{"id":"MGASA-2023-0237","summary":"Updated kernel packages fix security vulnerabilities","details":"This kernel update is based on upstream 5.15.120 and fixes atleast\nthe following security issues:\n\nA flaw null pointer dereference in the Linux kernel DECnet networking\nprotocol was found. A remote user could use this flaw to crash the\nsystem. This is fixed by removing DECnet support (CVE-2023-3338).\n\nA use-after-free vulnerability was found in the Linux kernel's netfilter\nsubsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with\nNFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same\ntransaction causing a use-after-free vulnerability. This flaw allows a\nlocal attacker with user access to cause a privilege escalation issue\n(CVE-2023-3390).\n\nLinux Kernel nftables Use-After-Free Local Privilege Escalation\nVulnerability; nft_chain_lookup_byid() failed to check whether a chain\nwas active and CAP_NET_ADMIN is in any user or network namespace \n(CVE-2023-31248).\n\nLinux Kernel nftables Out-Of-Bounds Read/Write Vulnerability;\nnft_byteorder poorly handled vm register contents when CAP_NET_ADMIN\nis in any user or network namespace (CVE-2023-35001).\n\nNOTE!!\nThis kernel also contains a fix for dkms builds hanging / stalling during\nupgrade to Mageia 9 (mga#31982) due to the new make 4.4 series utility\nending up in a loop processing Makefile in kernel-devel packages.\nSo if you use dkms packaged drivers, you need to be running this kernel\n(or any later released ones) before you do an online upgrade to avoid the\nupgrade stalling / hanging.\n\nFor other upstream fixes in this update, see the referenced changelogs.\n","modified":"2026-04-16T04:44:24.810796225Z","published":"2023-07-19T19:53:31Z","upstream":["CVE-2023-31248","CVE-2023-3338","CVE-2023-3390","CVE-2023-35001"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0237.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32093"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31982"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.118"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.119"},{"type":"WEB","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.120"}],"affected":[{"package":{"name":"kernel","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kernel?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.120-2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0237.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.8-1.12.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0237.json"}},{"package":{"name":"kmod-xtables-addons","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kmod-xtables-addons?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.23-1.22.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0237.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}