group.of.nepali.translators team mailing list archive
Message #06077
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.2.0-42.49
---------------
linux (4.2.0-42.49) wily; urgency=low
[ Ben Romer ]
* Release Tracking Bug
- LP: #1597053
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
[ Upstream Kernel Changes ]
* Revert "scsi: fix soft lockup in scsi_remove_target() on module
removal"
- LP: #1592552
* ath10k: fix firmware assert in monitor mode
- LP: #1592552
* drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
- LP: #1592552
* ath10k: fix debugfs pktlog_filter write
- LP: #1592552
* drm/i915: Call intel_dp_mst_resume() before resuming displays
- LP: #1592552
* ARM: mvebu: fix GPIO config on the Linksys boards
- LP: #1592552
* ath5k: Change led pin configuration for compaq c700 laptop
- LP: #1592552, #972604
* xfs: disallow rw remount on fs with unknown ro-compat features
- LP: #1592552
* xfs: Don't wrap growfs AGFL indexes
- LP: #1592552
* rtlwifi: rtl8723be: Add antenna select module parameter
- LP: #1592552
* rtlwifi: btcoexist: Implement antenna selection
- LP: #1592552
* drm/gma500: Fix possible out of bounds read
- LP: #1592552
* Bluetooth: vhci: fix open_timeout vs. hdev race
- LP: #1592552
* Bluetooth: vhci: purge unhandled skbs
- LP: #1592552
* cpuidle: Indicate when a device has been unregistered
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Use clkdev_create()
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Remove clock tree on error path
- LP: #1592552
* [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in
put_v4l2_create32
- LP: #1592552
* scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
- LP: #1592552
* drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C
- LP: #1592552
* usb: f_mass_storage: test whether thread is running before starting
another
- LP: #1592552
* hwmon: (ads7828) Enable internal reference
- LP: #1592552
* ath10k: fix rx_channel during hw reconfigure
- LP: #1592552
* Bluetooth: vhci: Fix race at creating hci device
- LP: #1592552
* powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
- LP: #1592552
* PM / Runtime: Fix error path in pm_runtime_force_resume()
- LP: #1592552
* crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
- LP: #1592552
* ath9k: Add a module parameter to invert LED polarity.
- LP: #1592552
* ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
- LP: #1592552
* pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
- LP: #1592552
* btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
btrfs_ioctl
- LP: #1592552
* serial: 8250_pci: fix divide error bug if baud rate is 0
- LP: #1592552
* TTY: n_gsm, fix false positive WARN_ON
- LP: #1592552
* staging: comedi: das1800: fix possible NULL dereference
- LP: #1592552
* arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
- LP: #1592552
* KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
- LP: #1592552
* aacraid: Relinquish CPU during timeout wait
- LP: #1592552
* aacraid: Fix for aac_command_thread hang
- LP: #1592552
* aacraid: Fix for KDUMP driver hang
- LP: #1592552
* ext4: fix hang when processing corrupted orphaned inode list
- LP: #1592552
* MIPS: ath79: make bootconsole wait for both THRE and TEMT
- LP: #1592552
* Drivers: hv: ring_buffer.c: fix comment style
- LP: #1592552
* mei: fix NULL dereferencing during FW initiated disconnection
- LP: #1592552
* mei: amthif: discard not read messages
- LP: #1592552
* tty: Abstract tty buffer work
- LP: #1592552
* Fix OpenSSH pty regression on close
- LP: #1592552
* QE-UART: add "fsl,t1040-ucc-uart" to of_device_id
- LP: #1592552
* thunderbolt: Fix double free of drom buffer
- LP: #1592552
* USB: serial: option: add support for Cinterion PH8 and AHxx
- LP: #1592552
* usb: misc: usbtest: format the data pattern according to max packet
size
- LP: #1592552
* usb: misc: usbtest: fix pattern tests for scatterlists.
