ID CVE-2013-2232
Summary The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
References
Vulnerable Configurations
  • Linux Kernel 3.0.43
    cpe:2.3:o:linux:linux_kernel:3.0.43
  • Linux Kernel 3.0.44
    cpe:2.3:o:linux:linux_kernel:3.0.44
  • Linux Kernel 3.0.37
    cpe:2.3:o:linux:linux_kernel:3.0.37
  • Linux Kernel 3.0.38
    cpe:2.3:o:linux:linux_kernel:3.0.38
  • Linux Kernel 3.0.35
    cpe:2.3:o:linux:linux_kernel:3.0.35
  • Linux Kernel 3.0.36
    cpe:2.3:o:linux:linux_kernel:3.0.36
  • Linux Kernel 3.0.41
    cpe:2.3:o:linux:linux_kernel:3.0.41
  • Linux Kernel 3.0.42
    cpe:2.3:o:linux:linux_kernel:3.0.42
  • Linux Kernel 3.0.39
    cpe:2.3:o:linux:linux_kernel:3.0.39
  • Linux Kernel 3.0.40
    cpe:2.3:o:linux:linux_kernel:3.0.40
  • Linux Kernel 3.2.12
    cpe:2.3:o:linux:linux_kernel:3.2.12
  • Linux Kernel 3.2.13
    cpe:2.3:o:linux:linux_kernel:3.2.13
  • Linux Kernel 3.2.14
    cpe:2.3:o:linux:linux_kernel:3.2.14
  • Linux Kernel 3.2.15
    cpe:2.3:o:linux:linux_kernel:3.2.15
  • Linux Kernel 3.2.16
    cpe:2.3:o:linux:linux_kernel:3.2.16
  • Linux Kernel 3.0.58
    cpe:2.3:o:linux:linux_kernel:3.0.58
  • Linux Kernel 3.1 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.1:rc1
  • Linux Kernel 3.0.59
    cpe:2.3:o:linux:linux_kernel:3.0.59
  • Linux Kernel 3.1 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.1:rc2
  • Linux Kernel 3.0.60
    cpe:2.3:o:linux:linux_kernel:3.0.60
  • Linux Kernel 3.1 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.1:rc3
  • Linux Kernel 3.0.61
    cpe:2.3:o:linux:linux_kernel:3.0.61
  • Linux Kernel 3.1 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.1:rc4
  • Linux Kernel 3.0.62
    cpe:2.3:o:linux:linux_kernel:3.0.62
  • Linux Kernel 3.0 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.0:rc7
  • Linux Kernel 3.0.63
    cpe:2.3:o:linux:linux_kernel:3.0.63
  • Linux Kernel 3.0 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.0:rc4
  • Linux Kernel 3.0.64
    cpe:2.3:o:linux:linux_kernel:3.0.64
  • Linux Kernel 3.0 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.0:rc5
  • Linux Kernel 3.0.65
    cpe:2.3:o:linux:linux_kernel:3.0.65
  • Linux Kernel 3.0 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.0:rc6
  • Linux Kernel 3.0.50
    cpe:2.3:o:linux:linux_kernel:3.0.50
  • Linux Kernel 3.2.1
    cpe:2.3:o:linux:linux_kernel:3.2.1
  • Linux Kernel 3.0.51
    cpe:2.3:o:linux:linux_kernel:3.0.51
  • Linux Kernel 3.0 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.0:rc1
  • Linux Kernel 3.0.52
    cpe:2.3:o:linux:linux_kernel:3.0.52
  • Linux Kernel 3.0 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.0:rc2
  • Linux Kernel 3.0.53
    cpe:2.3:o:linux:linux_kernel:3.0.53
  • Linux Kernel 3.0 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.0:rc3
  • Linux Kernel 3.0.54
    cpe:2.3:o:linux:linux_kernel:3.0.54
  • Linux Kernel 3.0.55
    cpe:2.3:o:linux:linux_kernel:3.0.55
  • Linux Kernel 3.0.56
    cpe:2.3:o:linux:linux_kernel:3.0.56
  • Linux Kernel 3.0.57
    cpe:2.3:o:linux:linux_kernel:3.0.57
  • Linux Kernel 3.0.45
    cpe:2.3:o:linux:linux_kernel:3.0.45
  • Linux Kernel 3.0.47
    cpe:2.3:o:linux:linux_kernel:3.0.47
  • Linux Kernel 3.0.46
    cpe:2.3:o:linux:linux_kernel:3.0.46
  • Linux Kernel 3.2.1 (x86)
    cpe:2.3:o:linux:linux_kernel:3.2.1:-:-:-:-:-:x86
  • Linux Kernel 3.0.49
    cpe:2.3:o:linux:linux_kernel:3.0.49
  • Linux Kernel 3.0.48
    cpe:2.3:o:linux:linux_kernel:3.0.48
  • Linux Kernel 3.0.24
    cpe:2.3:o:linux:linux_kernel:3.0.24
  • Linux Kernel 3.1
    cpe:2.3:o:linux:linux_kernel:3.1
  • Linux Kernel 3.0.22
    cpe:2.3:o:linux:linux_kernel:3.0.22
  • Linux Kernel 3.0.23
    cpe:2.3:o:linux:linux_kernel:3.0.23
  • Linux Kernel 3.0.20
    cpe:2.3:o:linux:linux_kernel:3.0.20
  • Linux Kernel 3.0.21
    cpe:2.3:o:linux:linux_kernel:3.0.21
  • Linux Kernel 3.0.18
    cpe:2.3:o:linux:linux_kernel:3.0.18
  • Linux Kernel 3.0.19
    cpe:2.3:o:linux:linux_kernel:3.0.19
  • Linux Kernel 3.0.16
    cpe:2.3:o:linux:linux_kernel:3.0.16
  • Linux Kernel 3.0.17
    cpe:2.3:o:linux:linux_kernel:3.0.17
  • Linux Kernel 3.0.14
    cpe:2.3:o:linux:linux_kernel:3.0.14
  • Linux Kernel 3.0.15
    cpe:2.3:o:linux:linux_kernel:3.0.15
  • Linux Kernel 3.0.12
    cpe:2.3:o:linux:linux_kernel:3.0.12
  • Linux Kernel 3.0.13
    cpe:2.3:o:linux:linux_kernel:3.0.13
  • Linux Kernel 3.0.10
    cpe:2.3:o:linux:linux_kernel:3.0.10
  • Linux Kernel 3.0.11
    cpe:2.3:o:linux:linux_kernel:3.0.11
  • Linux Kernel 3.2.10
    cpe:2.3:o:linux:linux_kernel:3.2.10
  • Linux Kernel 3.2.11
    cpe:2.3:o:linux:linux_kernel:3.2.11
  • Linux Kernel 3.1.10
    cpe:2.3:o:linux:linux_kernel:3.1.10
  • Linux Kernel 3.1.9
    cpe:2.3:o:linux:linux_kernel:3.1.9
  • Linux Kernel 3.1.8
    cpe:2.3:o:linux:linux_kernel:3.1.8
  • Linux Kernel 3.1.7
    cpe:2.3:o:linux:linux_kernel:3.1.7
  • Linux Kernel 3.1.6
    cpe:2.3:o:linux:linux_kernel:3.1.6
  • Linux Kernel 3.1.5
    cpe:2.3:o:linux:linux_kernel:3.1.5
  • Linux Kernel 3.1.4
    cpe:2.3:o:linux:linux_kernel:3.1.4
  • Linux Kernel 3.1.3
    cpe:2.3:o:linux:linux_kernel:3.1.3
  • Linux Kernel 3.1.2
    cpe:2.3:o:linux:linux_kernel:3.1.2
  • Linux Kernel 3.1.1
    cpe:2.3:o:linux:linux_kernel:3.1.1
  • Linux Kernel 3.2
    cpe:2.3:o:linux:linux_kernel:3.2
  • Linux Kernel 3.0.27
    cpe:2.3:o:linux:linux_kernel:3.0.27
  • Linux Kernel 3.0.26
    cpe:2.3:o:linux:linux_kernel:3.0.26
  • Linux Kernel 3.0.25
    cpe:2.3:o:linux:linux_kernel:3.0.25
  • Linux Kernel 3.0.4
    cpe:2.3:o:linux:linux_kernel:3.0.4
  • Linux Kernel 3.0.3
    cpe:2.3:o:linux:linux_kernel:3.0.3
  • Linux Kernel 3.0.2
    cpe:2.3:o:linux:linux_kernel:3.0.2
  • Linux Kernel 3.0.1
    cpe:2.3:o:linux:linux_kernel:3.0.1
  • Linux Kernel 3.0.34
    cpe:2.3:o:linux:linux_kernel:3.0.34
  • Linux Kernel 3.0.5
    cpe:2.3:o:linux:linux_kernel:3.0.5
  • Linux Kernel 3.0.32
    cpe:2.3:o:linux:linux_kernel:3.0.32
  • Linux Kernel 3.0.33
    cpe:2.3:o:linux:linux_kernel:3.0.33
  • Linux Kernel 3.0.30
    cpe:2.3:o:linux:linux_kernel:3.0.30
  • Linux Kernel 3.0.7
    cpe:2.3:o:linux:linux_kernel:3.0.7
  • Linux Kernel 3.0.31
    cpe:2.3:o:linux:linux_kernel:3.0.31
  • Linux Kernel 3.0.6
    cpe:2.3:o:linux:linux_kernel:3.0.6
  • Linux Kernel 3.0.28
    cpe:2.3:o:linux:linux_kernel:3.0.28
  • Linux Kernel 3.0.9
    cpe:2.3:o:linux:linux_kernel:3.0.9
  • Linux Kernel 3.0.29
    cpe:2.3:o:linux:linux_kernel:3.0.29
  • Linux Kernel 3.0.8
    cpe:2.3:o:linux:linux_kernel:3.0.8
  • Linux Kernel 3.0.68
    cpe:2.3:o:linux:linux_kernel:3.0.68
  • Linux Kernel 3.0.67
    cpe:2.3:o:linux:linux_kernel:3.0.67
  • Linux Kernel 3.0.66
    cpe:2.3:o:linux:linux_kernel:3.0.66
  • Linux Kernel 3.2.25
    cpe:2.3:o:linux:linux_kernel:3.2.25
  • Linux Kernel 3.2.26
    cpe:2.3:o:linux:linux_kernel:3.2.26
  • Linux Kernel 3.2.27
    cpe:2.3:o:linux:linux_kernel:3.2.27
  • Linux Kernel 3.2.28
    cpe:2.3:o:linux:linux_kernel:3.2.28
  • Linux Kernel 3.2.24
    cpe:2.3:o:linux:linux_kernel:3.2.24
  • Linux Kernel 3.2.23
    cpe:2.3:o:linux:linux_kernel:3.2.23
  • Linux Kernel 3.4 release candidate 3 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc3:-:-:-:-:x86
  • Linux Kernel 3.4.13
    cpe:2.3:o:linux:linux_kernel:3.4.13
  • Linux Kernel 3.2.30
    cpe:2.3:o:linux:linux_kernel:3.2.30
  • Linux Kernel 3.5.1
    cpe:2.3:o:linux:linux_kernel:3.5.1
  • Linux Kernel 3.4 release candidate 4 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc4:-:-:-:-:x86
  • Linux Kernel 3.2.29
    cpe:2.3:o:linux:linux_kernel:3.2.29
  • Linux Kernel 3.5.2
    cpe:2.3:o:linux:linux_kernel:3.5.2
  • Linux Kernel 3.4 release candidate 1 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc1:-:-:-:-:x86
  • Linux Kernel 3.2.22
    cpe:2.3:o:linux:linux_kernel:3.2.22
  • Linux Kernel 3.4 release candidate 2 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc2:-:-:-:-:x86
  • Linux Kernel 3.2.21
    cpe:2.3:o:linux:linux_kernel:3.2.21
  • Linux Kernel 3.4.9
    cpe:2.3:o:linux:linux_kernel:3.4.9
  • Linux Kernel 3.4.10
    cpe:2.3:o:linux:linux_kernel:3.4.10
  • Linux Kernel 3.4.11
    cpe:2.3:o:linux:linux_kernel:3.4.11
  • Linux Kernel 3.4.12
    cpe:2.3:o:linux:linux_kernel:3.4.12
  • Linux Kernel 3.4.6
    cpe:2.3:o:linux:linux_kernel:3.4.6
  • Linux Kernel 3.4.7
    cpe:2.3:o:linux:linux_kernel:3.4.7
  • Linux Kernel 3.4.8
    cpe:2.3:o:linux:linux_kernel:3.4.8
  • Linux Kernel 3.4.5
    cpe:2.3:o:linux:linux_kernel:3.4.5
  • Linux Kernel 3.4.32
    cpe:2.3:o:linux:linux_kernel:3.4.32
  • Linux Kernel 3.4.5 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4.5:-:-:-:-:-:x86
  • Linux Kernel 3.4.31
    cpe:2.3:o:linux:linux_kernel:3.4.31
  • Linux Kernel 3.4.30
    cpe:2.3:o:linux:linux_kernel:3.4.30
  • Linux Kernel 3.4.3
    cpe:2.3:o:linux:linux_kernel:3.4.3
  • Linux Kernel 3.4.4
    cpe:2.3:o:linux:linux_kernel:3.4.4
  • Linux Kernel 3.4.29
    cpe:2.3:o:linux:linux_kernel:3.4.29
  • Linux Kernel 3.4 release candidate 6 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc6:-:-:-:-:x86
  • Linux Kernel 3.4 release candidate 5 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc5:-:-:-:-:x86
  • Linux Kernel 3.4 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:-:-:-:-:-:x86
  • Linux Kernel 3.4 release candidate 7 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4:rc7:-:-:-:-:x86
  • Linux Kernel 3.4.2 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4.2:-:-:-:-:-:x86
  • Linux Kernel 3.3.5
    cpe:2.3:o:linux:linux_kernel:3.3.5
  • Linux Kernel 3.4.1 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4.1:-:-:-:-:-:x86
  • Linux Kernel 3.3.3
    cpe:2.3:o:linux:linux_kernel:3.3.3
  • Linux Kernel 3.4.4 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4.4:-:-:-:-:-:x86
  • Linux Kernel 3.3.1
    cpe:2.3:o:linux:linux_kernel:3.3.1
  • Linux Kernel 3.4.3 (x86)
    cpe:2.3:o:linux:linux_kernel:3.4.3:-:-:-:-:-:x86
  • Linux Kernel 3.4 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.4:rc2
  • Linux Kernel 3.4 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.4:rc1
  • Linux Kernel 3.4 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.4:rc4
  • Linux Kernel 3.4 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.4:rc3
  • Linux Kernel 3.4 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.4:rc6
  • Linux Kernel 3.4 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.4:rc5
  • Linux Kernel 3.4
    cpe:2.3:o:linux:linux_kernel:3.4
  • Linux Kernel 3.4 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.4:rc7
  • Linux Kernel 3.4.27
    cpe:2.3:o:linux:linux_kernel:3.4.27
  • Linux Kernel 3.4.28
    cpe:2.3:o:linux:linux_kernel:3.4.28
  • Linux Kernel 3.4.25
    cpe:2.3:o:linux:linux_kernel:3.4.25
  • Linux Kernel 3.4.26
    cpe:2.3:o:linux:linux_kernel:3.4.26
  • Linux Kernel 3.2.17
    cpe:2.3:o:linux:linux_kernel:3.2.17
  • Linux Kernel 3.2.18
    cpe:2.3:o:linux:linux_kernel:3.2.18
  • Linux Kernel 3.2.19
    cpe:2.3:o:linux:linux_kernel:3.2.19
  • Linux Kernel 3.2.20
    cpe:2.3:o:linux:linux_kernel:3.2.20
  • Linux Kernel 3.3.8
    cpe:2.3:o:linux:linux_kernel:3.3.8
  • Linux Kernel 3.2.5
    cpe:2.3:o:linux:linux_kernel:3.2.5
  • Linux Kernel 3.2.4
    cpe:2.3:o:linux:linux_kernel:3.2.4
  • Linux Kernel 3.2.3
    cpe:2.3:o:linux:linux_kernel:3.2.3
  • Linux Kernel 3.2.2
    cpe:2.3:o:linux:linux_kernel:3.2.2
  • Linux Kernel 3.3 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.3:rc7
  • Linux Kernel 3.3 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.3:rc4
  • Linux Kernel 3.3 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.3:rc3
  • Linux Kernel 3.3 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.3:rc6
  • Linux Kernel 3.3 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.3:rc5
  • Linux Kernel 3.2 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.2:rc7
  • Linux Kernel 3.2 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.2:rc6
  • Linux Kernel 3.3 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.3:rc2
  • Linux Kernel 3.3 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.3:rc1
  • Linux Kernel 3.2 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.2:rc3
  • Linux Kernel 3.2 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.2:rc2
  • Linux Kernel 3.2 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.2:rc5
  • Linux Kernel 3.2 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.2:rc4
  • Linux Kernel 3.2.6
    cpe:2.3:o:linux:linux_kernel:3.2.6
  • Linux Kernel 3.2.7
    cpe:2.3:o:linux:linux_kernel:3.2.7
  • Linux Kernel 3.2.8
    cpe:2.3:o:linux:linux_kernel:3.2.8
  • Linux Kernel 3.2.9
    cpe:2.3:o:linux:linux_kernel:3.2.9
  • Linux Kernel 3.3.2
    cpe:2.3:o:linux:linux_kernel:3.3.2
  • Linux Kernel 3.3.4
    cpe:2.3:o:linux:linux_kernel:3.3.4
  • Linux Kernel 3.3.6
    cpe:2.3:o:linux:linux_kernel:3.3.6
  • Linux Kernel 3.3.7
    cpe:2.3:o:linux:linux_kernel:3.3.7
  • Linux Kernel 3.4.2
    cpe:2.3:o:linux:linux_kernel:3.4.2
  • Linux Kernel 3.4.1
    cpe:2.3:o:linux:linux_kernel:3.4.1
  • Linux Kernel 3.3
    cpe:2.3:o:linux:linux_kernel:3.3
  • Linux Kernel 3.4.16
    cpe:2.3:o:linux:linux_kernel:3.4.16
  • Linux Kernel 3.4.17
    cpe:2.3:o:linux:linux_kernel:3.4.17
  • Linux Kernel 3.4.14
    cpe:2.3:o:linux:linux_kernel:3.4.14
  • Linux Kernel 3.4.15
    cpe:2.3:o:linux:linux_kernel:3.4.15
  • Linux Kernel 3.4.20
    cpe:2.3:o:linux:linux_kernel:3.4.20
  • Linux Kernel 3.4.21
    cpe:2.3:o:linux:linux_kernel:3.4.21
  • Linux Kernel 3.2 (x86)
    cpe:2.3:o:linux:linux_kernel:3.2:-:-:-:-:-:x86
  • Linux Kernel 3.4.18
    cpe:2.3:o:linux:linux_kernel:3.4.18
  • Linux Kernel 3.4.19
    cpe:2.3:o:linux:linux_kernel:3.4.19
  • Linux Kernel 3.4.24
    cpe:2.3:o:linux:linux_kernel:3.4.24
  • Linux Kernel 3.4.23
    cpe:2.3:o:linux:linux_kernel:3.4.23
  • Linux Kernel 3.4.22
    cpe:2.3:o:linux:linux_kernel:3.4.22
  • Linux Kernel 3.9 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.9:rc1
  • Linux Kernel 3.9 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.9:rc2
  • Linux Kernel 3.9 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.9:rc4
  • Linux Kernel 3.5.4
    cpe:2.3:o:linux:linux_kernel:3.5.4
  • Linux Kernel 3.9 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.9:rc3
  • Linux Kernel 3.5.5
    cpe:2.3:o:linux:linux_kernel:3.5.5
  • Linux Kernel 3.9 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.9:rc6
  • Linux Kernel 3.9 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.9:rc5
  • Linux Kernel 3.9 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.9:rc7
  • Linux Kernel 3.5.3
    cpe:2.3:o:linux:linux_kernel:3.5.3
  • Linux Kernel 3.8.5
    cpe:2.3:o:linux:linux_kernel:3.8.5
  • Linux Kernel 3.7.10
    cpe:2.3:o:linux:linux_kernel:3.7.10
  • Linux Kernel 3.8.8
    cpe:2.3:o:linux:linux_kernel:3.8.8
  • Linux Kernel 3.7.7
    cpe:2.3:o:linux:linux_kernel:3.7.7
  • Linux Kernel 3.7.8
    cpe:2.3:o:linux:linux_kernel:3.7.8
  • Linux Kernel 3.7.9
    cpe:2.3:o:linux:linux_kernel:3.7.9
  • Linux Kernel 3.8.7
    cpe:2.3:o:linux:linux_kernel:3.8.7
  • Linux Kernel 3.8.6
    cpe:2.3:o:linux:linux_kernel:3.8.6
  • Linux Kernel 3.7.5
    cpe:2.3:o:linux:linux_kernel:3.7.5
  • Linux Kernel 3.7.6
    cpe:2.3:o:linux:linux_kernel:3.7.6
  • Linux Kernel 3.8.3
    cpe:2.3:o:linux:linux_kernel:3.8.3
  • Linux Kernel 3.8.0
    cpe:2.3:o:linux:linux_kernel:3.8.0
  • Linux Kernel 3.9.1
    cpe:2.3:o:linux:linux_kernel:3.9.1
  • Linux Kernel 3.9.2
    cpe:2.3:o:linux:linux_kernel:3.9.2
  • Linux Kernel 3.9.3
    cpe:2.3:o:linux:linux_kernel:3.9.3
  • Linux Kernel 3.9.4
    cpe:2.3:o:linux:linux_kernel:3.9.4
  • Linux Kernel 3.9.0
    cpe:2.3:o:linux:linux_kernel:3.9.0
  • Linux Kernel 3.7.3
    cpe:2.3:o:linux:linux_kernel:3.7.3
  • Linux Kernel 3.7.2
    cpe:2.3:o:linux:linux_kernel:3.7.2
  • Linux Kernel 3.7.4
    cpe:2.3:o:linux:linux_kernel:3.7.4
  • Linux Kernel 3.8.1
    cpe:2.3:o:linux:linux_kernel:3.8.1
  • Linux Kernel 3.8.2
    cpe:2.3:o:linux:linux_kernel:3.8.2
  • Linux Kernel 3.6
    cpe:2.3:o:linux:linux_kernel:3.6
  • Linux Kernel 3.6.11
    cpe:2.3:o:linux:linux_kernel:3.6.11
  • Linux Kernel 3.6.10
    cpe:2.3:o:linux:linux_kernel:3.6.10
  • Linux Kernel 3.6.5
    cpe:2.3:o:linux:linux_kernel:3.6.5
  • Linux Kernel 3.6.4
    cpe:2.3:o:linux:linux_kernel:3.6.4
  • Linux Kernel 3.6.3
    cpe:2.3:o:linux:linux_kernel:3.6.3
