{"id":"USN-4369-2","summary":"linux, linux-raspi2, linux-raspi2-5.3 regression","details":"USN-4369-1 fixed vulnerabilities in the 5.3 Linux kernel. Unfortunately,\nthat update introduced a regression in overlayfs. This update corrects\nthe problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that the btrfs implementation in the Linux kernel did not\n properly detect that a block was marked dirty in some situations. An\n attacker could use this to specially craft a file system image that, when\n unmounted, could cause a denial of service (system crash). (CVE-2019-19377)\n\n Tristan Madani discovered that the file locking implementation in the Linux\n kernel contained a race condition. A local attacker could possibly use this\n to cause a denial of service or expose sensitive information.\n (CVE-2019-19769)\n\n It was discovered that the Serial CAN interface driver in the Linux kernel\n did not properly initialize data. A local attacker could use this to expose\n sensitive information (kernel memory). (CVE-2020-11494)\n\n It was discovered that the linux kernel did not properly validate certain\n mount options to the tmpfs virtual memory file system. A local attacker\n with the ability to specify mount options could use this to cause a denial\n of service (system crash). (CVE-2020-11565)\n\n It was discovered that the OV51x USB Camera device driver in the Linux\n kernel did not properly validate device metadata. A physically proximate\n attacker could use this to cause a denial of service (system crash).\n (CVE-2020-11608)\n\n It was discovered that the STV06XX USB Camera device driver in the Linux\n kernel did not properly validate device metadata. A physically proximate\n attacker could use this to cause a denial of service (system crash).\n (CVE-2020-11609)\n\n It was discovered that the Xirlink C-It USB Camera device driver in the\n Linux kernel did not properly validate device metadata. A physically\n proximate attacker could use this to cause a denial of service (system\n crash). (CVE-2020-11668)\n\n It was discovered that the block layer in the Linux kernel contained a race\n condition leading to a use-after-free vulnerability. A local attacker could\n possibly use this to cause a denial of service (system crash) or execute\n arbitrary code. (CVE-2020-12657)\n","modified":"2026-02-10T04:41:50Z","published":"2020-05-28T22:34:51Z","references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4369-2"},{"type":"REPORT","url":"https://launchpad.net/bugs/1879690"}],"affected":[{"package":{"name":"linux-raspi2-5.3","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/linux-raspi2-5.3@5.3.0-1026.28~18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.3.0-1026.28~18.04.1"}]}],"versions":["5.3.0-1017.19~18.04.1","5.3.0-1018.20~18.04.1","5.3.0-1019.21~18.04.1","5.3.0-1021.23~18.04.1","5.3.0-1022.24~18.04.1","5.3.0-1023.25~18.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"linux-buildinfo-5.3.0-1026-raspi2","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-headers-5.3.0-1026-raspi2","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-image-5.3.0-1026-raspi2","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-modules-5.3.0-1026-raspi2","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-raspi2-5.3-headers-5.3.0-1026","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-raspi2-5.3-tools-5.3.0-1026","binary_version":"5.3.0-1026.28~18.04.1"},{"binary_name":"linux-tools-5.3.0-1026-raspi2","binary_version":"5.3.0-1026.28~18.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4369-2.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:18.04:LTS"}}}],"schema_version":"1.7.3"}