ID CVE-2016-1583
Summary The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.
References
Vulnerable Configurations
  • Linux Kernel 4.6.2
    cpe:2.3:o:linux:linux_kernel:4.6.2
  • cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:11.0:sp4
    cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:11.0:sp4
  • cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4
    cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4
  • Novell SUSE Linux Enterprise Desktop 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12
    cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12
  • cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra
    cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra
  • cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4
    cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4
  • Novell SUSE Linux Enterprise Server 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_server:12.0
  • Novell SUSE Linux Enterprise Server 12.0 Service Pack 1
    cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
  • Novell SUSE Linux Enterprise Software Development Kit 12.0 Service Pack 1
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
CVSS
Base: 7.2 (as of 18-08-2016 - 14:45)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Linux - ecryptfs and /proc/$pid/environ Privilege Escalation. CVE-2016-1583. Local exploit for linux platform
file exploits/linux/local/39992.md
id EDB-ID:39992
last seen 2016-06-21
modified 2016-06-21
platform linux
port
published 2016-06-21
reporter Google Security Research
source https://www.exploit-db.com/download/39992/
title Linux - ecryptfs and /proc/$pid/environ Privilege Escalation
type local
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0162.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - acpi: Disable ACPI table override if securelevel is set (Linn Crosetto) [Orabug: 25058966] (CVE-2016-3699) - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060060] (CVE-2016-6480) (CVE-2016-6480) - audit: fix a double fetch in audit_log_single_execve_arg (Paul Moore) [Orabug: 25059969] (CVE-2016-6136) - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 25023269] (CVE-2016-1583) (CVE-2016-1583) - Revert 'ecryptfs: forbid opening files without mmap handler' (Chuck Anderson) [Orabug: 24971921] (CVE-2016-1583) - percpu: fix synchronization between synchronous map extension and chunk destruction (Tejun Heo) [Orabug: 25060084] (CVE-2016-4794) - percpu: fix synchronization between chunk->map_extend_work and chunk destruction (Tejun Heo) [Orabug: 25060084] (CVE-2016-4794) - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059898] (CVE-2016-4578) - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898] (CVE-2016-4578) - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059752] (CVE-2016-4569) - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058894] (CVE-2015-8956) - ASN.1: Fix non-match detection failure on data overrun (David Howells) [Orabug: 25059037] (CVE-2016-2053) - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059188] (CVE-2016-3070) - uek-rpm ol7: change uek-rpm/ol7/update-el release value from 7.1 to 7.3 (Chuck Anderson) [Orabug: 25050614]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 95045
    published 2016-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95045
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0162)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0333-1.NASL
    description The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed : - CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710). - CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340). - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831). - CVE-2016-8399: An out of bounds read in the ping protocol handler could have lead to information disclosure (bsc#1014746). - CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531). - CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542). - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038). - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566). - CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832). - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecified removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685). - CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716). - CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711). - CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507). - CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467). - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150). - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968). - CVE-2017-5551: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. This CVE tracks the fix for the tmpfs filesystem. (bsc#1021258). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365). - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689). - CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96903
    published 2017-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96903
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2016-104.NASL
    description According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Stack overflow via ecryptfs and /proc/$pid/environ. It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. - Use after free in tcp_xmit_retransmit_queue. A use after free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection. - block: fix use-after-free in seq file. Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed. - block: fix use-after-free in sys_ioprio_get(). Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 121162
    published 2019-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121162