  • Linux Kernel 3.6.2
    cpe:2.3:o:linux:linux_kernel:3.6.2
  • Linux Kernel 3.6.9
    cpe:2.3:o:linux:linux_kernel:3.6.9
  • Linux Kernel 3.6.8
    cpe:2.3:o:linux:linux_kernel:3.6.8
  • Linux Kernel 3.6.7
    cpe:2.3:o:linux:linux_kernel:3.6.7
  • Linux Kernel 3.6.6
    cpe:2.3:o:linux:linux_kernel:3.6.6
  • Linux Kernel 3.8.4
    cpe:2.3:o:linux:linux_kernel:3.8.4
  • Linux Kernel 3.5.6
    cpe:2.3:o:linux:linux_kernel:3.5.6
  • Linux Kernel 3.7
    cpe:2.3:o:linux:linux_kernel:3.7
  • Linux Kernel 3.6.1
    cpe:2.3:o:linux:linux_kernel:3.6.1
  • Linux Kernel 3.7.1
    cpe:2.3:o:linux:linux_kernel:3.7.1
  • Linux Kernel 3.5.7
    cpe:2.3:o:linux:linux_kernel:3.5.7
  • Linux Kernel 3.9.5
    cpe:2.3:o:linux:linux_kernel:3.9.5
  • Linux Kernel 3.9.6
    cpe:2.3:o:linux:linux_kernel:3.9.6
  • Linux Kernel 3.9.7
    cpe:2.3:o:linux:linux_kernel:3.9.7
  • Linux Kernel 3.9.8
    cpe:2.3:o:linux:linux_kernel:3.9.8
  • Linux Kernel 3.9.9
    cpe:2.3:o:linux:linux_kernel:3.9.9
CVSS
Base: 4.9 (as of 05-07-2013 - 10:01)
Impact:
Exploitability:
CWE CWE-20
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Variable Manipulation
    An attacker manipulates variables used by an application to perform a variety of possible attacks. This can either be performed through the manipulation of function call parameters or by manipulating external variables, such as environment variables, that are used by an application. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Flash Injection
    An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
  • Cross-Site Scripting Using Alternate Syntax
    The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • Cross-Site Scripting via Encoded URI Schemes
    An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.
  • XML Injection
    An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
  • Environment Variable Manipulation
    An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Global variable manipulation
    An attacker manipulates global variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Leverage Alternate Encoding
    This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult.
  • Fuzzing
    Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals.
  • Using Leading 'Ghost' Character Sequences to Bypass Input Filters
    An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes. One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
  • Accessing/Intercepting/Modifying HTTP Cookies
    This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
  • Embedding Scripts in HTTP Query Strings
    A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on.
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • Embedding NULL Bytes
    An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
  • Postfix, Null Terminate, and Backslash
    If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.
  • Simple Script Injection
    An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
  • Using Unicode Encoding to Bypass Validation Logic
    An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
  • URL Encoding
    This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).
  • User-Controlled Filename
    An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Using UTF-8 Encoding to Bypass Validation Logic
    This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.
  • Web Logs Tampering
    Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
  • XPath Injection
    An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
  • AJAX Fingerprinting
    This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application. A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
  • Embedding Script (XSS) in HTTP Headers
    An attack of this type exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
  • XSS in IMG Tags
    Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2542.NASL
    description Description of changes: kernel-uek [2.6.32-400.29.3.el5uek] - block: do not pass disk names as format strings (Jerry Snitselaar) [Orabug: 17230124] {CVE-2013-2851} - af_key: initialize satype in key_notify_policy_flush() (Nicolas Dichtel) [Orabug: 17370765] {CVE-2013-2237} - Bluetooth: L2CAP - Fix info leak via getsockname() (Mathias Krause) [Orabug: 17371054] {CVE-2012-6544} - Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER) (Mathias Krause) [Orabug: 17371072] {CVE-2012-6544} - ipv6: ip6_sk_dst_check() must not assume ipv6 dst (Eric Dumazet) [Orabug: 17371079] {CVE-2013-2232} - sctp: Use correct sideffect command in duplicate cookie handling (Vlad Yasevich) [Orabug: 17371121] {CVE-2013-2206} - sctp: deal with multiple COOKIE_ECHO chunks (Max Matveev) [Orabug: 17372129] {CVE-2013-2206}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69509
    published 2013-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69509
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2542)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2013-1832-1.NASL
    description The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs. The Following security issues have been fixed : CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password. CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application. CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.' CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c. CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem. CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname. CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem. CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field. CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call. CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets. CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process. CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call. CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880. CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character. CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets. CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record. CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash. CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share. CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.' CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets. The following bugs have been fixed : patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856). cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975). - cio: Add timeouts for internal IO (bnc#701550,LTC#72691). kernel: first time swap use results in heavy swapping (bnc#701550,LTC#73132). qla2xxx: Do not be so verbose on underrun detected patches.arch/i386-run-tsc-calibration-5-times.patch: Fix the patch, the logic was wrong (bnc#537165, bnc#826551). xfs: Do not reclaim new inodes in xfs_sync_inodes() (bnc#770980 bnc#811752). kbuild: Fix gcc -x syntax (bnc#773831). e1000e: stop cleaning when we reach tx_ring->next_to_use (bnc#762825). Fix race condition about network device name allocation (bnc#747576). kdump: bootmem map over crash reserved region (bnc#749168, bnc#722400, bnc#742881). tcp: fix race condition leading to premature termination of sockets in FIN_WAIT2 state and connection being reset (bnc#745760) tcp: drop SYN+FIN messages (bnc#765102). net/linkwatch: Handle jiffies wrap-around (bnc#740131). patches.fixes/vm-dirty-bytes: Provide /proc/sys/vm/dirty_{background_,}bytes for tuning (bnc#727597). ipmi: Fix deadlock in start_next_msg() (bnc#730749). cpu-hotplug: release workqueue_mutex properly on CPU hot-remove (bnc#733407). libiscsi: handle init task failures (bnc#721351). NFS/sunrpc: do not use a credential with extra groups (bnc#725878). x86_64: fix reboot hang when 'reboot=b' is passed to the kernel (bnc#721267). nf_nat: do not add NAT extension for confirmed conntracks (bnc#709213). xfs: fix memory reclaim recursion deadlock on locked inode buffer (bnc#699355 bnc#699354 bnc#721830). ipmi: do not grab locks in run-to-completion mode (bnc#717421). cciss: do not attempt to read from a write-only register (bnc#683101). qla2xxx: Disable MSI-X initialization (bnc#693513). Allow balance_dirty_pages to help other filesystems (bnc#709369). - nfs: fix congestion control (bnc#709369). - NFS: Separate metadata and page cache revalidation mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat shutdown race (bnc#752556). x87: Do not synchronize TSCs across cores if they already should be synchronized by HW (bnc#615418 bnc#609220). reiserfs: Fix int overflow while calculating free space (bnc#795075). af_unix: limit recursion level (bnc#656153). bcm43xx: netlink deadlock fix (bnc#850241). jbd: Issue cache flush after checkpointing (bnc#731770). cfq: Fix infinite loop in cfq_preempt_queue() (bnc#724692). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 83603
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83603
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0287-1.NASL
    description This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update to fix a lot of security issues and non-security bugs. The following security bugs have been fixed : CVE-2011-3593: A certain Red Hat patch to the vlan_hwaccel_do_receive function in net/8021q/vlan_core.c in the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows remote attackers to cause a denial of service (system crash) via priority-tagged VLAN frames. (bnc#735347) CVE-2012-1601: The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. (bnc#754898) CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. (bnc#767612) CVE-2012-2372: The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610) CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. (bnc#770695) CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before 3.2.24 does not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allows local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1083. (bnc#769896) CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. (bnc#774523) CVE-2012-3430: The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. (bnc#773383) CVE-2012-3511: Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call. (bnc#776885) CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. (bnc#789831) CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#786013) CVE-2012-4565: The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. (bnc#787576) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6538: The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux kernel before 3.6 uses an incorrect C library function for copying a string, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6548: The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809902) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0160: The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. (bnc#797175) CVE-2013-0216: The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. (bnc#800280)(XSA-39) CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (bnc#801178)(XSA-43) CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. (bnc#802642) CVE-2013-0310: The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call. (bnc#804653) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0349: The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call. (bnc#805227) CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. (bnc#804154) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1767: Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. (bnc#806138) CVE-2013-1773: Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion. (bnc#806977) CVE-2013-1774: The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (bnc#806976) CVE-2013-1792: Race condition in the install_user_keyrings function in security/keys/process_keys.c in the Linux kernel before 3.8.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) via crafted keyctl system calls that trigger keyring operations in simultaneous threads. (bnc#808358) CVE-2013-1796: The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. (bnc#806980) CVE-2013-1797: Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. (bnc#806980) CVE-2013-1798: The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. (bnc#806980) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (bnc#813735) CVE-2013-1943: The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guests physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. (bnc#828012) CVE-2013-2015: The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (bnc#817377) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (bnc#823260) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2634: net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#810473) CVE-2013-2851: Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (bnc#822575) CVE-2013-2852: Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (bnc#822579) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2889: drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2892: drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-2929: The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3225: The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4345: Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. (bnc#840226) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4511: Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021) CVE-2013-4587: Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-4591: Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the Linux kernel before 3.7.2 allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a getxattr system call for the system.nfs4_acl extended attribute of a pathname on an NFSv4 filesystem. (bnc#851103) CVE-2013-6367: The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051) CVE-2013-6368: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052) CVE-2013-6378: The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - x86: Clear HPET configuration registers on startup (bnc#748896). - sched: fix divide by zero in task_utime() (bnc#761774). - sched: Fix pick_next_highest_task_rt() for cgroups (bnc#760596). - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - cpumask: Partition_sched_domains takes array of cpumask_var_t (bnc#812364). - cpumask: Simplify sched_rt.c (bnc#812364). - kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops (bnc#823618). - memcg: fix init_section_page_cgroup pfn alignment (bnc#835481). - tty: fix up atime/mtime mess, take three (bnc#797175). - tty: fix atime/mtime regression (bnc#815745). - ptrace: ptrace_resume() should not wake up !TASK_TRACED thread (bnc#804154). - kbuild: Fix gcc -x syntax (bnc#773831). - ftrace: Disable function tracing during suspend/resume and hibernation, again (bnc#768668). proc: fix pagemap_read() error case (bnc#787573). net: Upgrade device features irrespective of mask (bnc#715250). - tcp: bind() fix autoselection to share ports (bnc#823618). - tcp: bind() use stronger condition for bind_conflict (bnc#823618). - tcp: ipv6: bind() use stronger condition for bind_conflict (bnc#823618). - netfilter: use RCU safe kfree for conntrack extensions (bnc#827416). - netfilter: prevent race condition breaking net reference counting (bnc#835094). - netfilter: send ICMPv6 message on fragment reassembly timeout (bnc#773577). - netfilter: fix sending ICMPv6 on netfilter reassembly timeout (bnc#773577). - tcp_cubic: limit delayed_ack ratio to prevent divide error (bnc#810045). bonding: in balance-rr mode, set curr_active_slave only if it is up (bnc#789648). scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Always retry internal target error (bnc#745640, bnc#825227). - scsi: kABI fixes (bnc#798050). - scsi: remove check for 'resetting' (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) (bnc#798050). scsi: fix id computation in scsi_eh_target_reset() (bnc#798050). advansys: Remove 'last_reset' references (bnc#798050). - dc395: Move 'last_reset' into internal host structure (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - fc class: fix scanning when devs are offline (bnc#798050). tmscsim: Move 'last_reset' into host structure (bnc#798050). st: Store page order before driver buffer allocation (bnc#769644). - st: Increase success probability in driver buffer allocation (bnc#769644). st: work around broken __bio_add_page logic (bnc#769644). avoid race by ignoring flush_time in cache_check (bnc#814363). writeback: remove the internal 5% low bound on dirty_ratio - writeback: skip balance_dirty_pages() for in-memory fs (Do not dirty throttle ram-based filesystems (bnc#840858)). writeback: Do not sync data dirtied after sync start (bnc#833820). blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). vfs: fix O_DIRECT read past end of block device (bnc#820338). lib/radix-tree.c: make radix_tree_node_alloc() work correctly within interrupt (bnc#763463). xfs: allow writeback from kswapd (bnc#826707). - xfs: skip writeback from reclaim context (bnc#826707). - xfs: Serialize file-extending direct IO (bnc#818371). - xfs: Avoid pathological backwards allocation (bnc#805945). xfs: fix inode lookup race (bnc#763463). cifs: clarify the meaning of tcpStatus == CifsGood (bnc#776024). cifs: do not allow cifs_reconnect to exit with NULL socket pointer (bnc#776024). ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2 (bnc#773320). usb: Fix deadlock in hid_reset when Dell iDRAC is reset (bnc#814716). usb: xhci: Fix command completion after a drop endpoint (bnc#807320). netiucv: Hold rtnl between name allocation and device registration (bnc#824159). rwsem: Test for no active locks in __rwsem_do_wake undo code (bnc#813276). nfs: NFSv3/v2: Fix data corruption with NFS short reads (bnc#818337). - nfs: Allow sec=none mounts in certain cases (bnc#795354). - nfs: Make nfsiod a multi-thread queue (bnc#815352). - nfs: increase number of permitted callback connections (bnc#771706). - nfs: Fix Oops in nfs_lookup_revalidate (bnc#780008). - nfs: do not allow TASK_KILLABLE sleeps to block the freezer (bnc#775182). nfs: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). svcrpc: take lock on turning entry NEGATIVE in cache_check (bnc#803320). - svcrpc: ensure cache_check caller sees updated entry (bnc#803320). - sunrpc/cache: remove races with queuing an upcall (bnc#803320). - sunrpc/cache: use cache_fresh_unlocked consistently and correctly (bnc#803320). - sunrpc/cache: ensure items removed from cache do not have pending upcalls (bnc#803320). - sunrpc/cache: do not schedule update on cache item that has been replaced (bnc#803320). sunrpc/cache: fix test in try_to_negate (bnc#803320). xenbus: fix overflow check in xenbus_dev_write(). - x86: do not corrupt %eip when returning from a signal handler. - scsiback/usbback: move cond_resched() invocations to proper place. netback: fix netbk_count_requests(). dm: add dm_deleting_md function (bnc#785016). - dm: bind new table before destroying old (bnc#785016). - dm: keep old table until after resume succeeded (bnc#785016). dm: rename dm_get_table to dm_get_live_table (bnc#785016). drm/edid: Fix up partially corrupted headers (bnc#780004). drm/edid: Retry EDID fetch up to four times (bnc#780004). i2c-algo-bit: Fix spurious SCL timeouts under heavy load (bnc#780004). hpilo: remove pci_disable_device (bnc#752544). mptsas: handle 'Initializing Command Required' ASCQ (bnc#782178). mpt2sas: Fix race on shutdown (bnc#856917). ipmi: decrease the IPMI message transaction time in interrupt mode (bnc#763654). - ipmi: simplify locking (bnc#763654). ipmi: use a tasklet for handling received messages (bnc#763654). bnx2x: bug fix when loading after SAN boot (bnc#714906). bnx2x: previous driver unload revised (bnc#714906). ixgbe: Address fact that RSC was not setting GSO size for incoming frames (bnc#776144). ixgbe: pull PSRTYPE configuration into a separate function (bnc#780572 bnc#773640 bnc#776144). e1000e: clear REQ and GNT in EECD (82571 && 82572) (bnc#762099). hpsa: do not attempt to read from a write-only register (bnc#777473). aio: Fixup kABI for the aio-implement-request-batching patch (bnc#772849). - aio: bump i_count instead of using igrab (bnc#772849). aio: implement request batching (bnc#772849). Driver core: Do not remove kobjects in device_shutdown (bnc#771992). resources: fix call to alignf() in allocate_resource() (bnc#744955). - resources: when allocate_resource() fails, leave resource untouched (bnc#744955). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83611
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83611
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2014-0536-1.NASL
    description The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs. The following security issues have been addressed : CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014) CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. (bnc#703156) CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. (bnc#809889) CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809891) CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 3.6 does not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809892) CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809893) CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel before 3.6 has an incorrect return value in certain circumstances, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. (bnc#809894) CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. (bnc#809898) CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 does not properly initialize certain structures, which allows local users to obtain sensitive information from kernel memory via a crafted application. (bnc#809899) CVE-2012-6546: The ATM implementation in the Linux kernel before 3.6 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809900) CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before 3.6 does not initialize a certain structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. (bnc#809901) CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. (bnc#809903) CVE-2013-0343: The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages. (bnc#805226) CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. (bnc#808827) CVE-2013-1827: net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. (bnc#811354) CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. (bnc#823267) CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (bnc#824295) CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. (bnc#826102) CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (bnc#827750) CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (bnc#827749) CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (bnc#828119) CVE-2013-2888: Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (bnc#835839) CVE-2013-2893: The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839) CVE-2013-2897: Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839) CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-3235: net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (bnc#816668) CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (bnc#831058) CVE-2013-4387: net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (bnc#843430) CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. (bnc#847672) CVE-2013-4483: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321) CVE-2013-4588: Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. (bnc#851095) CVE-2013-6383: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558) CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869) CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870) CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872) Also the following non-security bugs have been fixed : - kernel: Remove newline from execve audit log (bnc#827855). - kernel: sclp console hangs (bnc#830344, LTC#95711). - kernel: fix flush_tlb_kernel_range (bnc#825052, LTC#94745). kernel: lost IPIs on CPU hotplug (bnc#825052, LTC#94784). sctp: deal with multiple COOKIE_ECHO chunks (bnc#826102). - net: Uninline kfree_skb and allow NULL argument (bnc#853501). - netback: don't disconnect frontend when seeing oversize packet. netfront: reduce gso_max_size to account for max TCP header. fs/dcache: Avoid race in d_splice_alias and vfs_rmdir (bnc#845028). - fs/proc: proc_task_lookup() fix memory pinning (bnc#827362 bnc#849765). - blkdev_max_block: make private to fs/buffer.c (bnc#820338). - vfs: avoid 'attempt to access beyond end of device' warnings (bnc#820338). - vfs: fix O_DIRECT read past end of block device (bnc#820338). - cifs: don't use CIFSGetSrvInodeNumber in is_path_accessible (bnc#832603). - xfs: Fix kABI breakage caused by AIL list transformation (bnc#806219). - xfs: Replace custom AIL linked-list code with struct list_head (bnc#806219). - reiserfs: fix problems with chowning setuid file w/ xattrs (bnc#790920). - reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry (bnc#822722). jbd: Fix forever sleeping process in do_get_write_access() (bnc#827983). HID: check for NULL field when setting values (bnc#835839). - HID: provide a helper for validating hid reports (bnc#835839). - bcm43xx: netlink deadlock fix (bnc#850241). - bnx2: Close device if tx_timeout reset fails (bnc#857597). - xfrm: invalidate dst on policy insertion/deletion (bnc#842239). - xfrm: prevent ipcomp scratch buffer race condition (bnc#842239). - lpfc: Update to 8.2.0.106 (bnc#798050). - Make lpfc task management timeout configurable (bnc#798050). - dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050). - dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset (bnc#798050). - advansys: Remove 'last_reset' references (bnc#798050). - tmscsim: Move 'last_reset' into host structure (bnc#798050). dc395: Move 'last_reset' into internal host structure (bnc#798050). scsi: remove check for 'resetting' (bnc#798050). - scsi: Allow error handling timeout to be specified (bnc#798050). - scsi: Eliminate error handler overload of the SCSI serial number (bnc#798050). - scsi: Reduce sequential pointer derefs in scsi_error.c and reduce size as well (bnc#798050). - scsi: Reduce error recovery time by reducing use of TURs (bnc#798050). - scsi: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations) - scsi: cleanup setting task state in scsi_error_handler() (bnc#798050). - scsi: Add 'eh_deadline' to limit SCSI EH runtime (bnc#798050). - scsi: Fixup compilation warning (bnc#798050). - scsi: fc class: fix scanning when devs are offline (bnc#798050). - scsi: Warn on invalid command completion (bnc#798050). - scsi: Retry failfast commands after EH (bnc#798050). - scsi: kABI fixes (bnc#798050). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 83618
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83618
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-12901.NASL
    description This update contains a number of fixes for vhost-net, bridging, and other bits of the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 68861
    published 2013-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68861
    title Fedora 19 : kernel-3.9.9-302.fc19 (2013-12901)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-1034.NASL
    description The Linux Kernel was updated to fix various security issues and bugs. - sctp: Use correct sideffect command in duplicate cookie handling (bnc#826102, CVE-2013-2206). - Drivers: hv: util: Fix a bug in util version negotiation code (bnc#838346). - vmxnet3: prevent div-by-zero panic when ring resizing uninitialized dev (bnc#833321). - md/raid1,5,10: Disable WRITE SAME until a recovery strategy is in place (bnc#813889). - netback: don't disconnect frontend when seeing oversize packet (bnc#823342). - netfront: reduce gso_max_size to account for max TCP header. - netfront: fix kABI after 'reduce gso_max_size to account for max TCP header'. - backends: Check for insane amounts of requests on the ring. - Refresh other Xen patches (bnc#804198, bnc#814211, bnc#826374). - Fix TLB gather virtual address range invalidation corner cases (TLB gather memory corruption). - mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots (TLB gather memory corruption). - bnx2x: protect different statistics flows (bnc#814336). - Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714). - kabi/severities: Ignore changes in drivers/hv - e1000e: workaround DMA unit hang on I218 (bnc#834647). - e1000e: unexpected 'Reset adapter' message when cable pulled (bnc#834647). - e1000e: 82577: workaround for link drop issue (bnc#834647). - e1000e: helper functions for accessing EMI registers (bnc#834647). - atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring (bnc#812116). - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: locking, release lock around quota operations (bnc#815320). - reiserfs: locking, handle nested locks properly (bnc#815320). - reiserfs: locking, push write lock out of xattr code (bnc#815320). - af_key: fix info leaks in notify messages (bnc#827749 CVE-2013-2234). - af_key: initialize satype in key_notify_policy_flush() (bnc#828119 CVE-2013-2237). - kernel/signal.c: stop info leak via the tkill and the tgkill syscalls (bnc#823267 CVE-2013-2141). - b43: stop format string leaking into error msgs (bnc#822579 CVE-2013-2852). - net: fix incorrect credentials passing (bnc#816708 CVE-2013-1979). - tipc: fix info leaks via msg_name in recv_msg/recv_stream (bnc#816668 CVE-2013-3235). - rose: fix info leak via msg_name in rose_recvmsg() (bnc#816668 CVE-2013-3234). - NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() (bnc#816668 CVE-2013-3233). - netrom: fix info leak via msg_name in nr_recvmsg() (bnc#816668 CVE-2013-3232). - llc: Fix missing msg_namelen update in llc_ui_recvmsg() (bnc#816668 CVE-2013-3231). - l2tp: fix info leak in l2tp_ip6_recvmsg() (bnc#816668 CVE-2013-3230). - iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (bnc#816668 CVE-2013-3229). - irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (bnc#816668 CVE-2013-3228). - caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() (bnc#816668 CVE-2013-3227). - Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg() (bnc#816668 CVE-2013-3226). - Bluetooth: fix possible info leak in bt_sock_recvmsg() (bnc#816668 CVE-2013-3224). - ax25: fix info leak via msg_name in ax25_recvmsg() (bnc#816668 CVE-2013-3223). - atm: update msg_namelen in vcc_recvmsg() (bnc#816668 CVE-2013-3222). - ipv6: call udp_push_pending_frames when uncorking a socket with (bnc#831058, CVE-2013-4162). - tracing: Fix possible NULL pointer dereferences (bnc#815256 CVE-2013-3301). - tg3: fix length overflow in VPD firmware parsing (bnc#813733 CVE-2013-1929). - dcbnl: fix various netlink info leaks (bnc#810473 CVE-2013-2634). - rtnl: fix info leak on RTM_GETLINK request for VF devices (bnc#810473 CVE-2013-2635). - crypto: user - fix info leaks in report API (bnc#809906 CVE-2013-2546 CVE-2013-2547 CVE-2013-2548). - kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER (bnc#808827 CVE-2013-0914). - signal: always clear sa_restorer on execve (bnc#808827 CVE-2013-0914). - signal: Define __ARCH_HAS_SA_RESTORER so we know whether to clear sa_restorer (bnc#808827 CVE-2013-0914). - ipv6: ip6_sk_dst_check() must not assume ipv6 dst (bnc#827750, CVE-2013-2232). - xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end (CVE-2013-1819 bnc#807471). - blk: avoid divide-by-zero with zero discard granularity (bnc#832615). - dlm: check the write size from user (bnc#831956). - drm/i915: Serialize almost all register access (bnc#823633). - drm/i915: initialize gt_lock early with other spin locks (bnc#801341). - drm/i915: fix up gt init sequence fallout (bnc#801341). - drm/nouveau/hwmon: s/fan0/fan1/. - Drivers: hv: balloon: Do not post pressure status if interrupted (bnc#829539). - drm/i915: Clear FORCEWAKE when taking over from BIOS (bnc#801341). - drm/i915: Apply alignment restrictions on scanout surfaces for VT-d (bnc#818561). - fs/notify/inode_mark.c: make fsnotify_find_inode_mark_locked() static (bnc#807188). - fsnotify: change locking order (bnc#807188). - fsnotify: dont put marks on temporary list when clearing marks by group (bnc#807188). - fsnotify: introduce locked versions of fsnotify_add_mark() and fsnotify_remove_mark() (bnc#807188). - fsnotify: pass group to fsnotify_destroy_mark() (bnc#807188). - fsnotify: use a mutex instead of a spinlock to protect a groups mark list (bnc#807188). - fanotify: add an extra flag to mark_remove_from_mask that indicates wheather a mark should be destroyed (bnc#807188). - fsnotify: take groups mark_lock before mark lock (bnc#807188). - fsnotify: use reference counting for groups (bnc#807188). - fsnotify: introduce fsnotify_get_group() (bnc#807188). - inotify, fanotify: replace fsnotify_put_group() with fsnotify_destroy_group() (bnc#807188). - drm/i915: fix long-standing SNB regression in power consumption after resume v2 (bnc#801341). - drm/nouveau: use vmalloc for pgt allocation (bnc#802347). - USB: xhci: correctly enable interrupts (bnc#828191). - drm/i915: Resurrect ring kicking for semaphores, selectively (bnc#823633,bnc#799516). - ALSA: usb-audio: Fix invalid volume resolution for Logitech HD Webcam c310 (bnc#821735). - ALSA: usb-audio - Fix invalid volume resolution on Logitech HD webcam c270 (bnc#821735). - config: sync up config options added with btrfs update - xfs: xfs: fallback to vmalloc for large buffers in xfs_compat_attrlist_by_handle (bnc#818053 bnc#807153). - xfs: fallback to vmalloc for large buffers in xfs_attrlist_by_handle (bnc#818053 bnc#807153). - btrfs: update to v3.10. - block: Add bio_end_sector(). - block: Use bio_sectors() more consistently. - btrfs: handle lookup errors after subvol/snapshot creation. - btrfs: add new ioctl to determine size of compressed file (FATE#306586). - btrfs: reduce btrfs_path size (FATE#306586). - btrfs: simplify move_pages and copy_pages (FATE#306586). - Prefix mount messages with btrfs: for clarity (FATE#306586). - Btrfs: forced readonly when free_log_tree fails (FATE#306586). - Btrfs: forced readonly when orphan_del fails (FATE#306586). - btrfs: abort unlink trans in missed error case. - btrfs: access superblock via pagecache in scan_one_device. - Btrfs: account for orphan inodes properly during cleanup. - Btrfs: add a comment for fs_info->max_inline. - Btrfs: add a incompatible format change for smaller metadata extent refs. - Btrfs: Add a new ioctl to get the label of a mounted file system. - Btrfs: add a plugging callback to raid56 writes. - Btrfs: add a rb_tree to improve performance of ulist search. - Btrfs: Add a stripe cache to raid56. - Btrfs: Add ACCESS_ONCE() to transaction->abort accesses. - Btrfs: add all ioctl checks before user change for quota operations. - Btrfs: add btrfs_scratch_superblock() function. - btrfs: add cancellation points to defrag. - Btrfs: add code to scrub to copy read data to another disk. - btrfs: add debug check for extent_io range alignment. - Btrfs: add fiemap's flag check. - Btrfs: add ioctl to wait for qgroup rescan completion. - btrfs: add missing break in btrfs_print_leaf(). - Btrfs: add new sources for device replace code. - btrfs: add 'no file data' flag to btrfs send ioctl. - Btrfs: add orphan before truncating pagecache. - Btrfs: add path->really_keep_locks. - btrfs: add prefix to sanity tests messages. - Btrfs: add rw argument to merge_bio_hook(). - Btrfs: add some free space cache tests. - Btrfs: add some missing iput()'s in btrfs_orphan_cleanup. - Btrfs: add support for device replace ioctls. - Btrfs: add tree block level sanity check. - Btrfs: add two more find_device() methods. - Btrfs: allocate new chunks if the space is not enough for global rsv. - Btrfs: allow file data clone within a file. - Btrfs: allow for selecting only completely empty chunks. - Btrfs: allow omitting stream header and end-cmd for btrfs send. - Btrfs: allow repair code to include target disk when searching mirrors. - Btrfs: allow running defrag in parallel to administrative tasks. - Btrfs: allow superblock mismatch from older mkfs. - btrfs: annotate intentional switch case fallthroughs. - btrfs: annotate quota tree for lockdep. - Btrfs: automatic rescan after 'quota enable' command. - Btrfs: avoid deadlock on transaction waiting list. - Btrfs: avoid double free of fs_info->qgroup_ulist. - Btrfs: avoid risk of a deadlock in btrfs_handle_error. - Btrfs: bring back balance pause/resume logic. - Btrfs: build up error handling for merge_reloc_roots. - Btrfs: change core code of btrfs to support the device replace operations. - Btrfs: changes to live filesystem are also written to replacement disk. - Btrfs: Check CAP_DAC_READ_SEARCH for BTRFS_IOC_INO_PATHS. - Btrfs: check for actual acls rather than just xattrs when caching no acl. - Btrfs: check for NULL pointer in updating reloc roots. - Btrfs: check if leaf's parent exists before pushing items around. - Btrfs: check if we can nocow if we don't have data space. - Btrfs: check return value of commit when recovering log. - Btrfs: check the return value of btrfs_run_ordered_operations(). - Btrfs: check the return value of btrfs_start_delalloc_inodes(). - btrfs: clean snapshots one by one. - btrfs: clean up transaction abort messages. - Btrfs: cleanup backref search commit root flag stuff. - Btrfs: cleanup, btrfs_read_fs_root_no_name() doesn't return NULL. - Btrfs: cleanup destroy_marked_extents. - Btrfs: cleanup: don't check the same thing twice. - Btrfs: cleanup duplicated division functions. - Btrfs: cleanup for btrfs_btree_balance_dirty. - Btrfs: cleanup for btrfs_wait_order_range. - btrfs: cleanup for open-coded alignment. - Btrfs: cleanup fs roots if we fail to mount. - Btrfs: cleanup of function where btrfs_extend_item() is called. - Btrfs: cleanup of function where fixup_low_keys() is called. - Btrfs: cleanup orphan reservation if truncate fails. - Btrfs: cleanup orphaned root orphan item. - Btrfs: cleanup redundant code in btrfs_submit_direct(). - Btrfs: cleanup scrub bio and worker wait code. - Btrfs: cleanup similar code in delayed inode. - btrfs: Cleanup some redundant codes in btrfs_log_inode(). - btrfs: Cleanup some redundant codes in btrfs_lookup_csums_range(). - Btrfs: cleanup the code of copy_nocow_pages_for_inode(). - Btrfs: cleanup the similar code of the fs root read. - Btrfs: cleanup to make the function btrfs_delalloc_reserve_metadata more logic. - Btrfs: cleanup to remove reduplicate code in transaction.c. - Btrfs: cleanup unnecessary assignment when cleaning up all the residual transaction. - Btrfs: cleanup unnecessary clear when freeing a transaction or a trans handle. - Btrfs: cleanup unused arguments. - Btrfs: cleanup unused arguments in send.c. - Btrfs: cleanup unused arguments of btrfs_csum_data. - Btrfs: cleanup unused function. - Btrfs: clear received_uuid field for new writable snapshots. - Btrfs: Cocci spatch 'memdup.spatch'. - Btrfs: Cocci spatch 'ptr_ret.spatch'. - Btrfs: compare relevant parts of delayed tree refs. - Btrfs: copy everything if we've created an inline extent. - btrfs: cover more error codes in btrfs_decode_error. - Btrfs: creating the subvolume qgroup automatically when enabling quota. - Btrfs: deal with bad mappings in btrfs_map_block. - Btrfs: deal with errors in write_dev_supers. - Btrfs: deal with free space cache errors while replaying log. - btrfs: define BTRFS_MAGIC as a u64 value. - Btrfs: delete inline extents when we find them during logging. - Btrfs: delete unused function. - Btrfs: delete unused parameter to btrfs_read_root_item(). - btrfs: deprecate subvolrootid mount option. - btrfs: device delete to get errors from the kernel. - Btrfs: disable qgroup id 0. - Btrfs: disallow mutually exclusive admin operations from user mode. - Btrfs: disallow some operations on the device replace target device. - btrfs: do away with non-whole_page extent I/O. - Btrfs: do delay iput in sync_fs. - Btrfs: do not allow logged extents to be merged or removed. - Btrfs: do not BUG_ON in prepare_to_reloc. - Btrfs: do not BUG_ON on aborted situation. - Btrfs: do not call file_update_time in aio_write. - Btrfs: do not change inode flags in rename. - Btrfs: do not continue if out of memory happens. - Btrfs: do not delete a subvolume which is in a R/O subvolume. - Btrfs: do not log extents when we only log new names. - Btrfs: do not mark ems as prealloc if we are writing to them. - Btrfs: do not merge logged extents if we've removed them from the tree. - Btrfs: do not overcommit if we don't have enough space for global rsv. - Btrfs: do not pin while under spin lock. - Btrfs: do not warn_on io_ctl->cur in io_ctl_map_page. - Btrfs: don't abort the current transaction if there is no enough space for inode cache. - Btrfs: don't add a NULL extended attribute. - Btrfs: don't allow degraded mount if too many devices are missing. - Btrfs: don't allow device replace on RAID5/RAID6. - Btrfs: don't auto defrag a file when doing directIO. - Btrfs: don't bother copying if we're only logging the inode. - Btrfs: don't BUG_ON() in btrfs_num_copies. - Btrfs: don't call btrfs_qgroup_free if just btrfs_qgroup_reserve fails. - Btrfs: don't call readahead hook until we have read the entire eb. - Btrfs: don't delete fs_roots until after we cleanup the transaction. - Btrfs: don't drop path when printing out tree errors in scrub. - Btrfs: don't flush the delalloc inodes in the while loop if flushoncommit is set. - Btrfs: don't force pages under writeback to finish when aborting. - Btrfs: don't invoke btrfs_invalidate_inodes() in the spin lock context. - Btrfs: don't memset new tokens. - Btrfs: don't NULL pointer deref on abort. - Btrfs: don't panic if we're trying to drop too many refs. - Btrfs: don't re-enter when allocating a chunk. - Btrfs: don't start a new transaction when starting sync. - Btrfs: don't steal the reserved space from the global reserve if their space type is different. - btrfs: don't stop searching after encountering the wrong item. - Btrfs: don't take inode delalloc mutex if we're a free space inode. - Btrfs: don't traverse the ordered operation list repeatedly. - Btrfs: Don't trust the superblock label and simply printk('%s') it. - Btrfs: don't try and free ebs twice in log replay. - btrfs: don't try to notify udev about missing devices. - Btrfs: don't use global block reservation for inode cache truncation. - Btrfs: don't wait for all the writers circularly during the transaction commit. - Btrfs: don't wait on ordered extents if we have a trans open. - Btrfs: dont do log_removal in insert_new_root. - btrfs: Drop inode if inode root is NULL. - Btrfs: eliminate a use-after-free in btrfs_balance(). - Btrfs: enforce min_bytes parameter during extent allocation. - Btrfs: enhance btrfs structures for device replace support. - btrfs: enhance superblock checks. - btrfs: ensure we don't overrun devices_info in __btrfs_alloc_chunk. - Btrfs: exclude logged extents before replying when we are mixed. - Btrfs: explicitly use global_block_rsv for quota_tree. - Btrfs: extend the checksum item as much as possible. - btrfs: fall back to global reservation when removing subvolumes. - Btrfs: fill the global reserve when unpinning space. - Btrfs: fix a bug of per-file nocow. - Btrfs: fix a bug when llseek for delalloc bytes behind prealloc extents. - Btrfs: fix a build warning for an unused label. - Btrfs: fix a deadlock in aborting transaction due to ENOSPC. - Btrfs: fix a double free on pending snapshots in error handling. - Btrfs: fix a mismerge in btrfs_balance(). - Btrfs: fix a regression in balance usage filter. - Btrfs: fix a scrub regression in case of write errors. - Btrfs: fix a warning when disabling quota. - Btrfs: fix a warning when updating qgroup limit. - Btrfs: fix accessing a freed tree root. - Btrfs: fix accessing the root pointer in tree mod log functions. - Btrfs: fix all callers of read_tree_block. - Btrfs: fix an while-loop of listxattr. - Btrfs: fix autodefrag and umount lockup. - Btrfs: fix backref walking race with tree deletions. - Btrfs: fix bad extent logging. - Btrfs: fix broken nocow after balance. - btrfs: fix btrfs_cont_expand() freeing IS_ERR em. - btrfs: fix btrfs_extend_item() comment. - Btrfs: fix BUG() in scrub when first superblock reading gives EIO. - Btrfs: fix check on same raid type flag twice. - Btrfs: fix chunk allocation error handling. - Btrfs: fix cleaner thread not working with inode cache option. - Btrfs: fix cluster alignment for mount -o ssd. - btrfs: fix comment typos. - Btrfs: fix confusing edquot happening case. - Btrfs: fix crash in log replay with qgroups enabled. - Btrfs: fix crash regarding to ulist_add_merge. - Btrfs: fix deadlock due to unsubmitted. - Btrfs: fix double free in the btrfs_qgroup_account_ref(). - Btrfs: fix double free in the iterate_extent_inodes(). - Btrfs: fix EDQUOT handling in btrfs_delalloc_reserve_metadata. - Btrfs: fix EIO from btrfs send in is_extent_unchanged for punched holes. - Btrfs: fix error handling in btrfs_ioctl_send(). - Btrfs: fix error handling in make/read block group. - Btrfs: fix estale with btrfs send. - Btrfs: fix extent logging with O_DIRECT into prealloc. - Btrfs: fix freeing delayed ref head while still holding its mutex. - Btrfs: fix freeze vs auto defrag. - Btrfs: fix hash overflow handling. - Btrfs: fix how we discard outstanding ordered extents on abort. - Btrfs: fix infinite loop when we abort on mount. - Btrfs: fix joining the same transaction handler more than 2 times. - Btrfs: fix lockdep warning. - Btrfs: fix locking on ROOT_REPLACE operations in tree mod log. - Btrfs: fix lots of orphan inodes when the space is not enough. - Btrfs: fix max chunk size on raid5/6. - Btrfs: fix memory leak in btrfs_create_tree(). - Btrfs: fix memory leak in name_cache_insert(). - Btrfs: fix memory leak of log roots. - Btrfs: fix memory leak of pending_snapshot->inherit. - Btrfs: fix memory patcher through fs_info->qgroup_ulist. - btrfs: fix minor typo in comment. - btrfs: fix misleading variable name for flags. - Btrfs: fix missed transaction->aborted check. - Btrfs: fix missing check about ulist_add() in qgroup.c. - Btrfs: fix missing check before creating a qgroup relation. - Btrfs: fix missing check before disabling quota. - Btrfs: fix missing check in the btrfs_qgroup_inherit(). - Btrfs: fix missing deleted items in btrfs_clean_quota_tree. - Btrfs: fix missing flush when committing a transaction. - Btrfs: fix missing i_size update. - Btrfs: fix missing log when BTRFS_INODE_NEEDS_FULL_SYNC is set. - Btrfs: fix missing qgroup reservation before fallocating. - Btrfs: fix missing release of qgroup reservation in commit_transaction(). - Btrfs: fix missing release of the space/qgroup reservation in start_transaction(). - Btrfs: fix missing reserved space release in error path of delalloc reservation. - Btrfs: fix missing write access release in btrfs_ioctl_resize(). - Btrfs: fix 'mutually exclusive op is running' error code. - Btrfs: fix not being able to find skinny extents during relocate. - Btrfs: fix NULL pointer after aborting a transaction. - Btrfs: fix off-by-one error of the reserved size of btrfs_allocate(). - Btrfs: fix off-by-one error of the same page check in btrfs_punch_hole(). - Btrfs: fix off-by-one in fiemap. - Btrfs: fix off-by-one in lseek. - Btrfs: fix oops when recovering the file data by scrub function. - Btrfs: fix panic when recovering tree log. - Btrfs: fix permissions of empty files not affected by umask. - Btrfs: fix permissions of empty files not affected by umask. - Btrfs: fix possible infinite loop in slow caching. - Btrfs: fix possible memory leak in replace_path(). - Btrfs: fix possible memory leak in the find_parent_nodes(). - Btrfs: fix possible stale data exposure. - Btrfs: Fix printk and variable name. - Btrfs: fix qgroup rescan resume on mount. - Btrfs: fix race between mmap writes and compression. - Btrfs: fix race between snapshot deletion and getting inode. - Btrfs: fix race in check-integrity caused by usage of bitfield. - Btrfs: fix reada debug code compilation. - Btrfs: fix remount vs autodefrag. - Btrfs: fix repeated delalloc work allocation. - Btrfs: fix resize a readonly device. - Btrfs: fix several potential problems in copy_nocow_pages_for_inode. - Btrfs: fix space accounting for unlink and rename. - Btrfs: fix space leak when we fail to reserve metadata space. - btrfs: fix the code comments for LZO compression workspace. - Btrfs: fix the comment typo for btrfs_attach_transaction_barrier. - Btrfs: fix the deadlock between the transaction start/attach and commit. - Btrfs: fix the page that is beyond EOF. - Btrfs: fix the qgroup reserved space is released prematurely. - Btrfs: fix the race between bio and btrfs_stop_workers. - Btrfs: fix transaction throttling for delayed refs. - Btrfs: fix tree mod log regression on root split operations. - Btrfs: fix trivial error in btrfs_ioctl_resize(). - Btrfs: Fix typo in fs/btrfs. - Btrfs: fix unblocked autodefraggers when remount. - Btrfs: fix unclosed transaction handler when the async transaction commitment fails. - Btrfs: fix uncompleted transaction. - Btrfs: fix unlock after free on rewinded tree blocks. - Btrfs: fix unlock order in btrfs_ioctl_resize. - Btrfs: fix unlock order in btrfs_ioctl_rm_dev. - Btrfs: fix unnecessary while loop when search the free space, cache. - Btrfs: fix unprotected defragable inode insertion. - Btrfs: fix unprotected extent map operation when logging file extents. - Btrfs: fix unprotected root node of the subvolume's inode rb-tree. - Btrfs: fix use-after-free bug during umount. - btrfs: fix varargs in __btrfs_std_error. - Btrfs: fix warning of free_extent_map. - Btrfs: fix warning when creating snapshots. - Btrfs: fix wrong comment in can_overcommit(). - Btrfs: fix wrong file extent length. - Btrfs: fix wrong handle at error path of create_snapshot() when the commit fails. - Btrfs: fix wrong max device number for single profile. - Btrfs: fix wrong mirror number tuning. - Btrfs: fix wrong outstanding_extents when doing DIO write. - Btrfs: fix wrong reservation of csums. - Btrfs: fix wrong reserved space in qgroup during snap/subv creation. - Btrfs: fix wrong reserved space when deleting a snapshot/subvolume. - Btrfs: fix wrong return value of btrfs_lookup_csum(). - Btrfs: fix wrong return value of btrfs_truncate_page(). - Btrfs: fix wrong return value of btrfs_wait_for_commit(). - Btrfs: fix wrong sync_writers decrement in btrfs_file_aio_write(). - btrfs: fixup/remove module.h usage as required. - Btrfs: flush all dirty inodes if writeback can not start. - Btrfs: free all recorded tree blocks on error. - Btrfs: free csums when we're done scrubbing an extent. - Btrfs: get better concurrency for snapshot-aware defrag work. - Btrfs: get right arguments for btrfs_wait_ordered_range. - btrfs: get the device in write mode when deleting it. - Btrfs: get write access for qgroup operations. - Btrfs: get write access for scrub. - Btrfs: get write access when doing resize fs. - Btrfs: get write access when removing a device. - Btrfs: get write access when setting the default subvolume. - Btrfs: handle a bogus chunk tree nicely. - Btrfs: handle errors from btrfs_map_bio() everywhere. - Btrfs: handle errors in compression submission path. - btrfs: handle errors returned from get_tree_block_key. - btrfs: handle null fs_info in btrfs_panic(). - Btrfs: handle running extent ops with skinny metadata. - Btrfs: hold the ordered operations mutex when waiting on ordered extents. - Btrfs: hold the tree mod lock in __tree_mod_log_rewind. - Btrfs: if we aren't committing just end the transaction if we error out. - btrfs: ignore device open failures in __btrfs_open_devices. - Btrfs: ignore orphan qgroup relations. - Btrfs: implement unlocked dio write. - Btrfs: improve the delayed inode throttling. - Btrfs: improve the loop of scrub_stripe. - Btrfs: improve the noflush reservation. - Btrfs: improve the performance of the csums lookup. - Btrfs: in scrub repair code, optimize the reading of mirrors. - Btrfs: in scrub repair code, simplify alloc error handling. - Btrfs: Include the device in most error printk()s. - Btrfs: increase BTRFS_MAX_MIRRORS by one for dev replace. - btrfs: Init io_lock after cloning btrfs device struct. - Btrfs: init relocate extent_io_tree with a mapping. - Btrfs: inline csums if we're fsyncing. - Btrfs: introduce a btrfs_dev_replace_item type. - Btrfs: introduce a mutex lock for btrfs quota operations. - Btrfs: introduce GET_READ_MIRRORS functionality for btrfs_map_block(). - Btrfs: introduce grab/put functions for the root of the fs/file tree. - Btrfs: introduce per-subvolume delalloc inode list. - Btrfs: introduce per-subvolume ordered extent list. - Btrfs: introduce qgroup_ulist to avoid frequently allocating/freeing ulist. - Btrfs: just flush the delalloc inodes in the source tree before snapshot creation. - Btrfs: keep track of the extents original block length. - Btrfs: kill replicate code in replay_one_buffer. - Btrfs: kill some BUG_ONs() in the find_parent_nodes(). - Btrfs: kill unnecessary arguments in del_ptr. - Btrfs: kill unused argument of btrfs_pin_extent_for_log_replay. - Btrfs: kill unused argument of update_block_group. - Btrfs: kill unused arguments of cache_block_group. - Btrfs: let allocation start from the right raid type. - btrfs: limit fallocate extent reservation to 256MB. - Btrfs: limit the global reserve to 512mb. - btrfs: list_entry can't return NULL. - Btrfs: log changed inodes based on the extent map tree. - Btrfs: log ram bytes properly. - Btrfs: make __merge_refs() return type be void. - Btrfs: make backref walking code handle skinny metadata. - Btrfs: make delalloc inodes be flushed by multi-task. - Btrfs: make delayed ref lock logic more readable. - Btrfs: make ordered extent be flushed by multi-task. - Btrfs: make ordered operations be handled by multi-task. - btrfs: make orphan cleanup less verbose. - Btrfs: make raid attr array more readable. - btrfs: make static code static & remove dead code. - btrfs: make subvol creation/deletion killable in the early stages. - Btrfs: make sure nbytes are right after log replay. - Btrfs: make sure NODATACOW also gets NODATASUM set. - Btrfs: make sure roots are assigned before freeing their nodes. - Btrfs: make the chunk allocator completely tree lockless. - Btrfs: make the cleaner complete early when the fs is going to be umounted. - Btrfs: make the scrub page array dynamically allocated. - Btrfs: make the snap/subv deletion end more early when the fs is R/O. - Btrfs: make the state of the transaction more readable. - Btrfs: merge inode_list in __merge_refs. - Btrfs: merge pending IO for tree log write back. - btrfs: merge save_error_info helpers into one. - Btrfs: MOD_LOG_KEY_REMOVE_WHILE_MOVING never change node's nritems. - btrfs: more open-coded file_inode(). - Btrfs: move btrfs_truncate_page to btrfs_cont_expand instead of btrfs_truncate. - Btrfs: move checks in set_page_dirty under DEBUG. - Btrfs: move d_instantiate outside the transaction during mksubvol. - Btrfs: move fs/btrfs/ioctl.h to include/uapi/linux/btrfs.h. - btrfs: move ifdef around sanity checks out of init_btrfs_fs. - btrfs: move leak debug code to functions. - Btrfs: move some common code into a subfunction. - Btrfs: move the R/O check out of btrfs_clean_one_deleted_snapshot(). - btrfs: Notify udev when removing device. - Btrfs: only clear dirty on the buffer if it is marked as dirty. - Btrfs: only do the tree_mod_log_free_eb if this is our last ref. - Btrfs: only exclude supers in the range of our block group. - Btrfs: only log the inode item if we can get away with it. - Btrfs: only unlock and relock if we have to. - Btrfs: optimize leaf_space_used. - Btrfs: optimize read_block_for_search. - Btrfs: optimize reada_for_balance. - Btrfs: optimize the error handle of use_block_rsv(). - Btrfs: optionally avoid reads from device replace source drive. - Btrfs: pass fs_info instead of root. - Btrfs: pass fs_info to btrfs_map_block() instead of mapping_tree. - Btrfs: Pass fs_info to btrfs_num_copies() instead of mapping_tree. - Btrfs: pass NULL instead of 0. - Btrfs: pass root object into btrfs_ioctl_{start, wait}_sync(). - Btrfs: pause the space balance when remounting to R/O. - Btrfs: place ordered operations on a per transaction list. - Btrfs: prevent qgroup destroy when there are still relations. - Btrfs: protect devices list with its mutex. - Btrfs: protect fs_info->alloc_start. - Btrfs: punch hole past the end of the file. - Btrfs: put csums on the right ordered extent. - Btrfs: put our inode if orphan cleanup fails. - Btrfs: put raid properties into global table. - btrfs: put some enospc messages under enospc_debug. - Btrfs: RAID5 and RAID6. - btrfs/raid56: Add missing #include . - btrfs: read entire device info under lock. - Btrfs: recheck bio against block device when we map the bio. - Btrfs: record first logical byte in memory. - Btrfs: reduce CPU contention while waiting for delayed extent operations. - Btrfs: reduce lock contention on extent buffer locks. - Btrfs: refactor error handling to drop inode in btrfs_create(). - Btrfs: relax the block group size limit for bitmaps. - btrfs: remove a printk from scan_one_device. - Btrfs: remove almost all of the BUG()'s from tree-log.c. - Btrfs: remove btrfs_sector_sum structure. - Btrfs: remove btrfs_try_spin_lock. - Btrfs: remove BUG_ON() in btrfs_read_fs_tree_no_radix(). - btrfs: remove cache only arguments from defrag path. - Btrfs: remove conflicting check for minimum number of devices in raid56. - Btrfs: remove deprecated comments. - Btrfs: remove extent mapping if we fail to add chunk. - Btrfs: remove reduplicate check about root in the function btrfs_clean_quota_tree. - Btrfs: remove some BUG_ONs() when walking backref tree. - Btrfs: remove some unnecessary spin_lock usages. - Btrfs: remove the block device pointer from the scrub context struct. - Btrfs: remove the code for the impossible case in cleanup_transaction(). - Btrfs: Remove the invalid shrink size check up from btrfs_shrink_dev(). - Btrfs: remove the time check in btrfs_commit_transaction(). - btrfs: remove unnecessary cur_trans set before goto loop in join_transaction. - btrfs: remove unnecessary DEFINE_WAIT() declarations. - Btrfs: remove unnecessary dget_parent/dput when creating the pending snapshot. - Btrfs: remove unnecessary ->s_umount in cleaner_kthread(). - Btrfs: remove unnecessary varient ->num_joined in btrfs_transaction structure. - Btrfs: remove unused argument of btrfs_extend_item(). - Btrfs: remove unused argument of fixup_low_keys(). - Btrfs: remove unused code in btrfs_del_root. - Btrfs: remove unused extent io tree ops V2. - btrfs: remove unused fd in btrfs_ioctl_send(). - btrfs: remove unused fs_info from btrfs_decode_error(). - btrfs: remove unused gfp mask parameter from release_extent_buffer callchain. - btrfs: remove unused 'item' in btrfs_insert_delayed_item(). - Btrfs: remove unused variable in __process_changed_new_xattr(). - Btrfs: remove unused variable in the iterate_extent_inodes(). - Btrfs: remove useless copy in quota_ctl. - Btrfs: remove warn on in free space cache writeout. - Btrfs: rename root_times_lock to root_item_lock. - Btrfs: rename the scrub context structure. - Btrfs: reorder locks and sanity checks in btrfs_ioctl_defrag. - Btrfs: reorder tree mod log operations in deleting a pointer. - Btrfs: rescan for qgroups. - Btrfs: reset path lock state to zero. - Btrfs: restructure btrfs_run_defrag_inodes(). - Btrfs: return as soon as possible when edquot happens. - Btrfs: return EIO if we have extent tree corruption. - Btrfs: return ENOMEM rather than use BUG_ON when btrfs_alloc_path fails. - Btrfs: return errno if possible when we fail to allocate memory. - Btrfs: return error code in btrfs_check_trunc_cache_free_space(). - Btrfs: return error when we specify wrong start to defrag. - Btrfs: return free space in cow error path. - Btrfs: rework the overcommit logic to be based on the total size. - Btrfs: save us a read_lock. - Btrfs: select XOR_BLOCKS in Kconfig. - Btrfs: separate sequence numbers for delayed ref tracking and tree mod log. - Btrfs: serialize unlocked dio reads with truncate. - Btrfs: set/change the label of a mounted file system. - Btrfs: set flushing if we're limited flushing. - Btrfs: set hole punching time properly. - Btrfs: set UUID in root_item for created trees. - Btrfs: share stop worker code. - btrfs: show compiled-in config features at module load time. - Btrfs: simplify unlink reservations. - Btrfs: skip adding an acl attribute if we don't have to. - Btrfs: snapshot-aware defrag. - Btrfs: split btrfs_qgroup_account_ref into four functions. - Btrfs: steal from global reserve if we are cleaning up orphans. - Btrfs: stop all workers before cleaning up roots. - Btrfs: stop using try_to_writeback_inodes_sb_nr to flush delalloc. - Btrfs: stop waiting on current trans if we aborted. - Btrfs: traverse and flush the delalloc inodes once. - btrfs: try harder to allocate raid56 stripe cache. - Btrfs: unlock extent range on enospc in compressed submit. - btrfs: unpin_extent_cache: fix the typo and unnecessary arguements. - Btrfs: unreserve space if our ordered extent fails to work. - btrfs: update kconfig title. - Btrfs: update the global reserve if it is empty. - btrfs: update timestamps on truncate(). - Btrfs: update to use fs_state bit. - Btrfs: use a btrfs bioset instead of abusing bio internals. - Btrfs: use a lock to protect incompat/compat flag of the super block. - Btrfs: use a percpu to keep track of possibly pinned bytes. - Btrfs: use bit operation for ->fs_state. - Btrfs: use common work instead of delayed work. - Btrfs: use ctl->unit for free space calculation instead of block_group->sectorsize. - Btrfs: use existing align macros in btrfs_allocate(). - Btrfs: use helper to cleanup tree roots. - btrfs: use only inline_pages from extent buffer. - Btrfs: use percpu counter for dirty metadata count. - Btrfs: use percpu counter for fs_info->delalloc_bytes. - btrfs: use rcu_barrier() to wait for bdev puts at unmount. - Btrfs: use REQ_META for all metadata IO. - Btrfs: use reserved space for creating a snapshot. - Btrfs: use right range to find checksum for compressed extents. - Btrfs: use seqlock to protect fs_info->avail_{data, metadata, system}_alloc_bits. - Btrfs: use set_nlink if our i_nlink is 0. - Btrfs: use slabs for auto defrag allocation. - Btrfs: use slabs for delayed reference allocation. - Btrfs: use the inode own lock to protect its delalloc_bytes. - Btrfs: use token to avoid times mapping extent buffer. - Btrfs: use tokens where we can in the tree log. - Btrfs: use tree_root to avoid edquot when disabling quota. - btrfs: use unsigned long type for extent state bits. - Btrfs: use wrapper page_offset. - Btrfs: various abort cleanups. - Btrfs: wait on ordered extents at the last possible moment. - Btrfs: wait ordered range before doing direct io. - Btrfs: wake up delayed ref flushing waiters on abort. - clear chunk_alloc flag on retryable failure. - Correct allowed raid levels on balance. - Fix misspellings of 'whether' in comments. - fs/btrfs: drop if around WARN_ON. - fs/btrfs: remove depends on CONFIG_EXPERIMENTAL. - fs/btrfs: use WARN. - Minor format cleanup. - new helper: file_inode(file). - Revert 'Btrfs: fix permissions of empty files not affected by umask'. - Revert 'Btrfs: MOD_LOG_KEY_REMOVE_WHILE_MOVING never change node's nritems'. - Revert 'Btrfs: reorder tree mod log operations in deleting a pointer'. - treewide: Fix typo in printk. - writeback: remove nr_pages_dirtied arg from balance_dirty_pages_ratelimited_nr(). - drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (bnc#824295, CVE-2013-2164). - fanotify: info leak in copy_event_to_user() (CVE-2013-2148 bnc#823517). - block: do not pass disk names as format strings (bnc#822575 CVE-2013-2851). - libceph: Fix NULL pointer dereference in auth client code. (CVE-2013-1059, bnc#826350) - Update patches.drivers/media-rtl28xxu-01-add-NOXON-DAB-DAB-USB- dongle-rev-2.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-02-1b80-d3a8-ASUS-My-Cine ma-U3100Mini-Pl.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-03-add-Gigabyte-U7300-DVB -T-Dongle.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-04-correct-some-device-na mes.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-05-Support-Digivox-Mini-H D.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-06-Add-USB-IDs-for-Compro -VideoMate-U620.patch (bnc#811882). - Update patches.drivers/media-rtl28xxu-07-Add-USB-ID-for-MaxMedi a-HU394-T.patch (bnc#811882). Correct the bnc reference. - Update patches.fixes/block-discard-granularity-might-not-be-pow er-of-2.patch (bnc#823797). - block: discard granularity might not be power of 2. - USB: reset resume quirk needed by a hub (bnc#810144). - NFS: Fix keytabless mounts (bnc#817651). - ipv4: fix redirect handling for TCP packets (bnc#814510). - Always include the git commit in KOTD builds This allows us not to set it explicitly in builds submitted to the official distribution (bnc#821612, bnc#824171). - Btrfs: relocate csums properly with prealloc extents. - gcc4: disable __compiletime_object_size for GCC 4.6+ (bnc#837258). - ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist (bnc#833585).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74878
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74878
    title openSUSE Security Update : kernel (openSUSE-SU-2013:1971-1)
  • NASL family Misc.
    NASL id VMWARE_ESX_VMSA-2013-0015_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - Kernel - Netscape Portable Runtime (NSPR) - Network Security Services (NSS)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 89670
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89670
    title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0015) (remote check)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1264.NASL
    description Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.3. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A heap-based buffer overflow flaw was found in the Linux kernel's iSCSI target subsystem. A remote attacker could use a specially crafted iSCSI request to cause a denial of service on a system or, potentially, escalate their privileges on that system. (CVE-2013-2850, Important) * A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Two flaws were found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use these flaws to cause a denial of service. (CVE-2013-4162, CVE-2013-4163, Moderate) * A flaw was found in the Linux kernel's Chipidea USB driver. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2013-2058, Low) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low) * Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2013-2141, CVE-2013-2148, Low) * A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0). (CVE-2013-2851, Low) * A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the 'fwpostfix' b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2013-2852, Low) * A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service. (CVE-2013-3301, Low) Red Hat would like to thank Kees Cook for reporting CVE-2013-2850, CVE-2013-2851, and CVE-2013-2852; and Hannes Frederic Sowa for reporting CVE-2013-4162 and CVE-2013-4163. This update also fixes the following bugs : * The following drivers have been updated, fixing a number of bugs: myri10ge, bna, enic, mlx4, bgmac, bcma, cxgb3, cxgb4, qlcnic, r8169, be2net, e100, e1000, e1000e, igb, ixgbe, brcm80211, cpsw, pch_gbe, bfin_mac, bnx2x, bnx2, cnic, tg3, and sfc. (BZ#974138) * The realtime kernel was not built with the CONFIG_NET_DROP_WATCH kernel configuration option enabled. As such, attempting to run the dropwatch command resulted in the following error : Unable to find NET_DM family, dropwatch can't work Cleaning up on socket creation error With this update, the realtime kernel is built with the CONFIG_NET_DROP_WATCH option, allowing dropwatch to work as expected. (BZ#979417) Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.6.11.5-rt37, and correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76665
    published 2014-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76665
    title RHEL 6 : MRG (RHSA-2013:1264)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2013-0015.NASL
    description a. Update to ESX service console kernel The ESX service console kernel is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232 to these issues. b. Update to ESX service console NSPR and NSS This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0791 and CVE-2013-1620 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 71245
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71245
    title VMSA-2013-0015 : VMware ESX updates to third-party libraries
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1173.NASL
    description From Red Hat Security Advisory 2013:1173 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2012-6544, Low) * An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 69492
    published 2013-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69492
    title Oracle Linux 6 : kernel (ELSA-2013-1173)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130820_KERNEL_ON_SL5_X.NASL
    description This update fixes the following security issues : - A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) - It was found that the fix for CVE-2012-3552 released via SLSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) - An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) - Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low) The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 69440
    published 2013-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69440
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1938-1.NASL
    description Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows specified to be run as root. A local could exploit this flaw to run commands as root when using the perf tool. user could exploit this (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the Linux kernel when it provides read-only access to a disk that supports TRIM or SCSI UNMAP to a guest OS. A privileged user in the guest OS could exploit this flaw to destroy data on the disk, even though the guest OS should not be able to write to the disk. (CVE-2013-2140) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162) Hannes Frederic Sowa discovered a flaw in the IPv6 subsystem of the Linux kernel when the IPV6_MTU setsockopt option has been specified in combination with the UDP_CORK option. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4163). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 69798
    published 2013-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69798
    title Ubuntu 13.04 : linux vulnerabilities (USN-1938-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1941-1.NASL
    description Chanam Park reported a NULL pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning. (CVE-2013-2164) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851) Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162) Hannes Frederic Sowa discovered a flaw in the IPv6 subsystem of the Linux kernel when the IPV6_MTU setsockopt option has been specified in combination with the UDP_CORK option. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4163). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69809
    published 2013-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69809
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1941-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1166.NASL
    description From Red Hat Security Advisory 2013:1166 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 69456
    published 2013-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69456
    title Oracle Linux 5 : kernel (ELSA-2013-1166)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1166.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69434
    published 2013-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69434
    title CentOS 5 : kernel (CESA-2013:1166)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-218.NASL
    description The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application. The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call. The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket. The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 70222
    published 2013-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70222
    title Amazon Linux AMI : kernel (ALAS-2013-218)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1912-1.NASL
    description Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning. (CVE-2013-2164) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) An information leak was discovered in the Linux kernel's IPSec key_socket when using the notify_policy interface. A local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2237) Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69121
    published 2013-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69121
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1912-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1166-1.NASL
    description From Red Hat Security Advisory 2013:1166 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 69455
    published 2013-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69455
    title Oracle Linux 5 : kernel (ELSA-2013-1166-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-194.NASL
    description Multiple vulnerabilities has been found and corrected in the Linux kernel : net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. (CVE-2013-1059) The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. (CVE-2013-2147) The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148) Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851) The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164) The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237) The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (CVE-2013-2234) The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232) The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. (CVE-2012-5517) Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. (CVE-2013-2852) The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call. (CVE-2013-3301) The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. (CVE-2013-0231) The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774) Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet. (CVE-2013-2850) The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 67254
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67254
    title Mandriva Linux Security Advisory : kernel (MDVSA-2013:194)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1944-1.NASL
    description A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service (prevent file creation) for a victim, by creating a file with a specific CRC32C hash value in a directory important to the victim. (CVE-2012-5375) Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the Linux kernel when it provides read-only access to a disk that supports TRIM or SCSI UNMAP to a guest OS. A privileged user in the guest OS could exploit this flaw to destroy data on the disk, even though the guest OS should not be able to write to the disk. (CVE-2013-2140) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162) Hannes Frederic Sowa discovered a flaw in the IPv6 subsystem of the Linux kernel when the IPV6_MTU setsockopt option has been specified in combination with the UDP_CORK option. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4163). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69811
    published 2013-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69811
    title Ubuntu 12.10 : linux vulnerabilities (USN-1944-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2543.NASL
    description Description of changes: [2.6.39-400.109.6.el6uek] - block: do not pass disk names as format strings (Kees Cook) [Orabug: 17230083] {CVE-2013-2851} - libceph: Fix NULL pointer dereference in auth client code (Tyler Hicks) [Orabug: 17230108] {CVE-2013-1059} - ipv6: ip6_sk_dst_check() must not assume ipv6 dst (Eric Dumazet) [Orabug: 17371078] {CVE-2013-2232} - af_key: initialize satype in key_notify_policy_flush() (Nicolas Dichtel) [Orabug: 17370788] {CVE-2013-2237} - Bluetooth: HCI - Fix info leak via getsockname() (Mathias Krause) [Orabug: 17370892] {CVE-2012-6544} - Bluetooth: L2CAP - Fix info leak via getsockname() (Mathias Krause) [Orabug: 17371050] {CVE-2012-6544} - Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER) (Mathias Krause) [Orabug: 17371065] {CVE-2012-6544} - sctp: Use correct sideffect command in duplicate cookie handling (Vlad Yasevich) [Orabug: 17371118] {CVE-2013-2206} - sctp: deal with multiple COOKIE_ECHO chunks (Max Matveev) [Orabug: 17372121] {CVE-2013-2206}
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69510
    published 2013-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69510
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2543)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-813.NASL
    description The Linux kernel was updated to 3.4.63, fixing various bugs and security issues. - Linux 3.4.59 (CVE-2013-2237 bnc#828119). - Linux 3.4.57 (CVE-2013-2148 bnc#823517). - Linux 3.4.55 (CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163 bnc#827749 bnc#827750 bnc#831055 bnc#831058). - Drivers: hv: util: Fix a bug in util version negotiation code (bnc#838346). - vmxnet3: prevent div-by-zero panic when ring resizing uninitialized dev (bnc#833321). - bnx2x: protect different statistics flows (bnc#814336). - bnx2x: Avoid sending multiple statistics queries (bnc#814336). - Drivers: hv: util: Fix a bug in version negotiation code for util services (bnc#828714). - Update Xen patches to 3.4.53. - netfront: fix kABI after 'reduce gso_max_size to account for max TCP header'. - netback: don't disconnect frontend when seeing oversize packet (bnc#823342). - netfront: reduce gso_max_size to account for max TCP header. - backends: Check for insane amounts of requests on the ring. - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: locking, release lock around quota operations (bnc#815320). - reiserfs: locking, handle nested locks properly (bnc#815320). - reiserfs: locking, push write lock out of xattr code (bnc#815320). - ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size (bnc#831055, CVE-2013-4163). - af_key: fix info leaks in notify messages (bnc#827749 CVE-2013-2234). - af_key: initialize satype in key_notify_policy_flush() (bnc#828119 CVE-2013-2237). - ipv6: call udp_push_pending_frames when uncorking a socket with (bnc#831058, CVE-2013-4162). - ipv6: ip6_sk_dst_check() must not assume ipv6 dst. - xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end (CVE-2013-1819 bnc#807471). - brcmsmac: don't start device when RfKill is engaged (bnc#787649). - CIFS: Protect i_nlink from being negative (bnc#785542 bnc#789598). - cifs: don't compare uniqueids in cifs_prime_dcache unless server inode numbers are in use (bnc#794988). - xfs: xfs: fallback to vmalloc for large buffers in xfs_compat_attrlist_by_handle (bnc#818053 bnc#807153). - xfs: fallback to vmalloc for large buffers in xfs_attrlist_by_handle (bnc#818053 bnc#807153). - Linux 3.4.53 (CVE-2013-2164 CVE-2013-2851 bnc#822575 bnc#824295). - drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (bnc#824295, CVE-2013-2164). - fanotify: info leak in copy_event_to_user() (CVE-2013-2148 bnc#823517). - block: do not pass disk names as format strings (bnc#822575 CVE-2013-2851). - ext4: avoid hang when mounting non-journal filesystems with orphan list (bnc#817377). - Linux 3.4.49 (CVE-2013-0231 XSA-43 bnc#801178). - Linux 3.4.48 (CVE-2013-1774 CVE-2013-2850 bnc#806976 bnc#821560). - Always include the git commit in KOTD builds This allows us not to set it explicitly in builds submitted to the official distribution (bnc#821612, bnc#824171). - Bluetooth: Really fix registering hci with duplicate name (bnc#783858). - Bluetooth: Fix registering hci with duplicate name (bnc#783858).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75184
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75184
    title openSUSE Security Update : kernel (openSUSE-SU-2013:1619-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-130827.NASL
    description The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to version 3.0.93 and includes various bug and security fixes. The following security bugs have been fixed : - The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148) - The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237) - The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232) - The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (CVE-2013-2234) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel made an incorrect function call for pending data, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4162) - net/ceph/auth_none.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. (CVE-2013-1059) - The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164) - Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel did not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929) - The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel did not validate block numbers, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map. (CVE-2013-1819) - The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. (CVE-2013-1774) Also the following bugs have been fixed : BTRFS : - btrfs: merge contiguous regions when loading free space cache - btrfs: fix how we deal with the orphan block rsv - btrfs: fix wrong check during log recovery - btrfs: change how we indicate we are adding csums - btrfs: flush delayed inodes if we are short on space. (bnc#801427) - btrfs: rework shrink_delalloc. (bnc#801427) - btrfs: fix our overcommit math. (bnc#801427) - btrfs: delay block group item insertion. (bnc#801427) - btrfs: remove bytes argument from do_chunk_alloc. (bnc#801427) - btrfs: run delayed refs first when out of space. (bnc#801427) - btrfs: do not commit instead of overcommitting. (bnc#801427) - btrfs: do not take inode delalloc mutex if we are a free space inode. (bnc#801427) - btrfs: fix chunk allocation error handling. (bnc#801427) - btrfs: remove extent mapping if we fail to add chunk. (bnc#801427) - btrfs: do not overcommit if we do not have enough space for global rsv. (bnc#801427) - btrfs: rework the overcommit logic to be based on the total size. (bnc#801427) - btrfs: steal from global reserve if we are cleaning up orphans. (bnc#801427) - btrfs: clear chunk_alloc flag on retryable failure. (bnc#801427) - btrfs: use reserved space for creating a snapshot. (bnc#801427) - btrfs: cleanup to make the function btrfs_delalloc_reserve_metadata more logic. (bnc#801427) - btrfs: fix space leak when we fail to reserve metadata space. (bnc#801427) - btrfs: fix space accounting for unlink and rename. (bnc#801427) - btrfs: allocate new chunks if the space is not enough for global rsv. (bnc#801427) - btrfs: various abort cleanups. (bnc#812526 / bnc#801427) - btrfs: simplify unlink reservations (bnc#801427). OTHER : - x86: Add workaround to NMI iret woes. (bnc#831949) - x86: Do not schedule while still in NMI context. (bnc#831949) - bnx2x: Avoid sending multiple statistics queries. (bnc#814336) - bnx2x: protect different statistics flows. (bnc#814336) - futex: Take hugepages into account when generating futex_key. - drivers/hv: util: Fix a bug in version negotiation code for util services. (bnc#828714) - printk: Add NMI ringbuffer. (bnc#831949) - printk: extract ringbuffer handling from vprintk. (bnc#831949) - printk: NMI safe printk. (bnc#831949) - printk: Make NMI ringbuffer size independent on log_buf_len. (bnc#831949) - printk: Do not call console_unlock from nmi context. (bnc#831949) - printk: Do not use printk_cpu from finish_printk. (bnc#831949) - mlx4_en: Adding 40gb speed report for ethtool. (bnc#831410) - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: delay reiserfs lock until journal initialization. (bnc#815320) - reiserfs: do not lock journal_init(). (bnc#815320) - reiserfs: locking, handle nested locks properly. (bnc#815320) - reiserfs: locking, push write lock out of xattr code. (bnc#815320) - reiserfs: locking, release lock around quota operations. (bnc#815320) - NFS: support 'nosharetransport' option (bnc#807502, bnc#828192, FATE#315593). - dm mpath: add retain_attached_hw_handler feature. (bnc#760407) - scsi_dh: add scsi_dh_attached_handler_name. (bnc#760407) - bonding: disallow change of MAC if fail_over_mac enabled. (bnc#827376) - bonding: propagate unicast lists down to slaves. (bnc#773255 / bnc#827372) - bonding: emit address change event also in bond_release. (bnc#773255 / bnc#827372) - bonding: emit event when bonding changes MAC. (bnc#773255 / bnc#827372) - SUNRPC: Ensure we release the socket write lock if the rpc_task exits early. (bnc#830901) - ext4: force read-only unless rw=1 module option is used (fate#314864). - HID: fix unused rsize usage. (bnc#783475) - HID: fix data access in implement(). (bnc#783475) - xfs: fix deadlock in xfs_rtfree_extent with kernel v3.x. (bnc#829622) - r8169: allow multicast packets on sub-8168f chipset. (bnc#805371) - r8169: support new chips of RTL8111F. (bnc#805371) - r8169: define the early size for 8111evl. (bnc#805371) - r8169: fix the reset setting for 8111evl. (bnc#805371) - r8169: add MODULE_FIRMWARE for the firmware of 8111evl. (bnc#805371) - r8169: fix sticky accepts packet bits in RxConfig. (bnc#805371) - r8169: adjust the RxConfig settings. (bnc#805371) - r8169: support RTL8111E-VL. (bnc#805371) - r8169: add ERI functions. (bnc#805371) - r8169: modify the flow of the hw reset. (bnc#805371) - r8169: adjust some registers. (bnc#805371) - r8169: check firmware content sooner. (bnc#805371) - r8169: support new firmware format. (bnc#805371) - r8169: explicit firmware format check. (bnc#805371) - r8169: move the firmware down into the device private data. (bnc#805371) - mm: link_mem_sections make sure nmi watchdog does not trigger while linking memory sections. (bnc#820434) - kernel: lost IPIs on CPU hotplug (bnc#825048, LTC#94784). - iwlwifi: use correct supported firmware for 6035 and 6000g2. (bnc#825887) - watchdog: Update watchdog_thresh atomically. (bnc#829357) - watchdog: update watchdog_tresh properly. (bnc#829357) - watchdog: watchdog-make-disable-enable-hotplug-and-preempt-save.pa tch. (bnc#829357) - include/1/smp.h: define __smp_call_function_single for !CONFIG_SMP. (bnc#829357) - lpfc: Return correct error code on bsg_timeout. (bnc#816043) - dm-multipath: Drop table when retrying ioctl. (bnc#808940) - scsi: Do not retry invalid function error. (bnc#809122) - scsi: Always retry internal target error. (bnc#745640, bnc#825227) - ibmvfc: Driver version 1.0.1. (bnc#825142) - ibmvfc: Fix for offlining devices during error recovery. (bnc#825142) - ibmvfc: Properly set cancel flags when cancelling abort. (bnc#825142) - ibmvfc: Send cancel when link is down. (bnc#825142) - ibmvfc: Support FAST_IO_FAIL in EH handlers. (bnc#825142) - ibmvfc: Suppress ABTS if target gone. (bnc#825142) - fs/dcache.c: add cond_resched() to shrink_dcache_parent(). (bnc#829082) - kmsg_dump: do not run on non-error paths by default. (bnc#820172) - mm: honor min_free_kbytes set by user. (bnc#826960) - hyperv: Fix a kernel warning from netvsc_linkstatus_callback(). (bnc#828574) - RT: Fix up hardening patch to not gripe when avg > available, which lockless access makes possible and happens in -rt kernels running a cpubound ltp realtime testcase. Just keep the output sane in that case. - md/raid10: Fix two bug affecting RAID10 reshape (-). - Allow NFSv4 to run execute-only files. (bnc#765523) - fs/ocfs2/namei.c: remove unnecessary ERROR when removing non-empty directory. (bnc#819363) - block: Reserve only one queue tag for sync IO if only 3 tags are available. (bnc#806396) - drm/i915: Add wait_for in init_ring_common. (bnc#813604) - drm/i915: Mark the ringbuffers as being in the GTT domain. (bnc#813604) - ext4: avoid hang when mounting non-journal filesystems with orphan list. (bnc#817377) - autofs4 - fix get_next_positive_subdir(). (bnc#819523) - ocfs2: Add bits_wanted while calculating credits in ocfs2_calc_extend_credits. (bnc#822077) - re-enable io tracing. (bnc#785901) - SUNRPC: Prevent an rpc_task wakeup race. (bnc#825591) - tg3: Prevent system hang during repeated EEH errors. (bnc#822066) - backends: Check for insane amounts of requests on the ring. - Update Xen patches to 3.0.82. - netiucv: Hold rtnl between name allocation and device registration. (bnc#824159) - drm/edid: Do not print messages regarding stereo or csync by default. (bnc#821235) - net/sunrpc: xpt_auth_cache should be ignored when expired. (bnc#803320) - sunrpc/cache: ensure items removed from cache do not have pending upcalls. (bnc#803320) - sunrpc/cache: remove races with queuing an upcall. (bnc#803320) - sunrpc/cache: use cache_fresh_unlocked consistently and correctly. (bnc#803320) - md/raid10 'enough' fixes. (bnc#773837) - Update config files: disable IP_PNP. (bnc#822825) - Disable efi pstore by default. (bnc#804482 / bnc#820172) - md: Fix problem with GET_BITMAP_FILE returning wrong status. (bnc#812974 / bnc#823497) - USB: xHCI: override bogus bulk wMaxPacketSize values. (bnc#823082) - ALSA: hda - Fix system panic when DMA > 40 bits for Nvidia audio controllers. (bnc#818465) - USB: UHCI: fix for suspend of virtual HP controller. (bnc#817035) - mm: mmu_notifier: re-fix freed page still mapped in secondary MMU. (bnc#821052)
    last seen 2019-02-21
    modified 2015-09-10
    plugin id 70039
    published 2013-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70039
    title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 8263 / 8265 / 8273)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-12990.NASL
    description Update to latest stable upstream release, Linux v3.9.10 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 68974
    published 2013-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68974
    title Fedora 17 : kernel-3.9.10-100.fc17 (2013-12990)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1943-1.NASL
    description Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the Linux kernel when it provides read-only access to a disk that supports TRIM or SCSI UNMAP to a guest OS. A privileged user in the guest OS could exploit this flaw to destroy data on the disk, even though the guest OS should not be able to write to the disk. (CVE-2013-2140) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162) Hannes Frederic Sowa discovered a flaw in the IPv6 subsystem of the Linux kernel when the IPV6_MTU setsockopt option has been specified in combination with the UDP_CORK option. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4163). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69810
    published 2013-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69810
    title Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-1943-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1947-1.NASL
    description A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service (prevent file creation) for a victim, by creating a file with a specific CRC32C hash value in a directory important to the victim. (CVE-2012-5375) Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows specified to be run as root. A local could exploit this flaw to run commands as root when using the perf tool. user could exploit this (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the Linux kernel when it provides read-only access to a disk that supports TRIM or SCSI UNMAP to a guest OS. A privileged user in the guest OS could exploit this flaw to destroy data on the disk, even though the guest OS should not be able to write to the disk. (CVE-2013-2140) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) Hannes Frederic Sowa discovered a flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4162) Hannes Frederic Sowa discovered a flaw in the IPv6 subsystem of the Linux kernel when the IPV6_MTU setsockopt option has been specified in combination with the UDP_CORK option. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-4163). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69812
    published 2013-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69812
    title Ubuntu 12.04 LTS : linux-lts-quantal vulnerabilities (USN-1947-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1913-1.NASL
    description Jonathan Salwan discovered an information leak in the Linux kernel's cdrom driver. A local user can exploit this leak to obtain sensitive information from kernel memory if the CD-ROM drive is malfunctioning. (CVE-2013-2164) A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-2232) An information leak was discovered in the IPSec key_socket implementation in the Linux kernel. An local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2234) An information leak was discovered in the Linux kernel's IPSec key_socket when using the notify_policy interface. A local user could exploit this flaw to examine potentially sensitive information in kernel memory. (CVE-2013-2237) Kees Cook discovered a format string vulnerability in the Linux kernel's disk block layer. A local user with administrator privileges could exploit this flaw to gain kernel privileges. (CVE-2013-2851). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69122
    published 2013-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69122
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1913-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-12530.NASL
    description Update to latest upstream stable release, Linux v3.9.9. This also includes fixes for issues running VM guests some people were seeing. Update to latest stable upstream release, Linux v3.9.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 67343
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67343
    title Fedora 18 : kernel-3.9.9-201.fc18 (2013-12530)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2546.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise Kernel package(s).
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69942
    published 2013-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69942
    title Oracle Linux 5 / 6 : Unbreakable Enterprise Kernel (ELSA-2013-2546)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2766.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-2141 Emese Revfy provided a fix for an information leak in the tkill and tgkill system calls. A local user on a 64-bit system may be able to gain access to sensitive memory contents. - CVE-2013-2164 Jonathan Salwan reported an information leak in the CD-ROM driver. A local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive memory. - CVE-2013-2206 Karl Heiss reported an issue in the Linux SCTP implementation. A remote user could cause a denial of service (system crash). - CVE-2013-2232 Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6 subsystem. Local users could cause a denial of service by using an AF_INET6 socket to connect to an IPv4 destination. - CVE-2013-2234 Mathias Krause reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2237 Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2239 Jonathan Salwan discovered multiple memory leaks in the openvz kernel flavor. Local users could gain access to sensitive kernel memory. - CVE-2013-2851 Kees Cook reported an issue in the block subsystem. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2852 Kees Cook reported an issue in the b43 network driver for certain Broadcom wireless devices. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2888 Kees Cook reported an issue in the HID driver subsystem. A local user, with the ability to attach a device, could cause a denial of service (system crash). - CVE-2013-2892 Kees Cook reported an issue in the pantherlord HID device driver. Local users with the ability to attach a device could cause a denial of service or possibly gain elevated privileges.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 70200
    published 2013-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70200
    title Debian DSA-2766-1 : linux-2.6 - privilege escalation/denial of service/information leak
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1173.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2012-6544, Low) * An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 69493
    published 2013-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69493
    title RHEL 6 : kernel (RHSA-2013:1173)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1173.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user-space. (CVE-2012-6544, Low) * An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69496
    published 2013-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69496
    title CentOS 6 : kernel (CESA-2013:1173)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130827_KERNEL_ON_SL6_X.NASL
    description This update fixes the following security issues : - A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) - It was found that the fix for CVE-2012-3552 released via SLSA-2012:1304 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) - A flaw was found in the Linux kernel's Performance Events implementation. On systems with certain Intel processors, a local, unprivileged user could use this flaw to cause a denial of service by leveraging the perf subsystem to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1 model-specific registers. (CVE-2013-2146, Moderate) - An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) - Information leak flaws in the Linux kernel's Bluetooth implementation could allow a local, unprivileged user to leak kernel memory to user- space. (CVE-2012-6544, Low) - An information leak flaw in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2237, Low) The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 69503
    published 2013-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69503
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1166.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash. (CVE-2013-2206, Important) * It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system. (CVE-2013-2224, Important) * An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination. (CVE-2013-2232, Moderate) * Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space. (CVE-2013-2164, CVE-2013-2147, CVE-2013-2234, CVE-2013-2237, Low) This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69413
    published 2013-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69413
    title RHEL 5 : kernel (RHSA-2013:1166)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2745.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-1059 Chanam Park reported an issue in the Ceph distributed storage system. Remote users can cause a denial of service by sending a specially crafted auth_reply message. - CVE-2013-2148 Dan Carpenter reported an information leak in the filesystem wide access notification subsystem (fanotify). Local users could gain access to sensitive kernel memory. - CVE-2013-2164 Jonathan Salwan reported an information leak in the CD-ROM driver. A local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive memory. - CVE-2013-2232 Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6 subsystem. Local users could cause a denial of service by using an AF_INET6 socket to connect to an IPv4 destination. - CVE-2013-2234 Mathias Krause reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2237 Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2 sockets. Local users could gain access to sensitive kernel memory. - CVE-2013-2851 Kees Cook reported an issue in the block subsystem. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-2852 Kees Cook reported an issue in the b43 network driver for certain Broadcom wireless devices. Local users with uid 0 could gain elevated ring 0 privileges. This is only a security issue for certain specially configured systems. - CVE-2013-4162 Hannes Frederic Sowa reported an issue in the IPv6 networking subsystem. Local users can cause a denial of service (system crash). - CVE-2013-4163 Dave Jones reported an issue in the IPv6 networking subsystem. Local users can cause a denial of service (system crash). This update also includes a fix for a regression in the Xen subsystem.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69505
    published 2013-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69505
    title Debian DSA-2745-1 : linux - privilege escalation/denial of service/information leak
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-130828.NASL
    description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to version 3.0.93 and to fix various bugs and security issues. The following features have been added : - NFS: Now supports a 'nosharetransport' option (bnc#807502, bnc#828192, FATE#315593). - ALSA: virtuoso: Xonar DSX support was added (FATE#316016). The following security issues have been fixed : - The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148) - The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237) - The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. (CVE-2013-2232) - The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel made an incorrect function call for pending data, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-2234) - net/ceph/auth_none.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. (CVE-2013-1059) - The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. (CVE-2013-2164) - Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel did not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929) - The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel did not validate block numbers, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map. (CVE-2013-1819) Also the following non-security bugs have been fixed : - ACPI / APEI: Force fatal AER severity when component has been reset. (bnc#828886 / bnc#824568) - PCI/AER: Move AER severity defines to aer.h. (bnc#828886 / bnc#824568) - PCI/AER: Set dev->__aer_firmware_first only for matching devices. (bnc#828886 / bnc#824568) - PCI/AER: Factor out HEST device type matching. (bnc#828886 / bnc#824568) - PCI/AER: Do not parse HEST table for non-PCIe devices. (bnc#828886 / bnc#824568) - PCI/AER: Reset link for devices below Root Port or Downstream Port. (bnc#828886 / bnc#824568) - zfcp: fix lock imbalance by reworking request queue locking (bnc#835175, LTC#96825). - qeth: Fix crash on initial MTU size change (bnc#835175, LTC#96809). - qeth: change default standard blkt settings for OSA Express (bnc#835175, LTC#96808). - x86: Add workaround to NMI iret woes. (bnc#831949) - x86: Do not schedule while still in NMI context. (bnc#831949) - drm/i915: no longer call drm_helper_resume_force_mode. (bnc#831424,bnc#800875) - bnx2x: protect different statistics flows. (bnc#814336) - bnx2x: Avoid sending multiple statistics queries. (bnc#814336) - bnx2x: protect different statistics flows. (bnc#814336) - ALSA: hda - Fix unbalanced runtime pm refount. (bnc#834742) - xhci: directly calling _PS3 on suspend. (bnc#833148) - futex: Take hugepages into account when generating futex_key. - e1000e: workaround DMA unit hang on I218. (bnc#834647) - e1000e: unexpected 'Reset adapter' message when cable pulled. (bnc#834647) - e1000e: 82577: workaround for link drop issue. (bnc#834647) - e1000e: helper functions for accessing EMI registers. (bnc#834647) - e1000e: workaround DMA unit hang on I218. (bnc#834647) - e1000e: unexpected 'Reset adapter' message when cable pulled. (bnc#834647) - e1000e: 82577: workaround for link drop issue. (bnc#834647) - e1000e: helper functions for accessing EMI registers. (bnc#834647) - Drivers: hv: util: Fix a bug in version negotiation code for util services. (bnc#828714) - printk: Add NMI ringbuffer. (bnc#831949) - printk: extract ringbuffer handling from vprintk. (bnc#831949) - printk: NMI safe printk. (bnc#831949) - printk: Make NMI ringbuffer size independent on log_buf_len. (bnc#831949) - printk: Do not call console_unlock from nmi context. (bnc#831949) - printk: Do not use printk_cpu from finish_printk. (bnc#831949) - zfcp: fix schedule-inside-lock in scsi_device list loops (bnc#833073, LTC#94937). - uvc: increase number of buffers. (bnc#822164, bnc#805804) - drm/i915: Adding more reserved PCI IDs for Haswell. (bnc#834116) - Refresh patches.xen/xen-netback-generalize. (bnc#827378) - Update Xen patches to 3.0.87. - mlx4_en: Adding 40gb speed report for ethtool. (bnc#831410) - drm/i915: Retry DP aux_ch communications with a different clock after failure. (bnc#831422) - drm/i915: split aux_clock_divider logic in a separated function for reuse. (bnc#831422) - drm/i915: dp: increase probe retries. (bnc#831422) - drm/i915: Only clear write-domains after a successful wait-seqno. (bnc#831422) - drm/i915: Fix write-read race with multiple rings. (bnc#831422) - drm/i915: Retry DP aux_ch communications with a different clock after failure. (bnc#831422) - drm/i915: split aux_clock_divider logic in a separated function for reuse. (bnc#831422) - drm/i915: dp: increase probe retries. (bnc#831422) - drm/i915: Only clear write-domains after a successful wait-seqno. (bnc#831422) - drm/i915: Fix write-read race with multiple rings. (bnc#831422) - xhci: Add xhci_disable_ports boot option. (bnc#822164) - xhci: set device to D3Cold on shutdown. (bnc#833097) - reiserfs: Fixed double unlock in reiserfs_setattr failure path. - reiserfs: locking, release lock around quota operations. (bnc#815320) - reiserfs: locking, push write lock out of xattr code. (bnc#815320) - reiserfs: locking, handle nested locks properly. (bnc#815320) - reiserfs: do not lock journal_init(). (bnc#815320) - reiserfs: delay reiserfs lock until journal initialization. (bnc#815320) - NFS: support 'nosharetransport' option (bnc#807502, bnc#828192, FATE#315593). - HID: hyperv: convert alloc+memcpy to memdup. - Drivers: hv: vmbus: Implement multi-channel support (fate#316098). - Drivers: hv: Add the GUID fot synthetic fibre channel device (fate#316098). - tools: hv: Check return value of setsockopt call. - tools: hv: Check return value of poll call. - tools: hv: Check return value of strchr call. - tools: hv: Fix file descriptor leaks. - tools: hv: Improve error logging in KVP daemon. - drivers: hv: switch to use mb() instead of smp_mb(). - drivers: hv: check interrupt mask before read_index. - drivers: hv: allocate synic structures before hv_synic_init(). - storvsc: Increase the value of scsi timeout for storvsc devices (fate#316098). - storvsc: Update the storage protocol to win8 level (fate#316098). - storvsc: Implement multi-channel support (fate#316098). - storvsc: Support FC devices (fate#316098). - storvsc: Increase the value of STORVSC_MAX_IO_REQUESTS (fate#316098). - hyperv: Fix the NETIF_F_SG flag setting in netvsc. - Drivers: hv: vmbus: incorrect device name is printed when child device is unregistered. - Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration. (bnc#828714) - ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size. (bnc#831055, CVE-2013-4163) - ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size. (bnc#831055, CVE-2013-4163) - dm mpath: add retain_attached_hw_handler feature. (bnc#760407) - scsi_dh: add scsi_dh_attached_handler_name. (bnc#760407) - af_key: fix info leaks in notify messages. (bnc#827749 / CVE-2013-2234) - af_key: initialize satype in key_notify_policy_flush(). (bnc#828119 / CVE-2013-2237) - ipv6: call udp_push_pending_frames when uncorking a socket with. (bnc#831058, CVE-2013-4162) - tg3: fix length overflow in VPD firmware parsing. (bnc#813733 / CVE-2013-1929) - xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end. (CVE-2013-1819 / bnc#807471) - ipv6: ip6_sk_dst_check() must not assume ipv6 dst. (bnc#827750, CVE-2013-2232) - dasd: fix hanging devices after path events (bnc#831623, LTC#96336). - kernel: z90crypt module load crash (bnc#831623, LTC#96214). - ata: Fix DVD not detected at some platform with Wellsburg PCH. (bnc#822225) - drm/i915: edp: add standard modes. (bnc#832318) - Do not switch camera on yet more HP machines. (bnc#822164) - Do not switch camera on HP EB 820 G1. (bnc#822164) - xhci: Avoid NULL pointer deref when host dies. (bnc#827271) - bonding: disallow change of MAC if fail_over_mac enabled. (bnc#827376) - bonding: propagate unicast lists down to slaves. (bnc#773255 / bnc#827372) - net/bonding: emit address change event also in bond_release. (bnc#773255 / bnc#827372) - bonding: emit event when bonding changes MAC. (bnc#773255 / bnc#827372) - usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0. (bnc#797909) - xhci: fix NULL pointer dereference on ring_doorbell_for_active_rings. (bnc#827271) - updated reference for security issue fixed inside. (CVE-2013-3301 / bnc#815256) - qla2xxx: Clear the MBX_INTR_WAIT flag when the mailbox time-out happens. (bnc#830478) - drm/i915: initialize gt_lock early with other spin locks. (bnc#801341) - drm/i915: fix up gt init sequence fallout. (bnc#801341) - drm/i915: initialize gt_lock early with other spin locks. (bnc#801341) - drm/i915: fix up gt init sequence fallout. (bnc#801341) - timer_list: Correct the iterator for timer_list. (bnc#818047) - firmware: do not spew errors in normal boot (bnc#831438, fate#314574). - ALSA: virtuoso: Xonar DSX support (FATE#316016). - SUNRPC: Ensure we release the socket write lock if the rpc_task exits early. (bnc#830901) - ext4: Re-add config option Building ext4 as the ext4-writeable KMP uses CONFIG_EXT4_FS_RW=y to denote that read-write module should be enabled. This update just defaults allow_rw to true if it is set. - e1000: fix vlan processing regression. (bnc#830766) - ext4: force read-only unless rw=1 module option is used (fate#314864). - dm mpath: fix ioctl deadlock when no paths. (bnc#808940) - HID: fix unused rsize usage. (bnc#783475) - add reference for b43 format string flaw. (bnc#822579 / CVE-2013-2852) - HID: fix data access in implement(). (bnc#783475) - xfs: fix deadlock in xfs_rtfree_extent with kernel v3.x. (bnc#829622) - kernel: sclp console hangs (bnc#830346, LTC#95711). - Refresh patches.fixes/rtc-add-an-alarm-disable-quirk.patch. - Delete patches.drm/1209-nvc0-fb-shut-up-pmfb-interrupt-after-th e-first-occurrence. It was removed from series.conf in 063ed686e5a3cda01a7ddbc49db1499da917fef5 but the file was not deleted. - Drivers: hv: balloon: Do not post pressure status if interrupted. (bnc#829539) - Drivers: hv: balloon: Fix a bug in the hot-add code. (bnc#829539) - drm/i915: Fix incoherence with fence updates on Sandybridge+. (bnc#809463) - drm/i915: merge {i965, sandybridge}_write_fence_reg(). (bnc#809463) - drm/i915: Fix incoherence with fence updates on Sandybridge+. (bnc#809463) - drm/i915: merge {i965, sandybridge}_write_fence_reg(). (bnc#809463) - Refresh patches.fixes/rtc-add-an-alarm-disable-quirk.patch. - r8169: allow multicast packets on sub-8168f chipset. (bnc#805371) - r8169: support new chips of RTL8111F. (bnc#805371) - r8169: define the early size for 8111evl. (bnc#805371) - r8169: fix the reset setting for 8111evl. (bnc#805371) - r8169: add MODULE_FIRMWARE for the firmware of 8111evl. (bnc#805371) - r8169: fix sticky accepts packet bits in RxConfig. (bnc#805371) - r8169: adjust the RxConfig settings. (bnc#805371) - r8169: support RTL8111E-VL. (bnc#805371) - r8169: add ERI functions. (bnc#805371) - r8169: modify the flow of the hw reset. (bnc#805371) - r8169: adjust some registers. (bnc#805371) - r8169: check firmware content sooner. (bnc#805371) - r8169: support new firmware format. (bnc#805371) - r8169: explicit firmware format check. (bnc#805371) - r8169: move the firmware down into the device private data. (bnc#805371) - r8169: allow multicast packets on sub-8168f chipset. (bnc#805371) - r8169: support new chips of RTL8111F. (bnc#805371) - r8169: define the early size for 8111evl. (bnc#805371) - r8169: fix the reset setting for 8111evl. (bnc#805371) - r8169: add MODULE_FIRMWARE for the firmware of 8111evl. (bnc#805371) - r8169: fix sticky accepts packet bits in RxConfig. (bnc#805371) - r8169: adjust the RxConfig settings. (bnc#805371) - r8169: support RTL8111E-VL. (bnc#805371) - r8169: add ERI functions. (bnc#805371) - r8169: modify the flow of the hw reset. (bnc#805371) - r8169: adjust some registers. (bnc#805371) - r8169: check firmware content sooner. (bnc#805371) - r8169: support new firmware format. (bnc#805371) - r8169: explicit firmware format check. (bnc#805371) - r8169: move the firmware down into the device private data. (bnc#805371) - patches.fixes/mm-link_mem_sections-touch-nmi-watchdog.pa tch: mm: link_mem_sections make sure nmi watchdog does not trigger while linking memory sections. (bnc#820434) - drm/i915: fix long-standing SNB regression in power consumption after resume v2. (bnc#801341) - RTC: Add an alarm disable quirk. (bnc#805740) - drm/i915: Fix bogus hotplug warnings at resume. (bnc#828087) - drm/i915: Serialize all register access. (bnc#809463,bnc#812274,bnc#822878,bnc#828914) - drm/i915: Resurrect ring kicking for semaphores, selectively. (bnc#828087) - drm/i915: Fix bogus hotplug warnings at resume. (bnc#828087) - drm/i915: Serialize all register access. (bnc#809463,bnc#812274,bnc#822878,bnc#828914) - drm/i915: Resurrect ring kicking for semaphores, selectively. (bnc#828087) - drm/i915: use lower aux clock divider on non-ULT HSW. (bnc#800875) - drm/i915: preserve the PBC bits of TRANS_CHICKEN2. (bnc#828087) - drm/i915: set CPT FDI RX polarity bits based on VBT. (bnc#828087) - drm/i915: hsw: fix link training for eDP on port-A. (bnc#800875) - drm/i915: use lower aux clock divider on non-ULT HSW. (bnc#800875) - drm/i915: preserve the PBC bits of TRANS_CHICKEN2. (bnc#828087) - drm/i915: set CPT FDI RX polarity bits based on VBT. (bnc#828087) - drm/i915: hsw: fix link training for eDP on port-A. (bnc#800875) - patches.arch/s390-66-02-smp-ipi.patch: kernel: lost IPIs on CPU hotplug (bnc#825048, LTC#94784). - patches.fixes/iwlwifi-use-correct-supported-firmware-for -6035-and-.patch: iwlwifi: use correct supported firmware for 6035 and 6000g2. (bnc#825887) - patches.fixes/watchdog-update-watchdog_thresh-atomically .patch: watchdog: Update watchdog_thresh atomically. (bnc#829357) - patches.fixes/watchdog-update-watchdog_tresh-properly.pa tch: watchdog: update watchdog_tresh properly. (bnc#829357) - patches.fixes/watchdog-make-disable-enable-hotplug-and-p reempt-save.patch: watchdog-make-disable-enable-hotplug-and-preempt-save.pa tch. (bnc#829357) - kabi/severities: Ignore changes in drivers/hv - patches.drivers/lpfc-return-correct-error-code-on-bsg_ti meout.patch: lpfc: Return correct error code on bsg_timeout. (bnc#816043) - patches.fixes/dm-drop-table-reference-on-ioctl-retry.pat ch: dm-multipath: Drop table when retrying ioctl. (bnc#808940) - scsi: Do not retry invalid function error. (bnc#809122) - patches.suse/scsi-do-not-retry-invalid-function-error.pa tch: scsi: Do not retry invalid function error. (bnc#809122) - scsi: Always retry internal target error. (bnc#745640, bnc#825227) - patches.suse/scsi-always-retry-internal-target-error.pat ch: scsi: Always retry internal target error. (bnc#745640, bnc#825227) - patches.drivers/drm-edid-Don-t-print-messages-regarding- stereo-or-csync-by-default.patch: Refresh: add upstream commit ID. - patches.suse/acpiphp-match-to-Bochs-dmi-data.patch: Refresh. . (bnc#824915) - Refresh patches.suse/acpiphp-match-to-Bochs-dmi-data.patch. (bnc#824915) - Update kabi files. - ACPI:remove panic in case hardware has changed after S4. (bnc#829001) - ibmvfc: Driver version 1.0.1. (bnc#825142) - ibmvfc: Fix for offlining devices during error recovery. (bnc#825142) - ibmvfc: Properly set cancel flags when cancelling abort. (bnc#825142) - ibmvfc: Send cancel when link is down. (bnc#825142) - ibmvfc: Support FAST_IO_FAIL in EH handlers. (bnc#825142) - ibmvfc: Suppress ABTS if target gone. (bnc#825142) - fs/dcache.c: add cond_resched() to shrink_dcache_parent(). (bnc#829082) - drivers/cdrom/cdrom.c: use kzalloc() for failing hardware. (bnc#824295, CVE-2013-2164) - kmsg_dump: do not run on non-error paths by default. (bnc#820172) - supported.conf: mark tcm_qla2xxx as supported - mm: honor min_free_kbytes set by user. (bnc#826960) - Drivers: hv: util: Fix a bug in version negotiation code for util services. (bnc#828714) - hyperv: Fix a kernel warning from netvsc_linkstatus_callback(). (bnc#828574) - RT: Fix up hardening patch to not gripe when avg > available, which lockless access makes possible and happens in -rt kernels running a cpubound ltp realtime testcase. Just keep the output sane in that case. - kabi/severities: Add exception for aer_recover_queue() There should not be any user besides ghes.ko. - Fix rpm changelog - PCI / PM: restore the original behavior of pci_set_power_state(). (bnc#827930) - fanotify: info leak in copy_event_to_user(). (CVE-2013-2148 / bnc#823517) - usb: xhci: check usb2 port capabilities before adding hw link PM support. (bnc#828265) - aerdrv: Move cper_print_aer() call out of interrupt context. (bnc#822052, bnc#824568) - PCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put(). (bnc#822052, bnc#824568) - patches.fixes/block-do-not-pass-disk-names-as-format-str ings.patch: block: do not pass disk names as format strings. (bnc#822575 / CVE-2013-2851) - powerpc: POWER8 cputable entries. (bnc#824256) - libceph: Fix NULL pointer dereference in auth client code. (CVE-2013-1059, bnc#826350) - md/raid10: Fix two bug affecting RAID10 reshape. - Allow NFSv4 to run execute-only files. (bnc#765523) - fs/ocfs2/namei.c: remove unnecessary ERROR when removing non-empty directory. (bnc#819363) - block: Reserve only one queue tag for sync IO if only 3 tags are available. (bnc#806396) - btrfs: merge contiguous regions when loading free space cache - btrfs: fix how we deal with the orphan block rsv. - btrfs: fix wrong check during log recovery. - btrfs: change how we indicate we are adding csums.
    last seen 2019-02-21
    modified 2015-09-10
    plugin id 70040
    published 2013-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70040
    title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 8269 / 8270 / 8283)
redhat via4
advisories
  • rhsa
    id RHSA-2013:1166
  • rhsa
    id RHSA-2013:1173
rpms
  • kernel-0:2.6.18-348.16.1.el5
  • kernel-PAE-0:2.6.18-348.16.1.el5
  • kernel-PAE-devel-0:2.6.18-348.16.1.el5
  • kernel-debug-0:2.6.18-348.16.1.el5
  • kernel-debug-devel-0:2.6.18-348.16.1.el5
  • kernel-devel-0:2.6.18-348.16.1.el5
  • kernel-doc-0:2.6.18-348.16.1.el5
  • kernel-headers-0:2.6.18-348.16.1.el5
  • kernel-kdump-0:2.6.18-348.16.1.el5
  • kernel-kdump-devel-0:2.6.18-348.16.1.el5
  • kernel-xen-0:2.6.18-348.16.1.el5
  • kernel-xen-devel-0:2.6.18-348.16.1.el5
  • kernel-0:2.6.32-358.18.1.el6
  • kernel-bootwrapper-0:2.6.32-358.18.1.el6
  • kernel-debug-0:2.6.32-358.18.1.el6
  • kernel-debug-devel-0:2.6.32-358.18.1.el6
  • kernel-devel-0:2.6.32-358.18.1.el6
  • kernel-doc-0:2.6.32-358.18.1.el6
  • kernel-firmware-0:2.6.32-358.18.1.el6
  • kernel-headers-0:2.6.32-358.18.1.el6
  • kernel-kdump-0:2.6.32-358.18.1.el6
  • kernel-kdump-devel-0:2.6.32-358.18.1.el6
  • perf-0:2.6.32-358.18.1.el6
  • python-perf-0:2.6.32-358.18.1.el6
refmap via4
confirm
debian DSA-2766
mlist [oss-security] 20130702 Re: CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg
suse
  • SUSE-SU-2013:1473
  • SUSE-SU-2013:1474
  • openSUSE-SU-2013:1971
ubuntu
  • USN-1912-1
  • USN-1913-1
  • USN-1938-1
  • USN-1941-1
  • USN-1942-1
  • USN-1943-1
  • USN-1944-1
  • USN-1945-1
  • USN-1946-1
  • USN-1947-1
vmware via4
description The ESX service console kernel is updated to resolve multiple security issues.
id VMSA-2013-0015
last_updated 2013-12-05T00:00:00
published 2013-12-05T00:00:00
title Update to ESX service console kernel
Last major update 06-02-2014 - 23:46
Published 04-07-2013 - 17:55
Back to Top