← Back to team overview

kernel-packages team mailing list archive

[Bug 1568523] Re: CVE-2016-3672

 

This bug was fixed in the package linux - 4.4.0-22.38

---------------
linux (4.4.0-22.38) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1573817

  * autoreconstruct: need to also generate extend-diff-ignore options for links
    (LP: #1574362)
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links

  * tipc: missing linearization of sk_buff (LP: #1567064)
    - tipc: move linearization of buffers to generic code

  * [Hyper-V] In-flight PCI Passthrough Patches (LP: #1570124)
    - SAUCE:(noup) drivers:hv: Lock access to hyperv_mmio resource tree
    - SAUCE:(noup) drivers:hv: Call vmbus_mmio_free() to reverse
      vmbus_mmio_allocate()
    - SAUCE:(noup) drivers:hv: Reverse order of resources in hyperv_mmio
    - SAUCE:(noup) drivers:hv: Track allocations of children of hv_vmbus in
      private resource tree
    - SAUCE:(noup) drivers:hv: Record MMIO range in use by frame buffer
    - SAUCE:(noup) drivers:hv: Separate out frame buffer logic when picking MMIO
      range

  * vbox: resync with 5.0.18-dfsg-2build1 (LP: #1571156)
    - ubuntu: vbox -- update to 5.0.18-dfsg-2build1

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * CVE-2016-3672 (LP: #1568523)
    - x86/mm/32: Enable full randomization on i386 and X86_32

  * CVE-2016-3955 (LP: #1572666)
    - USB: usbip: fix potential out-of-bounds write

