Here is the edited output of canonical-livepatch command with the buggy output.
I am not able to verify if the kernel is really patched for this CVE.
Later follows the complete output of commands:
snap info canonical-livepatch
canonical-livepatch status --verbose
lsb_release -a
uname -a
journalctl -t canonical-livepatch
snap interfaces
dmesg
________________________________________________________________________________
root@efk:~# canonical-livepatch status --verbose | less
client-version: 9.5.5
architecture: x86_64
cpu-model: Intel(R) Xeon(R) CPU E7-4850 v3 @ 2.20GHz
last-check: 2020-11-25T15:45:02+01:00
boot-time: 2020-05-11T22:34:40Z
uptime: 4744h45m25s
status:
- kernel: 4.15.0-99.100-generic
running: true
livepatch:
checkState: checked
patchState: applied
version: "73.1"
fixes: |-
.
.
.
* CVE-2020-2732
A flaw was discovered in the way that the KVM hypervisor handled
instruction emulation for an L2 guest when nested virtualisation is
enabled. Under some circumstances, an L2 guest may trick the L0 guest
into accessing sensitive L1 resources that should be inaccessible to
the L2 guest." "** RESERVED cvelist lib tardir usr This candidate has
been reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
.
.
.
______________________________________________________________________________
root@efk:~# snap info canonical-livepatch
name: canonical-livepatch
summary: Canonical Livepatch Client
publisher: Canonical✓
store-url: https://snapcraft.io/canonical-livepatch
contact: <email address hidden>
license: unset
description: |
Canonical Livepatch Client
commands:
- canonical-livepatch
services:
canonical-livepatch.canonical-livepatchd: simple, enabled, active
snap-id: b96UJ4vttpNhpbaCWctVzfduQcPwQ5wn
tracking: latest/stable
refresh-date: 2020-03-16
channels:
latest/stable: 9.5.5 2020-03-16 (95) 9MB -
latest/candidate: ↑
latest/beta: ↑
latest/edge: 9.5.5 2020-03-16 (95) 9MB -
installed: 9.5.5 (95) 9MB -
root@efk:~#
root@efk:~# canonical-livepatch status --verbose
last check: 38 minutes ago
kernel: 4.15.0-99.100-generic
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 73.1
client version: 9.5.5
architecture: x86_64
cpu model: Intel(R) Xeon(R) CPU E7-4850 v3 @ 2.20GHz
boot time: 6 months ago
fixes:
* cve-2013-1798
The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux
kernel through 3.8.4 does not properly handle a certain combination of
invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which
allows guest OS users to obtain sensitive information from host OS
memory or cause a denial of service (host OS OOPS) via a crafted
application.
* cve-2019-0155
Insufficient access control in a subsystem for Intel (R) processor
graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)
Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold
Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series;
Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R)
Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families;
Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or
26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux
Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11,
4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to
potentially enable escalation of privilege via local access.
* cve-2019-0155:
LP bug: 1852141
* cve-2019-14615
Insufficient control flow in certain data structures for some Intel(R)
Processors with Intel(R) Processor Graphics may allow an
unauthenticated user to potentially enable information disclosure via
local access.
* cve-2019-14895
A heap-based buffer overflow was discovered in the Linux kernel, all
versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver.
The flaw could occur when the station attempts a connection negotiation
during the handling of the remote devices country settings. This could
allow the remote device to cause a denial of service (system crash) or
possibly execute arbitrary code.
* cve-2019-14896
A heap-based buffer overflow vulnerability was found in the Linux
kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote
attacker could cause a denial of service (system crash) or, possibly
execute arbitrary code, when the lbs_ibss_join_existing function is
called after a STA connects to an AP.
* cve-2019-14897
A stack-based buffer overflow was found in the Linux kernel, version
kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to
cause a denial of service (system crash) or, possibly execute arbitrary
code, when a STA works in IBSS mode (allows connecting stations
together without the use of an AP) and connects to another STA.
* cve-2019-14901
A heap overflow flaw was found in the Linux kernel, all versions 3.x.x
and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability
allows a remote attacker to cause a system crash, resulting in a denial
of service, or execute arbitrary code. The highest threat with this
vulnerability is with the availability of the system. If code execution
occurs, the code will run with the permissions of root. This will
affect both confidentiality and integrity of files on the system.
* cve-2019-18885
fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a
btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs
image because fs_devices->devices is mishandled within find_device, aka
CID-09ba3bc9dd15.
* cve-2019-19642
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS
02.68, the Virtual Media feature allows OS Command Injection by
authenticated attackers who can send HTTP requests to the IPMI IP
address. This requires a POST to /rpc/setvmdrive.asp with shell
metacharacters in ShareHost or ShareName. The attacker can achieve a
persistent backdoor.
* cve-2019-20096
In the Linux kernel before 5.1, there is a memory leak in
__feat_register_sp() in net/dccp/feat.c, which may cause denial of
service, aka CID-1d3ff0950e2b.
* cve-2019-3016
In a Linux KVM guest that has PV TLB enabled, a process in the guest
kernel may be able to read memory locations from another process in the
same guest. This problem is limit to the host running linux kernel 4.10
with a guest running linux kernel 4.16 or later. The problem mainly
affects AMD processors but Intel CPUs cannot be ruled out.
* cve-2020-10757
A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the
way mremap handled DAX Huge Pages. This flaw allows a local attacker
with access to a DAX enabled storage to escalate their privileges on
the system.
* cve-2020-11494
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the
Linux kernel through 5.6.2. It allows attackers to read uninitialized
can_frame data, potentially containing sensitive information from
kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL,
aka CID-b9258a2cece4.
* cve-2020-11935
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-12114
A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x
before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x
before 4.19.119, and 5.x before 5.3 allows local users to cause a
denial of service (panic) by corrupting a mountpoint reference counter.
* cve-2020-12351
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-12352
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-14386
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption
can be exploited to gain root privileges from unprivileged processes.
The highest threat from this vulnerability is to data confidentiality
and integrity.
* cve-2020-14416
In the Linux kernel before 5.4.16, a race condition in tty->disc_data
handling in the slip and slcan line discipline could lead to a
use-after-free, aka CID-0ace17d56824. This affects
drivers/net/slip/slip.c and drivers/net/can/slcan.c.
* cve-2020-16119
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-16120
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-24490
cvelist lib tardir usr RESERVED cvelist lib tardir usr This candidate
has been reserved by an organization or individual that will use it
when announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-2732
A flaw was discovered in the way that the KVM hypervisor handled
instruction emulation for an L2 guest when nested virtualisation is
enabled. Under some circumstances, an L2 guest may trick the L0 guest
into accessing sensitive L1 resources that should be inaccessible to
the L2 guest." "** RESERVED cvelist lib tardir usr This candidate has
been reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided." "**
RESERVED cvelist lib tardir usr This candidate has been reserved by an
organization or individual that will use it when announcing a new
security problem. When the candidate has been publicized, the details
for this candidate will be provided." "** RESERVED cvelist lib tardir
usr This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided." "** RESERVED cvelist lib tardir usr This candidate has been
reserved by an organization or individual that will use it when
announcing a new security problem. When the candidate has been
publicized, the details for this candidate will be provided.
* cve-2020-8647
There is a use-after-free vulnerability in the Linux kernel through
5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.
* cve-2020-8648
There is a use-after-free vulnerability in the Linux kernel through
5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.
* cve-2020-8649
There is a use-after-free vulnerability in the Linux kernel through
5.5.2 in the vgacon_invert_region function in
drivers/video/console/vgacon.c.
root@efk:~#
root@efk:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
root@efk:~#
root@efk:~# uname -a
Linux efk 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@efk:~# journalctl -t canonical-livepatch
Nov 25 02:45:11 efk canonical-livepatch[740]: Client.Check
Nov 25 02:45:11 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 02:45:12 efk canonical-livepatch[740]: Updated last-check.
Nov 25 02:45:12 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 02:45:12 efk canonical-livepatch[740]: Module already inserted.
Nov 25 03:31:38 efk canonical-livepatch[740]: Client.Check
Nov 25 03:31:38 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 03:31:39 efk canonical-livepatch[740]: Updated last-check.
Nov 25 03:31:39 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 03:31:39 efk canonical-livepatch[740]: Module already inserted.
Nov 25 04:19:41 efk canonical-livepatch[740]: Client.Check
Nov 25 04:19:41 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 04:19:41 efk canonical-livepatch[740]: Updated last-check.
Nov 25 04:19:41 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 04:19:41 efk canonical-livepatch[740]: Module already inserted.
Nov 25 05:29:08 efk canonical-livepatch[740]: Client.Check
Nov 25 05:29:08 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 05:29:08 efk canonical-livepatch[740]: Updated last-check.
Nov 25 05:29:08 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 05:29:08 efk canonical-livepatch[740]: Module already inserted.
Nov 25 06:20:48 efk canonical-livepatch[740]: Client.Check
Nov 25 06:20:48 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 06:20:49 efk canonical-livepatch[740]: Updated last-check.
Nov 25 06:20:49 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 06:20:49 efk canonical-livepatch[740]: Module already inserted.
Nov 25 07:24:19 efk canonical-livepatch[740]: Client.Check
Nov 25 07:24:19 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 07:24:19 efk canonical-livepatch[740]: Updated last-check.
Nov 25 07:24:19 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 07:24:19 efk canonical-livepatch[740]: Module already inserted.
Nov 25 08:18:44 efk canonical-livepatch[740]: Client.Check
Nov 25 08:18:44 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 08:18:44 efk canonical-livepatch[740]: Updated last-check.
Nov 25 08:18:44 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 08:18:44 efk canonical-livepatch[740]: Module already inserted.
