This bug was fixed in the package linux - 5.3.0-17.18
---------------
linux (5.3.0-17.18) eoan; urgency=medium
* eoan/linux: 5.3.0-17.18 -proposed tracker (LP: #1846641)
* CVE-2019-17056
- nfc: enforce CAP_NET_RAW for raw sockets
* CVE-2019-17055
- mISDN: enforce CAP_NET_RAW for raw sockets
* CVE-2019-17054
- appletalk: enforce CAP_NET_RAW for raw sockets
* CVE-2019-17053
- ieee802154: enforce CAP_NET_RAW for raw sockets
* CVE-2019-17052
- ax25: enforce CAP_NET_RAW for raw sockets
* CVE-2019-15098
- ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
* xHCI on AMD Stoney Ridge cannot detect USB 2.0 or 1.1 devices.
(LP: #1846470)
- x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
* Re-enable linux-libc-dev build on i386 (LP: #1846508)
- [Packaging] Build only linux-libc-dev for i386
- [Debian] final-checks -- ignore archtictures with no binaries
* arm64: loop on boot after installing linux-generic-hwe-18.04-edge/bionic-
proposed (LP: #1845820)
- [Config] Disable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT
* Revert ESE DASD discard support (LP: #1846219)
- SAUCE: Revert "s390/dasd: Add discard support for ESE volumes"
* Miscellaneous Ubuntu changes
- update dkms package versions
linux (5.3.0-16.17) eoan; urgency=medium
* eoan/linux: 5.3.0-16.17 -proposed tracker (LP: #1846204)
* zfs fails to build on s390x with debug symbols enabled (LP: #1846143)
- SAUCE: s390: Mark atomic const ops always inline
linux (5.3.0-15.16) eoan; urgency=medium
* eoan/linux: 5.3.0-15.16 -proposed tracker (LP: #1845987)
* Drop i386 build for 19.10 (LP: #1845714)
- [Packaging] Remove x32 arch references from control files
- [Debian] final-checks -- Get arch list from debian/control
* ZFS kernel modules lack debug symbols (LP: #1840704)
- [Debian] Fix conditional for setting zfs debug package path
* Use pyhon3-sphinx instead of python-sphinx for building html docs
(LP: #1845808)
- [Packaging] Update sphinx build dependencies to python3 packages
* Kernel panic with 19.10 beta image (LP: #1845454)
- efi/tpm: Don't access event->count when it isn't mapped.
- efi/tpm: don't traverse an event log with no events
- efi/tpm: only set efi_tpm_final_log_size after successful event log
parsing
linux (5.3.0-14.15) eoan; urgency=medium
* eoan/linux: 5.3.0-14.15 -proposed tracker (LP: #1845728)
* Drop i386 build for 19.10 (LP: #1845714)
- [Debian] Remove support for producing i386 kernels
- [Debian] Don't use CROSS_COMPILE for i386 configs
* udevadm trigger will fail when trying to add /sys/devices/vio/
(LP: #1845572)
- SAUCE: powerpc/vio: drop bus_type from parent device
* Trying to online dasd drive results in invalid input/output from the kernel
on z/VM (LP: #1845323)
- SAUCE: s390/dasd: Fix error handling during online processing
* intel-lpss driver conflicts with write-combining MTRR region (LP: #1845584)
- SAUCE: mfd: intel-lpss: add quirk for Dell XPS 13 7390 2-in-1
* Support Hi1620 zip hw accelerator (LP: #1845355)
- [Config] Enable HiSilicon QM/ZIP as modules
- crypto: hisilicon - add queue management driver for HiSilicon QM module
- crypto: hisilicon - add hardware SGL support
- crypto: hisilicon - add HiSilicon ZIP accelerator support
- crypto: hisilicon - add SRIOV support for ZIP
- Documentation: Add debugfs doc for hisi_zip
- crypto: hisilicon - add debugfs for ZIP and QM
- MAINTAINERS: add maintainer for HiSilicon QM and ZIP controller driver
- crypto: hisilicon - fix kbuild warnings
- crypto: hisilicon - add dependency for CRYPTO_DEV_HISI_ZIP
- crypto: hisilicon - init curr_sgl_dma to fix compile warning
- crypto: hisilicon - add missing single_release
- crypto: hisilicon - fix error handle in hisi_zip_create_req_q
- crypto: hisilicon - Fix warning on printing %p with dma_addr_t
- crypto: hisilicon - Fix return value check in hisi_zip_acompress()
- crypto: hisilicon - avoid unused function warning
* SafeSetID LSM should be built but disabled by default (LP: #1845391)
- LSM: SafeSetID: Stop releasing uninitialized ruleset
- [Config] Build SafeSetID LSM but don't enable it by default
* CONFIG_LSM should not specify loadpin since it is not built (LP: #1845383)
- [Config] loadpin shouldn't be in CONFIG_LSM
* Add new pci-id's for CML-S, ICL (LP: #1845317)
- drm/i915/icl: Add missing device ID
- drm/i915/cml: Add Missing PCI IDs