  * Xenial update to v4.4.8 stable release (LP: #1573034)
    - hwmon: (max1111) Return -ENODEV from max1111_read_channel if not
      instantiated
    - PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
    - parisc: Avoid function pointers for kernel exception routines
    - parisc: Fix kernel crash with reversed copy_from_user()
    - parisc: Unbreak handling exceptions from kernel modules
    - ALSA: timer: Use mod_timer() for rearming the system timer
    - ALSA: hda - Asus N750JV external subwoofer fixup
    - ALSA: hda - Fix white noise on Asus N750JV headphone
    - ALSA: hda - Apply fix for white noise on Asus N550JV, too
    - mm: fix invalid node in alloc_migrate_target()
    - powerpc/mm: Fixup preempt underflow with huge pages
    - libnvdimm: fix smart data retrieval
    - libnvdimm, pfn: fix uuid validation
    - compiler-gcc: disable -ftracer for __noclone functions
    - arm64: opcodes.h: Add arm big-endian config options before including arm
      header
    - drm/dp: move hw_mutex up the call stack
    - drm/udl: Use unlocked gem unreferencing
    - drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
    - drm/radeon: add another R7 370 quirk
    - drm/radeon: add a dpm quirk for all R7 370 parts
    - drm/amdgpu/gmc: move vram type fetching into sw_init
    - drm/amdgpu/gmc: use proper register for vram type on Fiji
    - xen/events: Mask a moving irq
    - tcp: convert cached rtt from usec to jiffies when feeding initial rto
    - tunnel: Clear IPCB(skb)->opt before dst_link_failure called
    - net: jme: fix suspend/resume on JMC260
    - net: vrf: Remove direct access to skb->data
    - net: qca_spi: Don't clear IFF_BROADCAST
    - net: qca_spi: clear IFF_TX_SKB_SHARING
    - net: fix bridge multicast packet checksum validation
    - sctp: lack the check for ports in sctp_v6_cmp_addr
    - mld, igmp: Fix reserved tailroom calculation
    - tipc: Revert "tipc: use existing sk_write_queue for outgoing packet chain"
    - qmi_wwan: add Sierra Wireless EM74xx device ID
    - ipv6: re-enable fragment header matching in ipv6_find_hdr
    - vxlan: fix missing options_len update on RX with collect metadata
    - cdc_ncm: toggle altsetting to force reset before setup
    - udp6: fix UDP/IPv6 encap resubmit path
    - tcp: fix tcpi_segs_in after connection establishment
    - ppp: release rtnl mutex when interface creation fails
    - net: validate variable length ll headers
    - ax25: add link layer header validation function
    - packet: validate variable length ll headers
    - bpf: avoid copying junk bytes in bpf_get_current_comm()
    - sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
    - sh_eth: advance 'rxdesc' later in sh_eth_ring_format()
    - qlcnic: Remove unnecessary usage of atomic_t
    - qlcnic: Fix mailbox completion handling during spurious interrupt
    - macvtap: always pass ethernet header in linear
    - mlxsw: spectrum: Check requested ageing time is valid
    - rocker: set FDB cleanup timer according to lowest ageing time
    - bridge: allow zero ageing time
    - ipv4: Don't do expensive useless work during inetdev destroy.
    - net: Fix use after free in the recvmmsg exit path
    - mlx4: add missing braces in verify_qp_parameters
    - farsync: fix off-by-one bug in fst_add_one
    - ath9k: fix buffer overrun for ar9287
    - ppp: ensure file->private_data can't be overridden
    - tcp/dccp: remove obsolete WARN_ON() in icmp handlers
    - qlge: Fix receive packets drop.
    - net: bcmgenet: fix dma api length mismatch
    - bonding: fix bond_get_stats()
    - ipv4: fix broadcast packets reception
    - ipv4: initialize flowi4_flags before calling fib_lookup()
    - ppp: take reference on channels netns
    - xfrm: Fix crash observed during device unregistration and decryption
    - qmi_wwan: add "D-Link DWM-221 B1" device id
    - ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