- LP: #1592552
* mcb: Fixed bar number assignment for the gdd
- LP: #1592552
* USB: serial: option: add more ZTE device ids
- LP: #1592552
* USB: serial: option: add even more ZTE device ids
- LP: #1592552
* ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA
internal strings
- LP: #1592552
* drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh
- LP: #1592552
* USB: serial: cp210x: fix hardware flow-control disable
- LP: #1592552
* ext4: fix oops on corrupted filesystem
- LP: #1592552
* ext4: address UBSAN warning in mb_find_order_for_block()
- LP: #1592552
* ext4: silence UBSAN in ext4_mb_init()
- LP: #1592552
* arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
- LP: #1592552
* ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on
exynos4210-trats
- LP: #1592552
* ath10k: fix kernel panic, move arvifs list head init before htt init
- LP: #1592552
* can: fix handling of unmodifiable configuration options
- LP: #1592552
* MIPS: Fix siginfo.h to use strict posix types
- LP: #1592552
* MIPS: Don't unwind to user mode with EVA
- LP: #1592552
* MIPS: Avoid using unwind_stack() with usermode
- LP: #1592552
* MIPS: Reserve nosave data for hibernation
- LP: #1592552
* MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
- LP: #1592552
* MIPS64: R6: R2 emulation bugfix
- LP: #1592552
* usb: host: xhci-rcar: Avoid long wait in xhci_reset()
- LP: #1592552
* mfd: omap-usb-tll: Fix scheduling while atomic BUG
- LP: #1592552
* USB: serial: io_edgeport: fix memory leaks in attach error path
- LP: #1592552
* USB: serial: io_edgeport: fix memory leaks in probe error path
- LP: #1592552
* USB: serial: keyspan: fix use-after-free in probe error path
- LP: #1592552
* USB: serial: mxuport: fix use-after-free in probe error path
- LP: #1592552
* USB: serial: quatech2: fix use-after-free in probe error path
- LP: #1592552
* crypto: caam - fix caam_jr_alloc() ret code
- LP: #1592552
* MIPS: KVM: Fix timer IRQ race when freezing timer
- LP: #1592552
* MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
- LP: #1592552
* gcov: disable tree-loop-im to reduce stack usage
- LP: #1592552
* irqchip/gic: Ensure ordering between read of INTACK and shared data
- LP: #1592552
* irqchip/gic-v3: Configure all interrupts as non-secure Group-1
- LP: #1592552
* arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
- LP: #1592552
* kbuild: move -Wunused-const-variable to W=1 warning level
- LP: #1592552
* rtlwifi: Fix logic error in enter/exit power-save mode
- LP: #1592552
* rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in
rtl_pci_reset_trx_ring
- LP: #1592552
* sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded
systems
- LP: #1592552
* powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
- LP: #1592552
* powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()
- LP: #1592552
* MIPS: Handle highmem pages in __update_cache
- LP: #1592552
* MIPS: Sync icache & dcache in set_pte_at
- LP: #1592552
* SIGNAL: Move generic copy_siginfo() to signal.h
- LP: #1592552
* MIPS: Fix uapi include in exported asm/siginfo.h
- LP: #1592552
* MIPS: math-emu: Fix jalr emulation when rd == $0
- LP: #1592552
* MIPS: ptrace: Fix FP context restoration FCSR regression
- LP: #1592552
* MIPS: ptrace: Prevent writes to read-only FCSR bits
- LP: #1592552
* MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
- LP: #1592552
* MIPS: Force CPUs to lose FP context during mode switches
- LP: #1592552
* ring-buffer: Use long for nr_pages to avoid overflow failures
- LP: #1592552
* ring-buffer: Prevent overflow of size in ring_buffer_resize()
- LP: #1592552
* mmc: mmc: Fix partition switch timeout for some eMMCs
- LP: #1592552
* PCI: Disable all BAR sizing for devices with non-compliant BARs
- LP: #1592552
* MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
- LP: #1592552
* drm/i915/fbdev: Fix num_connector references in
intel_fb_initial_config()
- LP: #1592552
