group.of.nepali.translators team mailing list archive

[Bug 1884159] Re: Update lockdown patches

 

This bug was fixed in the package linux - 4.15.0-112.113

---------------
linux (4.15.0-112.113) bionic; urgency=medium

  * bionic/linux: 4.15.0-112.113 -proposed tracker (LP: #1887048)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2020-11935
    - SAUCE: aufs: do not call i_readcount_inc()
    - SAUCE: aufs: bugfix, IMA i_readcount

  * CVE-2020-10757
    - mm: Fix mremap not considering huge pmd devmap

  * Update lockdown patches (LP: #1884159)
    - efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
    - efi: Restrict efivar_ssdt_load when the kernel is locked down
    - powerpc/xmon: add read-only mode
    - powerpc/xmon: Restrict when kernel is locked down
    - [Config] CONFIG_XMON_DEFAULT_RO_MODE=y
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server
      flavours

 -- Khalid Elmously <khalid.elmously@xxxxxxxxxxxxx>  Thu, 09 Jul 2020 19:13:37 -0400

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10757

https://bugs.launchpad.net/bugs/1884159

Title:
  Update lockdown patches

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-oem-osp1 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux-oem-osp1 source package in Bionic:
  Fix Committed
Status in linux source package in Eoan:
  Fix Committed
Status in linux source package in Focal:
  Fix Released

Bug description:
  Impact: The lockdown patches have evolved over time, and part of this
  was restricting more areas of the kernel. Not all of these additions
  were backported, and some can lead to lockdown bypasses, see [1] and
  [2].

  Fix: Backport newer lockdown restrictions to older releases.

  Test Case: Test cases for most of the backports can be found at [3],
  and [4] is another test case. Some which need e.g. specific hardware
  to test have not been tested.

  Regression Potential: Most of these are small, simple fixes with low
  potential for regression. Users may also lose access to some
  functionality previously accessible under secure boot. Some changes
  are more substantial, especially the hw_param and debugfs changes for
  xenial, but they are based on well-tested upstream code. The xmon
  backports also carry a more moderate risk of regression.

  [1] https://lists.ubuntu.com/archives/kernel-team/2020-June/111050.html
  [2] https://lore.kernel.org/lkml/20200615104332.901519-1-Jason@xxxxxxxxx/
  [3] https://git.launchpad.net/~sforshee/+git/lockdown-tests
  [4] https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh
