{"id":"MGASA-2018-0347","summary":"Updated kernel-linus packages fix security vulnerabilities","details":"This kernel-linus update is based on the upstream 4.14.65 and adds fixes\nand mitigations for the now publically known security issue affecting\nIntel processors called L1 Terminal Fault (L1TF):\n\nSystems with microprocessors utilizing speculative execution and Intel\nSoftware Guard Extensions (Intel SGX) may allow unauthorized disclosure\nof information residing in the L1 data cache from an enclave to an\nattacker with local user access via side-channel analysis (CVE-2018-3615).\n\nSystems with microprocessors utilizing speculative execution and address\ntranslations may allow unauthorized disclosure of information residing in\nthe L1 data cache to an attacker with local user access via a terminal\npage fault and side-channel analysis (CVE-2018-3620).\n\nSystems with microprocessors utilizing speculative execution and address\ntranslations may allow unauthorized disclosure of information residing in\nthe L1 data cache to an attacker with local user access with guest OS\nprivilege via a terminal page fault and side-channel analysis\n(CVE-2018-3646).\n\nThe impact of the L1TF security issues:\n* Malicious applications may be able to infer the values of data in the\n  operating system memory, or data from other applications.\n* A malicious guest virtual machine (VM) may be able to infer the values\n  of data in the VMM’s memory, or values of data in the memory of other\n  guest VMs.\n* Malicious software running outside of SMM may be able to infer values\n  of data in SMM memory.\n* Malicious software running outside of an Intel® SGX enclave or within an\n  enclave may be able to infer data from within another Intel SGX enclave.\n\nNOTE! You also need to install the 0.20180807-1.mga6.nonfree microcode\nupdate (mga#23457) or a bios update from your hardware vendor containing\nthe updated microcodes to get all current set of fixes and mitigations\nfor L1TF.\n\nFor other upstream fixes in this update, see the referenced changelogs.\n","modified":"2026-04-16T06:24:05.185144154Z","published":"2018-08-19T11:24:54Z","upstream":["CVE-2018-3615","CVE-2018-3620","CVE-2018-3646"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0347.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23460"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23457"},{"type":"WEB","url":"https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault"},{"type":"ADVISORY","url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.63"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.64"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.65"}],"affected":[{"package":{"name":"kernel-linus","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/kernel-linus?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.14.65-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0347.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}