* drm/fb_helper: Fix references to dev->mode_config.num_connector
- LP: #1592552
* fs/cifs: correctly to anonymous authentication via NTLMSSP
- LP: #1592552
* fs/cifs: correctly to anonymous authentication for the LANMAN
authentication
- LP: #1592552
* fs/cifs: correctly to anonymous authentication for the NTLM(v1)
authentication
- LP: #1592552
* fs/cifs: correctly to anonymous authentication for the NTLM(v2)
authentication
- LP: #1592552
* remove directory incorrectly tries to set delete on close on non-empty
directories
- LP: #1592552
* cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
- LP: #1592552
* xfs: xfs_iflush_cluster fails to abort on error
- LP: #1592552
* xfs: fix inode validity check in xfs_iflush_cluster
- LP: #1592552
* xfs: skip stale inodes in xfs_iflush_cluster
- LP: #1592552
* ASoC: ak4642: Enable cache usage to fix crashes on resume
- LP: #1592552
* cifs: Create dedicated keyring for spnego operations
- LP: #1592552
* ALSA: hda - Fix headphone noise on Dell XPS 13 9360
- LP: #1592552
* kvm: arm64: Fix EC field in inject_abt64
- LP: #1592552
* Input: uinput - handle compat ioctl for UI_SET_PHYS
- LP: #1592552
* PM / sleep: Handle failures in device_suspend_late() consistently
- LP: #1592552
* mm: use phys_addr_t for reserve_bootmem_region() arguments
- LP: #1592552
* locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait()
- LP: #1592552
* drm/i915: Don't leave old junk in ilk active watermarks on readout
- LP: #1592552
* mmc: longer timeout for long read time quirk
- LP: #1592552
* mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
- LP: #1592552
* mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
- LP: #1592552
* sunrpc: fix stripping of padded MIC tokens
- LP: #1592552
* wait/ptrace: assume __WALL if the child is traced
- LP: #1592552
* xen/x86: actually allocate legacy interrupts on PV guests
- LP: #1592552
* xen/events: Don't move disabled irqs
- LP: #1592552
* UBI: Fix static volume checks when Fastmap is used
- LP: #1592552
* drm/amdgpu: Fix hdmi deep color support.
- LP: #1592552
* dma-debug: avoid spinlock recursion when disabling dma-debug
- LP: #1592552
* dell-rbtn: Ignore ACPI notifications if device is suspended
- LP: #1592552
* Input: xpad - prevent spurious input from wired Xbox 360 controllers
- LP: #1592552
* Input: pwm-beeper - fix - scheduling while atomic
- LP: #1592552
* MIPS: lib: Mark intrinsics notrace
- LP: #1592552
* hpfs: fix remount failure when there are no options changed
- LP: #1592552
* affs: fix remount failure when there are no options changed
- LP: #1592552
* hpfs: implement the show_options method
- LP: #1592552
* regmap: cache: Fix typo in cache_bypass parameter description
- LP: #1592552
* ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile
- LP: #1592552
* serial: doc: Un-document non-existing uart_write_console()
- LP: #1592552
* iio: buffer: add missing descriptions in iio_buffer_access_funcs
- LP: #1592552
* iommu/vt-d: Ratelimit fault handler
- LP: #1592552
* iommu/vt-d: Improve fault handler error messages
- LP: #1592552
* power: ipaq-micro-battery: freeing the wrong variable
- LP: #1592552
* ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence
- LP: #1592552
* security: drop the unused hook skb_owned_by
- LP: #1592552
* mfd: lp8788-irq: Uninitialized variable in irq handler
- LP: #1592552
* am437x-vfpe: fix typo in vpfe_get_app_input_index
- LP: #1592552
* am437x-vpfe: fix an uninitialized variable bug
- LP: #1592552
* cx23885: uninitialized variable in cx23885_av_work_handler()
- LP: #1592552
* ipv6, token: allow for clearing the current device token
- LP: #1592552
* usb: gadget: f_fs: Fix EFAULT generation for async read operations
- LP: #1592552
* EDAC: Increment correct counter in edac_inc_ue_error()
- LP: #1592552
* PCI: Supply CPU physical address (not bus address) to
iomem_is_exclusive()
- LP: #1592552
* alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not
IORESOURCE_IO