    - bridge: Allow set bridge ageing time when switchdev disabled
    - rtnl: fix msg size calculation in if_nlmsg_size()
    - tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
    - tuntap: restore default qdisc
    - ipv4: l2tp: fix a potential issue in l2tp_ip_recv
    - ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
    - ip6_tunnel: set rtnl_link_ops before calling register_netdevice
    - ipv6: Count in extension headers in skb->network_header
    - mpls: find_outdev: check for err ptr in addition to NULL check
    - USB: uas: Limit qdepth at the scsi-host level
    - USB: uas: Add a new NO_REPORT_LUNS quirk
    - cdc-acm: fix NULL pointer reference
    - KVM: x86: Inject pending interrupt even if pending nmi exist
    - KVM: x86: reduce default value of halt_poll_ns parameter
    - MIPS: Fix MSA ld unaligned failure cases
    - pinctrl: pistachio: fix mfio84-89 function description and pinmux.
    - pinctrl: sh-pfc: only use dummy states for non-DT platforms
    - pinctrl: sunxi: Fix A33 external interrupts not working
    - pinctrl: nomadik: fix pull debug print inversion
    - pinctrl: freescale: imx: fix bogus check of of_iomap() return value
    - au0828: fix au0828_v4l2_close() dev_state race condition
    - au0828: Fix dev_state handling
    - coda: fix error path in case of missing pdata on non-DT platform
    - v4l: vsp1: Set the SRU CTRL0 register when starting the stream
    - pcmcia: db1xxx_ss: fix last irq_to_gpio user
    - rbd: use GFP_NOIO consistently for request allocations
    - virtio: virtio 1.0 cs04 spec compliance for reset
    - mac80211: properly deal with station hashtable insert errors
    - mac80211: avoid excessive stack usage in sta_info
    - mac80211: fix ibss scan parameters
    - mac80211: fix unnecessary frame drops in mesh fwding
    - mac80211: fix txq queue related crashes
    - usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
    - usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
    - usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()
    - iio: st_magn: always define ST_MAGN_TRIGGER_SET_STATE
    - iio: accel: bmc150: fix endianness when reading axes
    - iio: gyro: bmg160: fix buffer read values
    - iio: gyro: bmg160: fix endianness when reading axes
    - sd: Fix excessive capacity printing on devices with blocks bigger than 512
      bytes
    - fs: add file_dentry()
    - nfs: use file_dentry()
    - btrfs: fix crash/invalid memory access on fsync when using overlayfs
    - ext4: add lockdep annotations for i_data_sem
    - ext4: ignore quota mount options if the quota feature is enabled
    - iommu: Don't overwrite domain pointer when there is no default_domain
    - Btrfs: fix file/data loss caused by fsync after rename and new inode
    - arm64: replace read_lock to rcu lock in call_step_hook
    - perf: Do not double free
    - perf: Cure event->pending_disable race
    - mmc: sdhci-pci: Add support and PCI IDs for more Broxton host controllers
    - ALSA: hda - Fixup speaker pass-through control for nid 0x14 on ALC225
    - ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2
    - ALSA: hda/realtek - Enable the ALC292 dock fixup on the Thinkpad T460s
    - ALSA: usb-audio: Add a sample rate quirk for Phoenix Audio TMX320
    - ALSA: usb-audio: Add a quirk for Plantronics BT300
    - ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock
    - HID: wacom: fix Bamboo ONE oops
    - HID: usbhid: fix inconsistent reset/resume/reset-resume behavior
    - Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"
    - Revert "PCI: Add helpers to manage pci_dev->irq and pci_dev->irq_managed"
    - Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"
    - staging: android: ion: Set the length of the DMA sg entries in buffer
    - usbvision: fix crash on detecting device with invalid configuration
    - Revert "usb: hub: do not clear BOS field during reset device"
    - Linux 4.4.8