    title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2016-104)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3607.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140 Ralf Spenneberg of OpenSource Security reported that various USB drivers do not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). - CVE-2016-0821 Solar Designer noted that the list 'poisoning' feature, intended to mitigate the effects of bugs in list manipulation in the kernel, used poison values within the range of virtual addresses that can be allocated by user processes. - CVE-2016-1237 David Sinquin discovered that nfsd does not check permissions when setting ACLs, allowing users to grant themselves permissions to a file by setting the ACL. - CVE-2016-1583 Jann Horn of Google Project Zero reported that the eCryptfs filesystem could be used together with the proc filesystem to cause a kernel stack overflow. If the ecryptfs-utils package is installed, local users could exploit this, via the mount.ecryptfs_private program, for denial of service (crash) or possibly for privilege escalation. - CVE-2016-2117 Justin Yackoski of Cryptonite discovered that the Atheros L2 ethernet driver incorrectly enables scatter/gather I/O. A remote attacker could take advantage of this flaw to obtain potentially sensitive information from kernel memory. - CVE-2016-2143 Marcin Koscielnicki discovered that the fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash). - CVE-2016-3070 Jan Stancek of Red Hat discovered a local denial of service vulnerability in AIO handling. - CVE-2016-3134 The Google Project Zero team found that the netfilter subsystem does not sufficiently validate filter table entries. A user with the CAP_NET_ADMIN capability could use this for denial of service (crash) or possibly for privilege escalation. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this allows privilege escalation. - CVE-2016-3156 Solar Designer discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. - CVE-2016-3157 / XSA-171 Andy Lutomirski discovered that the x86_64 (amd64) task switching implementation did not correctly update the I/O permission level when running as a Xen paravirtual (PV) guest. In some configurations this would allow local users to cause a denial of service (crash) or to escalate their privileges within the guest. - CVE-2016-3672 Hector Marco and Ismael Ripoll noted that it was possible to disable Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs by removing the stack resource limit. This made it easier for local users to exploit security flaws in programs that have the setuid or setgid flag set. - CVE-2016-3951 It was discovered that the cdc_ncm driver would free memory prematurely if certain errors occurred during its initialisation. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash) or possibly to escalate their privileges. - CVE-2016-3955 Ignat Korchagin reported that the usbip subsystem did not check the length of data received for a USB buffer. This allowed denial of service (crash) or privilege escalation on a system configured as a usbip client, by the usbip server or by an attacker able to impersonate it over the network. A system configured as a usbip server might be similarly vulnerable to physically present users. - CVE-2016-3961 / XSA-174 Vitaly Kuznetsov of Red Hat discovered that Linux allowed the use of hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen paravirtualised (PV) guest, although Xen does not support huge pages. This allowed users with access to /dev/hugepages to cause a denial of service (crash) in the guest. - CVE-2016-4470 David Howells of Red Hat discovered that a local user can trigger a flaw in the Linux kernel's handling of key lookups in the keychain subsystem, leading to a denial of service (crash) or possibly to privilege escalation. - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244 Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA timer, x25, tipc, and rds facilities leaked information from the kernel stack. - CVE-2016-4565 Jann Horn of Google Project Zero reported that various components in the InfiniBand stack implemented unusual semantics for the write() operation. On a system with InfiniBand drivers loaded, local users could use this for denial of service or privilege escalation. - CVE-2016-4581 Tycho Andersen discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local user can take advantage of this flaw to cause a denial of service (system crash). - CVE-2016-4805 Baozeng Ding discovered a use-after-free in the generic PPP layer in the Linux kernel. A local user can take advantage of this flaw to cause a denial of service (system crash), or potentially escalate their privileges. - CVE-2016-4913 Al Viro found that the ISO9660 filesystem implementation did not correctly count the length of certain invalid name entries. Reading a directory containing such name entries would leak information from kernel memory. Users permitted to mount disks or disk images could use this to obtain sensitive information. - CVE-2016-4997 / CVE-2016-4998 Jesse Hertz and Tim Newsham discovered that missing input sanitising in Netfilter socket handling may result in denial of service. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this also allows privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91886
    published 2016-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91886
    title Debian DSA-3607-1 : linux - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2002-1.NASL
    description This update for the Linux Kernel 3.12.51-52_34 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93276
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93276
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2002-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2124.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. Bug Fix(es) : * In some cases, a kernel crash or file system corruption occurred when running journal mode 'ordered'. The kernel crash was caused by a NULL pointer dereference due to a race condition between two journal functions. The file system corruption occurred due to a race condition between the do_get_write_access() function and buffer writeout. This update fixes both race conditions. As a result, neither the kernel crash, nor the file system corruption now occur. (BZ#1067708) * Prior to this update, some Global File System 2 (GFS2) files had incorrect time stamp values due to two problems with handling time stamps of such files. The first problem concerned the atime time stamp, which ended up with an arbitrary value ahead of the actual value, when a GFS2 file was accessed. The second problem was related to the mtime and ctime time stamp updates, which got lost when a GFS2 file was written to from one node and read from or written to from another node. With this update, a set of patches has been applied that fix these problems. As a result, the time stamps of GFS2 files are now handled correctly. (BZ#1374861)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94431