- LP: #1592552
* ARM: debug: remove extraneous DEBUG_HI3716_UART option
- LP: #1592552
* cxl: Fix DAR check & use REGION_ID instead of opencoding
- LP: #1592552
* taskstats: fix nl parsing in accounting/getdelays.c
- LP: #1592552
* char: Drop bogus dependency of DEVPORT on !M68K
- LP: #1592552
* driver-core: use 'dev' argument in dev_dbg_ratelimited stub
- LP: #1592552
* metag: Fix atomic_*_return inline asm constraints
- LP: #1592552
* tty: vt, return error when con_startup fails
- LP: #1592552
* cpufreq: Fix GOV_LIMITS handling for the userspace governor
- LP: #1592552
* ACPI / sysfs: fix error code in get_status()
- LP: #1592552
* clk: qcom: msm8916: Fix crypto clock flags
- LP: #1592552
* MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200
- LP: #1592552
* NFS: Fix an LOCK/OPEN race when unlinking an open file
- LP: #1592552
* ata: sata_dwc_460ex: remove incorrect locking
- LP: #1592552
* s390/vmem: fix identity mapping
- LP: #1592552
* perf tools: Fix perf regs mask generation
- LP: #1592552
* powerpc/sstep: Fix sstep.c compile on powerpcspe
- LP: #1592552
* MIPS: BMIPS: BMIPS5000 has I cache filing from D cache
- LP: #1592552
* MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier
- LP: #1592552
* MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache
- LP: #1592552
* MIPS: BMIPS: Pretty print BMIPS5200 processor name
- LP: #1592552
* MIPS: math-emu: Fix BC1{EQ,NE}Z emulation
- LP: #1592552
* MIPS: Fix BC1{EQ,NE}Z return offset calculation
- LP: #1592552
* MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435
- LP: #1592552
* IB/srp: Print "ib_srp: " prefix once
- LP: #1592552
* IB/IWPM: Fix a potential skb leak
- LP: #1592552
* i40e: fix an uninitialized variable bug
- LP: #1592552
* blk-mq: fix undefined behaviour in order_to_size()
- LP: #1592552
* x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
- LP: #1592552
* netlink: Fix dump skb leak/double free
- LP: #1592552
* MIPS: ath79: fix regression in PCI window initialization
- LP: #1592552
* sched/preempt: Fix preempt_count manipulations
- LP: #1592552
* tipc: fix nametable publication field in nl compat
- LP: #1592552
* sunrpc: Update RPCBIND_MAXNETIDLEN
- LP: #1592552
* batman-adv: fix skb deref after free
- LP: #1592552
* net: ehea: avoid null pointer dereference
- LP: #1592552
* tuntap: correctly wake up process during uninit
- LP: #1592552
* uapi glibc compat: fix compilation when !__USE_MISC in glibc
- LP: #1592552
* drivers/hwspinlock: use correct radix tree API
- LP: #1592552
* RDMA/cxgb3: device driver frees DMA memory with different size
- LP: #1592552
* Linux 4.2.8-ckt12
- LP: #1592552
* HID: core: prevent out-of-bound readings
- LP: #1579190
* mm: migrate dirty page without clear_page_dirty_for_io etc
- LP: #1581865
- CVE-2016-3070
-- Benjamin M Romer <benjamin.romer@xxxxxxxxxxxxx> Tue, 28 Jun 2016
14:57:26 -0400
** Changed in: linux (Ubuntu Wily)
Status: In Progress => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3070
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1566221
Title:
linux: Enforce signed module loading when UEFI secure boot
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
In Progress
Status in linux source package in Vivid:
Fix Released
Status in linux source package in Wily:
Fix Released
Status in linux source package in Xenial:
Fix Released
Status in linux source package in Yakkety:
Fix Released
Bug description:
This work is authorized by an approved UOS spec and blueprint at
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
Add code to implement secure boot checks. Unsigned or incorrectly
signed modules will continue to install while tainting the kernel
_until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse
for platforms booting in secure boot mode with a DKMS dependency is to
disable secure boot using mokutil:
    sudo mokutil --disable-validation
    sudo reboot
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions