CVE-2019-5489

Name	CVE-2019-5489
Description	The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1823-1, DLA-1824-1, DSA-4465-1, ELA-133-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	jessie, jessie (lts)	3.16.84-1	fixed
	stretch (security)	4.9.320-2	fixed
	stretch (lts), stretch	4.9.320-3	fixed
	buster (security), buster, buster (lts)	4.19.316-1	fixed
	bullseye	5.10.223-1	fixed
	bullseye (security)	5.10.226-1	fixed
	bookworm	6.1.115-1	fixed
	bookworm (security)	6.1.112-1	fixed
	trixie	6.11.7-1	fixed
	sid	6.11.9-1	fixed
linux-4.9 (PTS)	jessie, jessie (lts)	4.9.303-1~deb8u3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
linux	source	wheezy	(unfixed)	end-of-life
linux	source	jessie	3.16.68-2		DLA-1823-1
linux	source	stretch	4.9.168-1+deb9u3		DSA-4465-1
linux	source	(unstable)	4.19.37-4
linux-4.9	source	jessie	4.9.168-1+deb9u3~deb8u1		DLA-1824-1