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94431
    title RHEL 5 : kernel (RHSA-2016:2124) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3004-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91566
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91566
    title Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-3004-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3002-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91564
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91564
    title Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-3002-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1696-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.59 to receive various security and bugfixes. Main feature additions : - Improved support for Clustered File System (CephFS, fate#318586). - Addition of kGraft patches now produces logging messages to simplify auditing (fate#317827). The following security bugs were fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2014-9717: fs/namespace.c in the Linux kernel processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allowed local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace (bnc#928547). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bsc#970948). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126 971793). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911 970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-4482: Fixed information leak in devio (bnc#978401). - CVE-2016-4486: Fixed information leak in rtnetlink ( bsc#978822). - CVE-2016-4569: Fixed information leak in events via snd_timer_user_tinterrupt (bsc#979213). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93168
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93168
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1696-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-753.NASL
    description The openSUSE Leap 42.1 kernel was updated to 4.1.26 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface. (bsc#979548) - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. (bsc#980371). - CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel did not verify socket existence, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation. (bsc#981058). - CVE-2016-5244: An information leak vulnerability in function rds_inc_info_copy of file net/rds/recv.c was fixed that might have leaked kernel stack data. (bsc#983213). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. (bsc#981267). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4482: A kernel information leak in the usbfs devio connectinfo was fixed, which could expose kernel stack memory to userspace. (bnc#978401). - CVE-2016-4485: A kernel information leak in llc was fixed (bsc#978821). - CVE-2016-4486: A kernel information leak in rtnetlink was fixed, where 4 uninitialized bytes could leak to userspace (bsc#978822). - CVE-2016-4557: A use-after-free via double-fdput in replace_map_fd_with_map_ptr() was fixed, which could allow privilege escalation (bsc#979018). - CVE-2016-4565: When the 'rdma_ucm' infiniband module is loaded, local attackers could escalate their privileges (bsc#979548). - CVE-2016-4569: A kernel information leak in the ALSA timer via events via snd_timer_user_tinterrupt that could leak information to userspace was fixed (bsc#979213). - CVE-2016-4578: A kernel information leak in the ALSA timer via events that could leak information to userspace was fixed (bsc#979879). - CVE-2016-4581: If the first propogated mount copy was being a slave it could oops the kernel (bsc#979913) The following non-security bugs were fixed : - ALSA: hda - Add dock support for ThinkPad X260 (boo#979278). - ALSA: hda - Apply fix for white noise on Asus N550JV, too (boo#979278). - ALSA: hda - Asus N750JV external subwoofer fixup (boo#979278). - ALSA: hda - Fix broken reconfig (boo#979278). - ALSA: hda - Fix headphone mic input on a few Dell ALC293 machines (boo#979278). - ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 (boo#979278). - ALSA: hda - Fix white noise on Asus N750JV headphone (boo#979278). - ALSA: hda - Fix white noise on Asus UX501VW headset (boo#979278). - ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m (boo#979278). - ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294 (boo#979278). - ALSA: hda/realtek - New codec support of ALC225 (boo#979278). - ALSA: hda/realtek - Support headset mode for ALC225 (boo#979278). - ALSA: pcxhr: Fix missing mutex unlock (boo#979278). - ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) (boo#979278). - bluetooth: fix power_on vs close race (bsc#966849). - bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849). - bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849). - bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849). - btrfs: do not use src fd for printk (bsc#980348). - btrfs: fix crash/invalid memory access on fsync when using overlayfs (bsc#977198) - drm: qxl: Workaround for buggy user-space (bsc#981344). - enic: set netdev->vlan_features (bsc#966245). - fs: add file_dentry() (bsc#977198). - IB/IPoIB: Do not set skb truesize since using one linearskb (bsc#980657). - input: i8042 - lower log level for 'no controller' message (bsc#945345). - kabi: Add kabi/severities entries to ignore sound/hda/*, x509_*, efivar_validate, file_open_root and dax_fault - kabi: Add some fixups (module, pci_dev, drm, fuse and thermal) - kabi: file_dentry changes (bsc#977198). - kABI fixes for 4.1.22 - mm/page_alloc.c: calculate 'available' memory in a separate function (bsc#982239). - net: disable fragment reassembly if high_thresh is zero (bsc#970506). - of: iommu: Silence misleading warning. - pstore_register() error handling was wrong -- it tried to release lock before it's acquired, causing spinlock / preemption imbalance. - usb: quirk to stop runtime PM for Intel 7260 (bnc#984460). - Revert 'usb: hub: do not clear BOS field during reset device' (boo#979728). - usb: core: hub: hub_port_init lock controller instead of bus (bnc#978073). - usb: preserve kABI in address0 locking (bnc#978073). - usb: usbip: fix potential out-of-bounds write (bnc#975945). - USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982712). - virtio_balloon: do not change memory amount visible via /proc/meminfo (bsc#982238). - virtio_balloon: export 'available' memory to balloon statistics (bsc#982239).
