger",
                            "  * CVE-2024-27397",
                            "    - netfilter: nf_tables: use timestamp to check for set element timeout",
                            "  * CVE-2024-26960",
                            "    - mm: swap: fix race between free_swap_and_cache() and swapoff()",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1122.130",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2082221,
                            1786013,
                            2082232,
                            1786013
                        ],
                        "author": "Thibault Ferrante <thibault.ferrante@canonical.com>",
                        "date": "Thu, 03 Oct 2024 17:05:58 +0200"
                    }
                ],
                "notes": "linux-modules-5.4.0-1122-kvm version '5.4.0-1122.130' (source package linux-kvm version '5.4.0-1122.130') was added. linux-modules-5.4.0-1122-kvm version '5.4.0-1122.130' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1121-kvm. As such we can use the source package version of the removed package, '5.4.0-1121.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-image-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-kvm-headers-5.4.0-1121",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-modules-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20241011 to 20241016",
    "from_series": "focal",
    "to_series": "focal",
    "from_serial": "20241011",
    "to_serial": "20241016",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}