Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2019-0217)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.10.2019.0217

Category: Mageia Linux Local Security Checks

Title: Mageia: Security Advisory (MGASA-2019-0217)

Summary: The remote host is missing an update for the 'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) announced via the MGASA-2019-0217 advisory.

Description: Summary:
The remote host is missing an update for the 'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) announced via the MGASA-2019-0217 advisory.

Vulnerability Insight:
This kernel update is based on the upstream 5.1.20 and fixes at least
the following security issue:

With Xen, virtual device backends and device models running in domain 0,
or other backend driver domains, need to be able to map guest memory
(either via grant mappings, or via the foreign mapping interface). For
Linux to keep track of these mappings, it needs to have a page structure
for each one. In PV dom0, a range of pfns are typically set aside at boot
('pre-ballooned') for this purpose, for PVH and Arm dom0s, no memory is
set aside to begin with. In either case, when more of this 'foreign / grant
map pfn space' is needed, dom0 will balloon out extra pages to use for this
purpose. Unfortunately, in Linux, there are no limits, either on the total
amount of memory which dom0 will attempt to balloon down to, nor on the
amount of 'foreign / grant map' memory which any individual guest can
consume. As a result, a malicious guest may be able, with crafted requests
to the backend, to cause dom0 to exhaust its own memory, leading to a host
crash, and if this is not possible, it may be able to monopolize all of the
foreign / grant map pfn space, starving out other guests (XSA-300).

Other changes in this update:
- kernel configs:
* enable Full dynticks system (tickless) (NO_HZ_FULL)
* enable CONFIG_RCU_NOCB_CPU (mga#24701)
- add kernel side support for temperature monitoring on Amd Ryzen 3000
series (lm_sensors 3.5.0-2.1.mga7 or newer is also needed)

For other upstream changes in this update, see the referenced changelogs.

Note! This is the last update that is based on the upstream 5.1 series.
Next update will be based on the upstream 5.2 series.

Affected Software/OS:
'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.10.2019.0217
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2019-0217)
Summary:	The remote host is missing an update for the 'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) announced via the MGASA-2019-0217 advisory.
Description:	Summary: The remote host is missing an update for the 'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) announced via the MGASA-2019-0217 advisory. Vulnerability Insight: This kernel update is based on the upstream 5.1.20 and fixes at least the following security issue: With Xen, virtual device backends and device models running in domain 0, or other backend driver domains, need to be able to map guest memory (either via grant mappings, or via the foreign mapping interface). For Linux to keep track of these mappings, it needs to have a page structure for each one. In PV dom0, a range of pfns are typically set aside at boot ('pre-ballooned') for this purpose, for PVH and Arm dom0s, no memory is set aside to begin with. In either case, when more of this 'foreign / grant map pfn space' is needed, dom0 will balloon out extra pages to use for this purpose. Unfortunately, in Linux, there are no limits, either on the total amount of memory which dom0 will attempt to balloon down to, nor on the amount of 'foreign / grant map' memory which any individual guest can consume. As a result, a malicious guest may be able, with crafted requests to the backend, to cause dom0 to exhaust its own memory, leading to a host crash, and if this is not possible, it may be able to monopolize all of the foreign / grant map pfn space, starving out other guests (XSA-300). Other changes in this update: - kernel configs: * enable Full dynticks system (tickless) (NO_HZ_FULL) * enable CONFIG_RCU_NOCB_CPU (mga#24701) - add kernel side support for temperature monitoring on Amd Ryzen 3000 series (lm_sensors 3.5.0-2.1.mga7 or newer is also needed) For other upstream changes in this update, see the referenced changelogs. Note! This is the last update that is based on the upstream 5.1 series. Next update will be based on the upstream 5.2 series. Affected Software/OS: 'kernel, kernel-userspace-headers, kmod-virtualbox, kmod-xtables-addons' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2022 Greenbone AG