Our triage showed that the security vulnerability reported in https://copy.fail/ also affected the Linux kernel versions shipped in maintained releases of UCS. The following Errata updates fixed the issue for all maintained releases of UCS:
On 6.5., Linux kernel updates were released for UCS:
- Security and bugfix errata for Univention Corporate Server for UCS 5.2-5 and UCS 5.2-4
- Security and bugfix errata for Univention Corporate Server for UCS 5.0-10
On 13.5., the following update was released:
- The Errata for Bug #59267 shipped a Kernel update to LTS Linux Kernel 5.10 for UCS 4.4-9 (Extended Maintenance Support)
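As a workaround for other UCS releases, we recommend employing the workaround given in https://copy.fail/, i.e. disabling the algif_aead module in some way. Under UCS, one option is to do the following:
```sh
# Append algif_aead to the UCR-managed kernel module blacklist
ucr set kernel/blacklist="$(ucr get kernel/blacklist);algif_aead"
# Make any attempt to load the module run /bin/false instead
echo "install algif_aead /bin/false" | sudo tee -a /etc/modprobe.d/copy-fail.conf
# Unload the module if it is currently loaded (errors are ignored if it is not)
rmmod algif_aead 2> /dev/null
# Drop the page cache, dentries and inodes
echo 3 > /proc/sys/vm/drop_caches
# Rebuild the initramfs for all installed kernels so the change applies at boot
update-initramfs -u -k all
```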
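To confirm that the workaround above has taken effect, the following added example (not part of the original advisory) checks that algif_aead is not loaded and that an `install algif_aead /bin/false` rule is present. The function names are hypothetical, and the file locations are passed as parameters so the checks can also be run against constructed test files; it does not inspect the UCR `kernel/blacklist` variable.

```shell
#!/bin/sh
# Added example: verify the algif_aead workaround.
# Live usage (paths assumed to be the standard locations):
#   check_mitigation algif_aead /proc/modules /etc/modprobe.d

# Return 0 if module $1 is listed in the /proc/modules-format file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Return 0 if a *.conf file in directory $2 has an active (uncommented)
# "install <module> /bin/false" or "/bin/true" rule for module $1.
install_disabled() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$1" '
            /^[[:space:]]*#/ { next }
            $1 == "install" && $2 == m &&
                ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
            END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Print a verdict; return 0 only if the module is unloaded AND blocked.
check_mitigation() {
    mod=$1 procfile=$2 confdir=$3 status=0
    if module_loaded "$mod" "$procfile"; then
        echo "FAIL: $mod is currently loaded"
        status=1
    fi
    if ! install_disabled "$mod" "$confdir"; then
        echo "FAIL: no 'install $mod /bin/false' rule in $confdir"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $mod is unloaded and blocked from loading"
    return "$status"
}
```

A non-zero exit status means at least one of the two conditions is not met; the printed FAIL lines say which.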