  * Fix speaker volume on a Dell machine (LP: #1549660)
    - ALSA: hda - Fixup speaker pass-through control for nid 0x14 on ALC225

  * Xenial update to v4.4.7 stable release (LP: #1572722)
    - regulator: core: avoid unused variable warning
    - regulator: core: Fix nested locking of supplies
    - ASoC: samsung: pass DMA channels as pointers
    - mmc: sh_mmcif: rework dma channel handling
    - mmc: sh_mmcif: Correct TX DMA channel allocation
    - x86/microcode/intel: Make early loader look for builtin microcode too
    - x86/microcode: Untangle from BLK_DEV_INITRD
    - x86/entry/compat: Keep TS_COMPAT set during signal delivery
    - perf/x86/intel: Add definition for PT PMI bit
    - x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs
    - KVM: i8254: change PIT discard tick policy
    - KVM: fix spin_lock_init order on x86
    - KVM: VMX: avoid guest hang on invalid invept instruction
    - KVM: VMX: avoid guest hang on invalid invvpid instruction
    - KVM: VMX: fix nested vpid for old KVM guests
    - perf/core: Fix perf_sched_count derailment
    - perf tools: Dont stop PMU parsing on alias parse error
    - perf tools: Fix checking asprintf return value
    - perf tools: Fix python extension build
    - sched/cputime: Fix steal_account_process_tick() to always return jiffies
    - sched/preempt, sh: kmap_coherent relies on disabled preemption
    - EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
    - s390: fix floating pointer register corruption (again)
    - s390/cpumf: add missing lpp magic initialization
    - pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing
    - PCI: Disable IO/MEM decoding for devices with non-compliant BARs
    - PCI: ACPI: IA64: fix IO port generic range check
    - x86/irq: Cure live lock in fixup_irqs()
    - x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt()
    - x86/iopl/64: Properly context-switch IOPL on Xen PV
    - x86/iopl: Fix iopl capability check on Xen PV
    - x86/mm: TLB_REMOTE_SEND_IPI should count pages
    - sg: fix dxferp in from_to case
    - aacraid: Fix RRQ overload
    - aacraid: Fix memory leak in aac_fib_map_free
    - aacraid: Set correct msix count for EEH recovery
    - sd: Fix discard granularity when LBPRZ=1
    - scsi: storvsc: fix SRB_STATUS_ABORTED handling
    - be2iscsi: set the boot_kset pointer to NULL in case of failure
    - aic7xxx: Fix queue depth handling
    - libnvdimm: Fix security issue with DSM IOCTL.
    - dm snapshot: disallow the COW and origin devices from being identical
    - dm: fix excessive dm-mq context switching
    - dm thin metadata: don't issue prefetches if a transaction abort has failed
    - dm cache: make sure every metadata function checks fail_io
    - dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request()
    - usb: retry reset if a device times out
    - usb: hub: fix a typo in hub_port_init() leading to wrong logic
    - USB: uas: Reduce can_queue to MAX_CMNDS
    - USB: cdc-acm: more sanity checking
    - USB: iowarrior: fix oops with malicious USB descriptors
    - USB: usb_driver_claim_interface: add sanity checking
    - USB: mct_u232: add sanity checking in probe
    - USB: digi_acceleport: do sanity checking for the number of ports
    - USB: cypress_m8: add endpoint sanity check
    - USB: serial: cp210x: Adding GE Healthcare Device ID
    - USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
    - USB: option: add "D-Link DWM-221 B1" device id
    - pwc: Add USB id for Philips Spc880nc webcam
    - Input: powermate - fix oops with malicious USB descriptors
    - ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
    - ALSA: usb-audio: Add sanity checks for endpoint accesses
    - ALSA: usb-audio: add Microsoft HD-5001 to quirks
    - ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
    - ALSA: usb-audio: Fix double-free in error paths after
      snd_usb_add_audio_stream() call
    - Bluetooth: btusb: Add new AR3012 ID 13d3:3395
    - Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
    - Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
    - crypto: ccp - Add hash state import and export support
    - crypto: ccp - Limit the amount of information exported
    - crypto: ccp - Don't assume export/import areas are aligned
    - crypto: ccp - memset request context to zero during import
    - crypto: keywrap - memzero the correct memory
    - crypto: atmel - fix checks of error code returned by devm_ioremap_resource()
    - crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()
    - crypto: marvell/cesa - forward devm_ioremap_resource() error code
    - X.509: Fix leap year handling again
    - mei: bus: check if the device is enabled before data transfer
    - HID: logitech: fix Dual Action gamepad support
    - HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
    - HID: multitouch: force retrieving of Win8 signature blob
    - HID: fix hid_ignore_special_drivers module parameter
    - staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg
    - staging: android: ion_test: fix check of platform_device_register_simple()
      error code
    - staging: comedi: ni_mio_common: fix the ni_write[blw]() functions
    - tty: Fix GPF in flush_to_ldisc(), part 2
    - net: irda: Fix use-after-free in irtty_open()
    - 8250: use callbacks to access UART_DLL/UART_DLM
    - saa7134: Fix bytesperline not being set correctly for planar formats
    - adv7511: TX_EDID_PRESENT is still 1 after a disconnect
    - bttv: Width must be a multiple of 16 when capturing planar formats
    - coda: fix first encoded frame payload
    - media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32
    - mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild
    - mtip32xx: Fix broken service thread handling
    - mtip32xx: Remove unwanted code from taskfile error handler
    - mtip32xx: Print exact time when an internal command is interrupted
    - mtip32xx: Fix for rmmod crash when drive is in FTL rebuild
    - mtip32xx: Handle safe removal during IO
    - mtip32xx: Handle FTL rebuild failure state during device initialization
    - mtip32xx: Implement timeout handler