* Thunderbolt support for ICL (LP: #1844680)
- thunderbolt: Correct path indices for PCIe tunnel
- thunderbolt: Move NVM upgrade support flag to struct icm
- thunderbolt: Use 32-bit writes when writing ring producer/consumer
- thunderbolt: Do not fail adding switch if some port is not implemented
- thunderbolt: Hide switch attributes that are not set
- thunderbolt: Expose active parts of NVM even if upgrade is not supported
- thunderbolt: Add support for Intel Ice Lake
- ACPI / property: Add two new Thunderbolt property GUIDs to the list
* Ubuntu 19.10 - Additional PCI patch and fix (LP: #1844668)
- s390/pci: fix MSI message data
* Enhanced Hardware Support - Finalize Naming (LP: #1842774)
- s390: add support for IBM z15 machines
- [Config] CONFIG_MARCH_Z15=n, CONFIG_TUNE_Z15=n
* Eoan update: v5.3.1 upstream stable release (LP: #1845642)
- USB: usbcore: Fix slab-out-of-bounds bug during device reset
- media: tm6000: double free if usb disconnect while streaming
- phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current
- ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit
- net/sched: fix race between deactivation and dequeue for NOLOCK qdisc
- net_sched: let qdisc_put() accept NULL pointer
- udp: correct reuseport selection with connected sockets
- xen-netfront: do not assume sk_buff_head list is empty in error handling
- net: dsa: Fix load order between DSA drivers and taggers
- net: stmmac: Hold rtnl lock in suspend/resume callbacks
- KVM: coalesced_mmio: add bounds checking
- Documentation: sphinx: Add missing comma to list of strings
- firmware: google: check if size is valid when decoding VPD data
- serial: sprd: correct the wrong sequence of arguments
- tty/serial: atmel: reschedule TX after RX was started
- nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
- Revert "arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}"
- ovl: fix regression caused by overlapping layers detection
- phy: qcom-qmp: Correct ready status, again
- floppy: fix usercopy direction
- media: technisat-usb2: break out of loop at end of buffer
- Linux 5.3.1
* ZFS kernel modules lack debug symbols (LP: #1840704)
- [Debian]: Remove hardcoded $(pkgdir) in debug symbols handling
- [Debian]: Handle debug symbols for modules in extras too
- [Debian]: Check/link modules with debug symbols after DKMS modules
- [Debian]: Warn about modules without debug symbols
- [Debian]: dkms-build: new parameter for debug package directory
- [Debian]: dkms-build: zfs: support for debug symbols
- [Debian]: dkms-build: Avoid executing post-processor scripts twice
- [Debian]: dkms-build: Move zfs special-casing into configure script
* /proc/self/maps paths missing on live session (was vlc won't start; eoan
19.10 & bionic 18.04 ubuntu/lubuntu/kubuntu/xubuntu/ubuntu-mate dailies)
(LP: #1842382)
- SAUCE: Revert "UBUNTU: SAUCE: shiftfs: enable overlayfs on shiftfs"
-- Seth Forshee <seth.fors...@canonical.com> Thu, 03 Oct 2019 16:57:05
-0500
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-15098
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17052
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17053
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17054
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17055
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17056
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1845391
Title:
SafeSetID LSM should be built but disabled by default
Status in linux package in Ubuntu:
Fix Released
Bug description:
The SafeSetID LSM is unlikely to be useful, by default, for a general
purpose OS but a system integrator may want to make use of it in
certain cases. We should build SafeSetID but not enable it by default
in Ubuntu. The LSM can be put to use using the lsm= kernel boot
parameter. For example, lsm=capability,yama,safesetid,apparmor could
be specified to make use of SafeSetID in addition to the LSMs that we
use by default in Ubuntu 19.10.
You can verify that it is enabled by reading the lsm file in
securityfs:
$ cat /sys/kernel/security/lsm
capability,yama,safesetid,apparmor
Documentation on configuring SafeSetID can be found here:
https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1845391/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
