SB2019090448 - Information exposure in Linux kernel
Published: September 4, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information exposure (CVE-ID: CVE-2019-15902)
The vulnerability allows a local user to gain access to sensitive information.
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because 2 (correctly ordered) code lines were swapped.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
- https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
- https://seclists.org/bugtraq/2019/Sep/41
- https://security.netapp.com/advisory/ntap-20191004-0001/
- https://usn.ubuntu.com/4157-1/
- https://usn.ubuntu.com/4157-2/
- https://usn.ubuntu.com/4162-1/
- https://usn.ubuntu.com/4162-2/
- https://usn.ubuntu.com/4163-1/
- https://usn.ubuntu.com/4163-2/
- https://www.debian.org/security/2019/dsa-4531