    - mtip32xx: Cleanup queued requests after surprise removal
    - ALSA: pcm: Avoid "BUG:" string for warnings again
    - ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
    - ALSA: hda - Don't handle ELD notify from invalid port
    - ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO
    - ALSA: hda - Fix unconditional GPIO toggle via automute
    - tools/hv: Use include/uapi with __EXPORTED_HEADERS__
    - jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path
    - brd: Fix discard request processing
    - IB/srpt: Simplify srpt_handle_tsk_mgmt()
    - bcache: cleaned up error handling around register_cache()
    - bcache: fix race of writeback thread starting before complete initialization
    - bcache: fix cache_set_flush() NULL pointer dereference on OOM
    - mm: memcontrol: reclaim when shrinking memory.high below usage
    - mm: memcontrol: reclaim and OOM kill when shrinking memory.max below usage
    - ia64: define ioremap_uc()
    - watchdog: don't run proc_watchdog_update if new value is same as old
    - watchdog: rc32434_wdt: fix ioctl error handling
    - Bluetooth: Add new AR3012 ID 0489:e095
    - Bluetooth: Fix potential buffer overflow with Add Advertising
    - cgroup: ignore css_sets associated with dead cgroups during migration
    - net: mvneta: enable change MAC address when interface is up
    - of: alloc anywhere from memblock if range not specified
    - vfs: show_vfsstat: do not ignore errors from show_devname method
    - splice: handle zero nr_pages in splice_to_pipe()
    - xtensa: ISS: don't hang if stdin EOF is reached
    - xtensa: fix preemption in {clear,copy}_user_highpage
    - xtensa: clear all DBREAKC registers on start
    - ARC: [BE] readl()/writel() to work in Big Endian CPU configuration
    - ARC: bitops: Remove non relevant comments
    - quota: Fix possible GPF due to uninitialised pointers
    - xfs: fix two memory leaks in xfs_attr_list.c error paths
    - raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang
    - md/raid5: Compare apples to apples (or sectors to sectors)
    - RAID5: check_reshape() shouldn't call mddev_suspend
    - RAID5: revert e9e4c377e2f563 to fix a livelock
    - raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang
    - md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list
    - md: multipath: don't hardcopy bio in .make_request path
    - Revert "UBUNTU: SAUCE: (noup) fuse: Add reference counting for fuse_io_priv"
    - Revert "UBUNTU: SAUCE: (noup) fuse: do not use iocb after it may have been
      freed"
    - fuse: do not use iocb after it may have been freed
    - fuse: Add reference counting for fuse_io_priv
    - fs/coredump: prevent fsuid=0 dumps into user-controlled directories
    - rapidio/rionet: fix deadlock on SMP
    - ipr: Fix out-of-bounds null overwrite
    - ipr: Fix regression when loading firmware
    - iwlwifi: mvm: Fix paging memory leak
    - drm/radeon: disable runtime pm on PX laptops without dGPU power control
    - drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
    - drm/amdgpu: disable runtime pm on PX laptops without dGPU power control
    - drm/amdgpu: include the right version of gmc header files for iceland
    - IB/ipoib: fix for rare multicast join race condition
    - tracing: Have preempt(irqs)off trace preempt disabled functions
    - tracing: Fix crash from reading trace_pipe with sendfile
    - tracing: Fix trace_printk() to print when not using bprintk()
    - bitops: Do not default to __clear_bit() for __clear_bit_unlock()
    - scripts/coccinelle: modernize &
    - scripts/kconfig: allow building with make 3.80 again
    - kbuild/mkspec: fix grub2 installkernel issue
    - MAINTAINERS: Update mailing list and web page for hwmon subsystem
    - ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list
    - mmc: block: fix ABI regression of mmc_blk_ioctl
    - mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case
    - mmc: sdhci: fix data timeout (part 1)
    - mmc: sdhci: fix data timeout (part 2)
    - mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout
    - clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster
    - clk: rockchip: rk3368: fix cpuclk core dividers
    - clk: rockchip: rk3368: fix parents of video encoder/decoder
    - clk: rockchip: rk3368: fix hdmi_cec gate-register
    - clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks
    - clk: bcm2835: Fix setting of PLL divider clock rates
    - target: Fix target_release_cmd_kref shutdown comp leak
    - iser-target: Fix identification of login rx descriptor type
    - iser-target: Add new state ISER_CONN_BOUND to isert_conn
    - iser-target: Separate flows for np listeners and connections cma events
    - iser-target: Rework connection termination
    - nfsd4: fix bad bounds checking
    - nfsd: fix deadlock secinfo+readdir compound
    - ARM: dts: at91: sama5d3 Xplained: don't disable hsmci regulator
    - ARM: dts: at91: sama5d4 Xplained: don't disable hsmci regulator
    - ACPI / PM: Runtime resume devices when waking from hibernate
    - writeback, cgroup: fix premature wb_put() in
      locked_inode_to_wb_and_lock_list()
    - writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the
      inode
    - Revert "UBUNTU: SAUCE: (noup) Input: synaptics - handle spurious release of
      trackstick buttons, again"
    - Input: synaptics - handle spurious release of trackstick buttons, again
    - Input: ims-pcu - sanity check against missing interfaces
    - Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
    - ocfs2/dlm: fix race between convert and recovery
    - ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
    - mm/page_alloc: prevent merging between isolated and other pageblocks
    - mtd: onenand: fix deadlock in onenand_block_markbad
    - PM / sleep: Clear pm_suspend_global_flags upon hibernate
    - scsi_common: do not clobber fixed sense information
    - sched/cputime: Fix steal time accounting vs. CPU hotplug
    - perf/x86/pebs: Add workaround for broken OVFL status on HSW+
    - perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi
    - perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
    - Linux 4.4.7

  * QCA9565 / AR9565 bluetooth not work (LP: #1542944)
    - Bluetooth: Add new AR3012 ID 0489:e095

  * The mic mute key and led can't work on a Lenovo AIO machine (LP: #1555912)
    - ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO

  * 13d3:3472 bluetooth not working, 4.2 low latency kernel 14.04.1 on asus ROG
    gl552jx (LP: #1552925)
    - Bluetooth: btusb: Add a new AR3012 ID 13d3:3472

  * Bluetooth cannot detect other devices (Lite-on 3014 + Atheros AR9565)
    (LP: #1546694)
    - Bluetooth: btusb: Add a new AR3012 ID 04ca:3014

  * Atheros AR9462 Bluetooth cannot detect other devices  (LP: #1542564)
    - Bluetooth: btusb: Add new AR3012 ID 13d3:3395

  * s390/pci: add extra padding to function measurement block (LP: #1572291)
    - s390/pci: add extra padding to function measurement block

  * CVE-2016-3951 (LP: #1567191)
    - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
    - usbnet: cleanup after bind() in probe()

  * linux: Add UEFI keyring for externally signed modules (LP: #1569924)
    - efi: Remove redundant efi_set_variable_nonblocking() prototype
    - efi/runtime-wrappers: Add a nonblocking version of QueryVariableInfo()
    - efi: Add nonblocking option to efi_query_variable_store()
    - efi: Add NV memory attribute
    - efi: Reformat GUID tables to follow the format in UEFI spec
    - efi: stub: implement efi_get_random_bytes() based on EFI_RNG_PROTOCOL
    - SAUCE: (noup) Add EFI signature data types
    - crypto: KEYS: convert public key and digsig asym to the akcipher api
    - [Config] CONFIG_EFI_SIGNATURE_LIST_PARSER=y
    - SAUCE: (noup) Add an EFI signature blob parser and key loader.
    - [Config] CONFIG_IMA_MOK_KEYRING=y
    - IMA: create machine owner and blacklist keyrings
    - KEYS: Add an alloc flag to convey the builtinness of a key
    - [Config] CONFIG_MODULE_SIG_UEFI=y, CONFIG_SYSTEM_BLACKLIST_KEYRING=y
    - SAUCE: (noup) KEYS: Add a system blacklist keyring
    - SAUCE: (noup) MODSIGN: Support not importing certs from db

  * Miscellaneous Ubuntu changes
    - [Config] CONFIG_PUBLIC_KEY_ALGO_RSA=y

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Sun, 24 Apr 2016 12:12:13 -0700


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3951

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3955

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1568523

Title:
  CVE-2016-3672

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-snapdragon package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  New
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  New
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux-lts-vivid source package in Trusty:
  New
Status in linux-lts-wily source package in Trusty:
  New
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  New
Status in linux-armadaxp source package in Vivid:
  New
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  New
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  New
Status in linux-snapdragon source package in Wily:
  Invalid
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  Invalid
Status in linux-raspi2 source package in Xenial:
  Fix Committed
Status in linux-snapdragon source package in Xenial:
  Fix Committed
Status in linux-ti-omap4 source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  Fix Committed
Status in linux-armadaxp source package in Yakkety:
  Invalid
Status in linux-flo source package in Yakkety:
  New
Status in linux-goldfish source package in Yakkety:
  New
Status in linux-lts-quantal source package in Yakkety:
  Invalid
Status in linux-lts-raring source package in Yakkety:
  Invalid
Status in linux-lts-saucy source package in Yakkety:
  Invalid
Status in linux-lts-trusty source package in Yakkety:
  Invalid
Status in linux-lts-utopic source package in Yakkety:
  Invalid
Status in linux-lts-vivid source package in Yakkety:
  Invalid
Status in linux-lts-wily source package in Yakkety:
  Invalid
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux-mako source package in Yakkety:
  New
Status in linux-manta source package in Yakkety:
  Invalid
Status in linux-raspi2 source package in Yakkety:
  New
Status in linux-snapdragon source package in Yakkety:
  New
Status in linux-ti-omap4 source package in Yakkety:
  Invalid

Bug description:
  The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux
  kernel through 4.5.2 does not properly randomize the legacy base
  address, which makes it easier for local users to defeat the intended
  restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR
  protection mechanism for a setuid or setgid program, by disabling
  stack-consumption resource limits.

  Break-Fix: - 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1568523/+subscriptions


References