Nov 25 09:19:27 efk canonical-livepatch[740]: Client.Check
Nov 25 09:19:27 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 09:19:27 efk canonical-livepatch[740]: Updated last-check.
Nov 25 09:19:27 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 09:19:27 efk canonical-livepatch[740]: Module already inserted.
Nov 25 10:14:30 efk canonical-livepatch[740]: Client.Check
Nov 25 10:14:30 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 10:14:31 efk canonical-livepatch[740]: Updated last-check.
Nov 25 10:14:31 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 10:14:31 efk canonical-livepatch[740]: Module already inserted.
Nov 25 11:18:56 efk canonical-livepatch[740]: Client.Check
Nov 25 11:18:56 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 11:18:56 efk canonical-livepatch[740]: Updated last-check.
Nov 25 11:18:56 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 11:18:56 efk canonical-livepatch[740]: Module already inserted.
Nov 25 12:29:40 efk canonical-livepatch[740]: Client.Check
Nov 25 12:29:40 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 12:29:40 efk canonical-livepatch[740]: Updated last-check.
Nov 25 12:29:40 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 12:29:40 efk canonical-livepatch[740]: Module already inserted.
Nov 25 13:42:12 efk canonical-livepatch[740]: Client.Check
Nov 25 13:42:12 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 13:42:12 efk canonical-livepatch[740]: Updated last-check.
Nov 25 13:42:12 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 13:42:12 efk canonical-livepatch[740]: Module already inserted.
Nov 25 14:33:41 efk canonical-livepatch[740]: Client.Check
Nov 25 14:33:41 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 14:33:41 efk canonical-livepatch[740]: Updated last-check.
Nov 25 14:33:41 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 14:33:41 efk canonical-livepatch[740]: Module already inserted.
Nov 25 15:45:02 efk canonical-livepatch[740]: Client.Check
Nov 25 15:45:02 efk canonical-livepatch[740]: Checking with livepatch service.
Nov 25 15:45:02 efk canonical-livepatch[740]: Updated last-check.
Nov 25 15:45:02 efk canonical-livepatch[740]: No updates available at this time.
Nov 25 15:45:02 efk canonical-livepatch[740]: Module already inserted.
lines 21715-21784/21784 (END)
root@efk:~# snap interfaces | less
:accounts-service -
:adb-support -
:alsa -
:appstream-metadata -
:audio-playback -
:audio-record -
:autopilot-introspection -
:avahi-control -
:avahi-observe -
:block-devices -
:bluetooth-control -
:bluez -
:broadcom-asic-control -
:browser-support -
:calendar-service -
:camera -
:can-bus -
:cifs-mount -
:classic-support -
:contacts-service -
:core-support -
:cpu-control -
:cups-control -
:daemon-notify -
:dcdbas-control -
:desktop -
:desktop-legacy -
:device-buttons -
:display-control -
:docker-support -
:dvb -
:firewall-control -
:framebuffer -
:fuse-support -
:fwupd
'snap interfaces' is deprecated; use 'snap connections'.
-
:gconf -
:gpg-keys -
:gpg-public-keys -
:gpio-control -
:gpio-memory-control -
:greengrass-support -
:gsettings -
:hardware-observe canonical-livepatch
:hardware-random-control -
:hardware-random-observe -
:home -
:hostname-control -
:hugepages-control -
:intel-mei -
:io-ports-control -
:jack1 -
:joystick -
:juju-client-observe -
:kernel-crypto-api -
:kernel-module-control canonical-livepatch
:kernel-module-observe -
:kubernetes-support -
:kvm -
:libvirt -
:locale-control -
:log-observe -
:login-session-control -
:login-session-observe -
:lxd-support -
:modem-manager -
:mount-observe -
:multipass-support -
:netlink-audit -
:netlink-connector -
:network -
:network-bind canonical-livepatch
:network-control canonical-livepatch
:network-manager canonical-livepatch
:network-manager-observe -
:network-observe -
:network-setup-control -
:network-setup-observe -
:network-status -
:ofono -
:opengl -
:openvswitch -
:openvswitch-support -
:optical-drive -
:packagekit-control -
:password-manager-service -
:personal-files -
:physical-memory-control -
:physical-memory-observe -
:power-control -
:ppp -
:process-control -
:pulseaudio -
:raw-usb -
:removable-media -
:screen-inhibit-control -
:screencast-legacy -
:shutdown -
:snapd-control -
:ssh-keys -
:ssh-public-keys -
:system-backup -
:system-files -
:system-observe canonical-livepatch
:system-packages-doc -
:system-source-code -
:system-trace -
:time-control -
:timeserver-control -
:timezone-control -
:tpm -
:u2f-devices -
:udisks2 -
:uhid -
:uinput -
:unity7 -
:upower-observe -
:vcio -
:wayland -
:x11 -
(END)
The `canonical-
Please clarify which part of the output is garbled.
Best regards,
Domas Monkus