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 91736
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91736
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-753)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-862.NASL
    description ====================================================================== The openSUSE 13.1 kernel was updated to 3.12.59 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362) - CVE-2014-9717: fs/namespace.c in the Linux kernel processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allowed local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace (bnc#928547). - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c (bnc#958463). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010 979064). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#961512 968670). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948 bnc#974646). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911 970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401 bsc#978445). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). The following non-security bugs were fixed : - ALSA: timer: Call notifier in the same spinlock (bsc#973378). - ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378). - ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378). - Add fs/ceph as a supported module. - Add mainline tags to some hyperv patches - Btrfs: do not collect ordered extents when logging that inode exists (bsc#977685). - Btrfs: fix deadlock between direct IO reads and buffered writes (bsc#973855). - Btrfs: fix empty symlink after creating symlink and fsync parent dir (bsc#977685). - Btrfs: fix file loss on log replay after renaming a file and fsync (bsc#977685). - Btrfs: fix file/data loss caused by fsync after rename and new inode (bsc#977685). - Btrfs: fix for incorrect directory entries after fsync log replay (bsc#957805, bsc#977685). - Btrfs: fix loading of orphan roots leading to BUG_ON (bsc#972844). - Btrfs: fix race between fsync and lockless direct IO writes (bsc#977685). - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync (bsc#977685). - Btrfs: teach backref walking about backrefs with underflowed offset values (bsc#975371). - CacheFiles: Fix incorrect test for in-memory object collision (bsc#971049). - CacheFiles: Handle object being killed before being set up (bsc#971049). - Ceph: Remove racey watch/notify event infrastructure (bsc#964727) - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739). - Drivers: hv: util: Pass the channel information during the init call (bnc#978527). - Drivers: hv: utils: Invoke the poll function after handshake (bnc#978527). - Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read(). - Export helper function to set irq affinity in pci-hyperv. - FS-Cache: Add missing initialization of ret in cachefiles_write_page() (bsc#971049). - FS-Cache: Count culled objects and objects rejected due to lack of space (bsc#971049). - FS-Cache: Fix cancellation of in-progress operation (bsc#971049). - FS-Cache: Handle a new operation submitted against a killed object (bsc#971049). - FS-Cache: Move fscache_report_unexpected_submission() to make it more available (bsc#971049). - FS-Cache: Out of line fscache_operation_init() (bsc#971049). - FS-Cache: Permit fscache_cancel_op() to cancel in-progress operations too (bsc#971049). - FS-Cache: Put an aborted initialised op so that it is accounted correctly (bsc#971049). - FS-Cache: Reduce cookie ref count if submit fails (bsc#971049). - FS-Cache: Synchronise object death state change vs operation submission (bsc#971049). - FS-Cache: The operation cancellation method needs calling in more places (bsc#971049). - FS-Cache: Timeout for releasepage() (bsc#971049). - FS-Cache: When submitting an op, cancel it if the target object is dying (bsc#971049). - FS-Cache: fscache_object_is_dead() has wrong logic, kill it (bsc#971049). - Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309) - Fix kabi issue (bsc#971049). - Import kabi files from kernel 3.12.55-52.42 - Import kabi files from kernel 3.12.57-60.35 - Input: i8042 - lower log level for 'no controller' message (bsc#945345). - KVM: x86: expose invariant tsc cpuid bit (v2) (bsc#971770). - NFSv4.1: do not use machine credentials for CLOSE when using 'sec=sys' (bsc#972003). - NVMe: Unify controller probe and resume (bsc#979347). - NVMe: init nvme queue before enabling irq (unknown bsc). - PCI/AER: Fix aer_inject error codes (bsc#931448). - PCI/AER: Log actual error causes in aer_inject (bsc#931448). - PCI/AER: Log aer_inject error injections (bsc#931448). - PCI/AER: Use dev_warn() in aer_inject (bsc#931448). - RDMA/ocrdma: Avoid reporting wrong completions in case of error CQEs (bsc#908151). - Remove VIOSRP_HOST_CONFIG_TYPE from ibmvstgt.c in patches.fixes/0001-ibmvscsi-remove-unsupported-host-conf ig-mad.patch. as well. - Revert 'scsi: fix soft lockup in scsi_remove_target() on module removal' (bsc#970609). - SUNRPC: Fix large reads on NFS/RDMA (bsc#908151). - SUNRPC: remove KERN_INFO from dprintk() call sites (bsc#908151). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - Update patches.kernel.org/patch-3.12.55-56 references (add bsc#973570). - Update patches.suse/kgr-0102-add-TAINT_KGRAFT.patch (fate#313296 bsc#974406). - Use mainline variant of hyperv KVP IP failover patch (bnc#978527) - acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - acpi: Disable APEI error injection if securelevel is set (bsc#972891). - apparmor: Skip proc ns files (bsc#959514). - block: do not check request size in blk_cloned_rq_check_limits() (bsc#972124). - bnx2fc-Do-not-log-for-netevents-that-need-no-action.patc h - btrfs: do not return EBUSY on concurrent subvolume mounts (bsc#951844). - btrfs: handle non-fatal errors in btrfs_qgroup_inherit() (bsc#972951). - btrfs: qgroup: return EINVAL if level of parent is not higher than child's (bsc#972951). - cachefiles: perform test on s_blocksize when opening cache file (bsc#971049). - ceph fscache: Introduce a routine for uncaching single no data page from fscache (Fate#318586). - ceph fscache: Uncaching no data page from fscache in readpage() (Fate#318586). - ceph: Asynchronous IO support (Fate#318586). - ceph: Avoid to propagate the invalid page point (Fate#318586). - ceph: Clean up if error occurred in finish_read() (Fate#318586). - ceph: EIO all operations after forced umount (Fate#318586). - ceph: Implement writev/pwritev for sync operation (Fate#318586). - ceph: add acl for cephfs (Fate#318586). - ceph: add acl, noacl options for cephfs mount (Fate#318586). - ceph: add get_name() NFS export callback (Fate#318586). - ceph: add get_parent() NFS export callback (Fate#318586). - ceph: add imported caps when handling cap export message (Fate#318586). - ceph: add inline data to pagecache (Fate#318586). - ceph: add missing init_acl() for mkdir() and atomic_open() (Fate#318586). - ceph: add open export target session helper (Fate#318586). - ceph: add request to i_unsafe_dirops when getting unsafe reply (Fate#318586). - ceph: additional debugfs output (Fate#318586). - ceph: always re-send cap flushes when MDS recovers (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_mdsc_close_sessions) (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_get_caps) (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_mdsc_sync) (Fate#318586). - ceph: avoid releasing caps that are being used (Fate#318586). - ceph: avoid sending unnessesary FLUSHSNAP message (Fate#318586). - ceph: avoid useless ceph_get_dentry_parent_inode() in ceph_rename() (Fate#318586). - ceph: cast PAGE_SIZE to size_t in ceph_sync_write() (Fate#318586). - ceph: ceph_frag_contains_value can be boolean (Fate#318586). - ceph: ceph_get_parent() can be static (Fate#318586). - ceph: check OSD caps before read/write (Fate#318586). - ceph: check buffer size in ceph_vxattrcb_layout() (Fate#318586). - ceph: check caps in filemap_fault and page_mkwrite (Fate#318586). - ceph: check directory's completeness before emitting directory entry (Fate#318586). - ceph: check inode caps in ceph_d_revalidate (Fate#318586). - ceph: check unsupported fallocate mode (Fate#318586). - ceph: check zero length in ceph_sync_read() (Fate#318586). - ceph: checking for IS_ERR instead of NULL (Fate#318586). - ceph: cleanup unsafe requests when reconnecting is denied (Fate#318586). - ceph: cleanup use of ceph_msg_get (Fate#318586). - ceph: clear directory's completeness when creating file (Fate#318586). - ceph: convert inline data to normal data before data write (Fate#318586). - ceph: do not assume r_old_dentry[_dir] always set together (Fate#318586). - ceph: do not chain inode updates to parent fsync (Fate#318586). - ceph: do not grabs open file reference for aborted request (Fate#318586). - ceph: do not include ceph.{file,dir}.layout vxattr in listxattr() (Fate#318586). - ceph: do not include used caps in cap_wanted (Fate#318586). - ceph: do not invalidate page cache when inode is no longer used (Fate#318586). - ceph: do not mark dirty caps when there is no auth cap (Fate#318586). - ceph: do not pre-allocate space for cap release messages (Fate#318586). - ceph: do not set r_old_dentry_dir on link() (Fate#318586). - ceph: do not trim auth cap when there are cap snaps (Fate#318586). - ceph: do not zero i_wrbuffer_ref when reconnecting is denied (Fate#318586). - ceph: drop cap releases in requests composed before cap reconnect (Fate#318586). - ceph: drop extra open file reference in ceph_atomic_open() (Fate#318586). - ceph: drop unconnected inodes (Fate#318586). - ceph: exclude setfilelock requests when calculating oldest tid (Fate#318586). - ceph: export ceph_session_state_name function (Fate#318586). - ceph: fetch inline data when getting Fcr cap refs (Fate#318586). - ceph: fix __dcache_readdir() (Fate#318586). - ceph: fix a comment typo (Fate#318586). - ceph: fix append mode write (Fate#318586). - ceph: fix atomic_open snapdir (Fate#318586). - ceph: fix bool assignments (Fate#318586). - ceph: fix cache revoke race (Fate#318586). - ceph: fix ceph_dir_llseek() (Fate#318586). - ceph: fix ceph_fh_to_parent() (Fate#318586). - ceph: fix ceph_removexattr() (Fate#318586). - ceph: fix ceph_set_acl() (Fate#318586). - ceph: fix ceph_writepages_start() (Fate#318586). - ceph: fix dcache/nocache mount option (Fate#318586). - ceph: fix dentry leaks (Fate#318586). - ceph: fix directory fsync (Fate#318586). - ceph: fix divide-by-zero in __validate_layout() (Fate#318586). - ceph: fix double page_unlock() in page_mkwrite() (Fate#318586). - ceph: fix dout() compile warnings in ceph_filemap_fault() (Fate#318586). - ceph: fix file lock interruption (Fate#318586). - ceph: fix flush tid comparision (Fate#318586). - ceph: fix flushing caps (Fate#318586). - ceph: fix llistxattr on symlink (Fate#318586). - ceph: fix message length computation (Fate#318586). - ceph: fix mksnap crash (Fate#318586). - ceph: fix NULL pointer dereference in send_mds_reconnect() (Fate#318586). - ceph: fix pr_fmt() redefinition (Fate#318586). - ceph: fix queuing inode to mdsdir's snaprealm (Fate#318586). - ceph: fix reading inline data when i_size > PAGE_SIZE (Fate#318586). - ceph: fix request time stamp encoding (Fate#318586). - ceph: fix reset_readdir() (Fate#318586). - ceph: fix setting empty extended attribute (Fate#318586). - ceph: fix sizeof(struct tYpO *) typo (Fate#318586). - ceph: fix snap context leak in error path (Fate#318586). - ceph: fix trim caps (Fate#318586). - ceph: fix uninline data function (Fate#318586). - ceph: flush cap release queue when trimming session caps (Fate#318586). - ceph: flush inline version (Fate#318586). - ceph: forbid mandatory file lock (Fate#318586). - ceph: fscache: Update object store limit after file writing (Fate#318586). - ceph: fscache: Wait for completion of object initialization (Fate#318586). - ceph: fscache: add an interface to synchronize object store limit (Fate#318586). - ceph: get inode size for each append write (Fate#318586). - ceph: handle -ESTALE reply (Fate#318586). - ceph: handle SESSION_FORCE_RO message (Fate#318586). - ceph: handle cap export race in try_flush_caps() (Fate#318586). - ceph: handle cap import atomically (Fate#318586). - ceph: handle frag mismatch between readdir request and reply (Fate#318586). - ceph: handle race between cap reconnect and cap release (Fate#318586). - ceph: handle session flush message (Fate#318586). - ceph: hold on to exclusive caps on complete directories (Fate#318586). - ceph: implement readv/preadv for sync operation (Fate#318586). - ceph: improve readahead for file holes (Fate#318586). - ceph: improve reference tracking for snaprealm (Fate#318586). - ceph: include time stamp in every MDS request (Fate#318586). - ceph: include time stamp in replayed MDS requests (Fate#318586). - ceph: initial CEPH_FEATURE_FS_FILE_LAYOUT_V2 support (Fate#318586). - ceph: initialize inode before instantiating dentry (Fate#318586). - ceph: introduce a new inode flag indicating if cached dentries are ordered (Fate#318586). - ceph: introduce ceph_fill_fragtree() (Fate#318586). - ceph: introduce global empty snap context (Fate#318586). - ceph: invalidate dirty pages after forced umount (Fate#318586). - ceph: keep i_snap_realm while there are writers (Fate#318586). - ceph: kstrdup() memory handling (Fate#318586). - ceph: let MDS adjust readdir 'frag' (Fate#318586). - ceph: make ceph_forget_all_cached_acls() static inline (Fate#318586). - ceph: make fsync() wait unsafe requests that created/modified inode (Fate#318586). - ceph: make sure syncfs flushes all cap snaps (Fate#318586). - ceph: make sure write caps are registered with auth MDS (Fate#318586). - ceph: match wait_for_completion_timeout return type (Fate#318586). - ceph: message versioning fixes (Fate#318586). - ceph: move ceph_find_inode() outside the s_mutex (Fate#318586). - ceph: move spinlocking into ceph_encode_locks_to_buffer and ceph_count_locks (Fate#318586). - ceph: no need to get parent inode in ceph_open (Fate#318586). - ceph: parse inline data in MClientReply and MClientCaps (Fate#318586). - ceph: pre-allocate ceph_cap struct for ceph_add_cap() (Fate#318586). - ceph: pre-allocate data structure that tracks caps flushing (Fate#318586). - ceph: preallocate buffer for readdir reply (Fate#318586). - ceph: print inode number for LOOKUPINO request (Fate#318586). - ceph: properly apply umask when ACL is enabled (Fate#318586). - ceph: properly handle XATTR_CREATE and XATTR_REPLACE (Fate#318586). - ceph: properly mark empty directory as complete (Fate#318586). - ceph: properly release page upon error (Fate#318586). - ceph: properly zero data pages for file holes (Fate#318586). - ceph: provide separate {inode,file}_operations for snapdir (Fate#318586). - ceph: queue cap release in __ceph_remove_cap() (Fate#318586). - ceph: queue vmtruncate if necessary when handing cap grant/revoke (Fate#318586). - ceph: ratelimit warn messages for MDS closes session (Fate#318586). - ceph: re-send AIO write request when getting -EOLDSNAP error (Fate#318586). - ceph: re-send flushing caps (which are revoked) in reconnect stage (Fate#318586). - ceph: re-send requests when MDS enters reconnecting stage (Fate#318586). - ceph: refactor readpage_nounlock() to make the logic clearer (Fate#318586). - ceph: remember subtree root dirfrag's auth MDS (Fate#318586). - ceph: remove exported caps when handling cap import message (Fate#318586). - ceph: remove outdated frag information (Fate#318586). - ceph: remove redundant code for max file size verification (Fate#318586). - ceph: remove redundant declaration (Fate#318586). - ceph: remove redundant memset(0) (Fate#318586). - ceph: remove redundant test of head->safe and silence static analysis warnings (Fate#318586). - ceph: remove the useless judgement (Fate#318586). - ceph: remove unused functions in ceph_frag.h (Fate#318586). - ceph: remove unused stringification macros (Fate#318586). - ceph: remove useless ACL check (Fate#318586). - ceph: remove xattr when null value is given to setxattr() (Fate#318586). - ceph: rename snapshot support (Fate#318586). - ceph: replace comma with a semicolon (Fate#318586). - ceph: request xattrs if xattr_version is zero (Fate#318586). - ceph: reserve caps for file layout/lock MDS requests (Fate#318586). - ceph: reset r_resend_mds after receiving -ESTALE (Fate#318586). - ceph: return error for traceless reply race (Fate#318586). - ceph: rework dcache readdir (Fate#318586). - ceph: send TID of the oldest pending caps flush to MDS (Fate#318586). - ceph: send client metadata to MDS (Fate#318586). - ceph: set caps count after composing cap reconnect message (Fate#318586). - ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference (Fate#318586). - ceph: set mds_wanted when MDS reply changes a cap to auth cap (Fate#318586). - ceph: show nocephx_require_signatures and notcp_nodelay options (Fate#318586). - ceph: show non-default options only (Fate#318586). - ceph: simplify ceph_fh_to_dentry() (Fate#318586). - ceph: simplify two mount_timeout sites (Fate#318586). - ceph: skip invalid dentry during dcache readdir (Fate#318586). - ceph: support inline data feature (Fate#318586). - ceph: switch some GFP_NOFS memory allocation to GFP_KERNEL (Fate#318586). - ceph: sync read inline data (Fate#318586). - ceph: take snap_rwsem when accessing snap realm's cached_context (Fate#318586). - ceph: track pending caps flushing accurately (Fate#318586). - ceph: track pending caps flushing globally (Fate#318586). - ceph: trim unused inodes before reconnecting to recovering MDS (Fate#318586). - ceph: trivial comment fix (Fate#318586). - ceph: update i_max_size even if inode version does not change (Fate#318586). - ceph: update inode fields according to issued caps (Fate#318586). - ceph: use %zu for len in ceph_fill_inline_data() (Fate#318586). - ceph: use ceph_seq_cmp() to compare migrate_seq (Fate#318586). - ceph: use empty snap context for uninline_data and get_pool_perm (Fate#318586). - ceph: use fl->fl_file as owner identifier of flock and posix lock (Fate#318586). - ceph: use fl->fl_type to decide flock operation (Fate#318586). - ceph: use fpos_cmp() to compare dentry positions (Fate#318586). - ceph: use getattr request to fetch inline data (Fate#318586). - ceph: use i_size_{read,write} to get/set i_size (Fate#318586). - ceph: use msecs_to_jiffies for time conversion (Fate#318586). - ceph: use pagelist to present MDS request data (Fate#318586). - ceph: use truncate_pagecache() instead of truncate_inode_pages() (Fate#318586). - ceph_sync_{,direct_}write: fix an oops on ceph_osdc_new_request() failure (Fate#318586). - client: include kernel version in client metadata (Fate#318586). - cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857, bsc#974646). - crush: add chooseleaf_stable tunable (Fate#318586). - crush: decode and initialize chooseleaf_stable (Fate#318586). - crush: ensure bucket id is valid before indexing buckets array (Fate#318586). - crush: ensure take bucket value is valid (Fate#318586). - crush: fix crash from invalid 'take' argument (Fate#318586). - crush: sync up with userspace (Fate#318586). - crypto: testmgr - allow rfc3686 aes-ctr variants in fips mode (bsc#958390). - crypto: testmgr - mark authenticated ctr(aes) also as FIPS able (bsc#958390). - dasd: fix hanging system after LCU changes (bnc#968497, LTC#136671). - drm/core: Preserve the framebuffer after removing it (bsc#968812). - drm/i915: do not warn if backlight unexpectedly enabled (boo#972068). - drm/i915: set backlight duty cycle after backlight enable for gen4 (boo#972780). - drm/radeon: fix-up some float to fixed conversion thinkos (bsc#968813). - drm/radeon: use HDP_MEM_COHERENCY_FLUSH_CNTL for sdma as well (bsc#968813). - ext4: Fix softlockups in SEEK_HOLE and SEEK_DATA implementations (bsc#942262). - ext4: fix races between page faults and hole punching (bsc#972174). - ext4: fix races of writeback with punch hole and zero range (bsc#972174). - fs, seq_file: fallback to vmalloc instead of oom kill processes (bnc#968687). - fs, seqfile: always allow oom killer (bnc#968687). - fs/ceph/debugfs.c: replace seq_printf by seq_puts (Fate#318586). - fs/ceph: replace pr_warning by pr_warn (Fate#318586). - fs/pipe.c: skip file_update_time on frozen fs (bsc#975488). - ibmvscsi: Remove unsupported host config MAD (bsc#973556). - iommu/vt-d: Improve fault handler error messages (bsc#975772). - iommu/vt-d: Ratelimit fault handler (bsc#975772). - ipv6: make fib6 serial number per namespace (bsc#965319). - ipv6: per netns FIB garbage collection (bsc#965319). - ipv6: per netns fib6 walkers (bsc#965319). - ipv6: replace global gc_args with local variable (bsc#965319). - kABI: kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel(). - kABI: protect function file_open_root. - kABI: protect include in evm. - kABI: protect struct user_struct. - kabi fix for patches.fixes/reduce-m_start-cost (bsc#966573). - kabi/severities: Allow changes in zpci_* symbols (bsc#974692) - kabi/severities: Whitelist libceph and rbd (bsc#964727). - kabi/severities: Whitelist libceph and rbd (fate#318586). - kabi: kgr, add reserved fields (fate#313296). - kabi: protect struct fc_rport_priv (bsc#953233, bsc#962846). - kabi: protect struct netns_ipv6 after FIB6 GC series (bsc#965319). - kgr: add TAINT_KGRAFT (fate#313296). - kgr: add kgraft annotation to hwrng kthread (fate#313296). - kgr: add kgraft annotations to kthreads' wait_event_freezable() API calls (fate#313296). - kgr: add objname to kgr_patch_fun struct (fate#313296). - kgr: add sympos and objname to error and debug messages (fate#313296). - kgr: add sympos as disambiguator field to kgr_patch_fun structure (fate#313296). - kgr: add sympos to sysfs (fate#313296). - kgr: call kgr_init_ftrace_ops() only for loaded objects (fate#313296). - kgr: change to kallsyms_on_each_symbol iterator (fate#313296). - kgr: define pr_fmt and modify all pr_* messages (fate#313296). - kgr: do not print error for !abort_if_missing symbols (bnc#943989). - kgr: do not return and print an error only if the object is not loaded (fate#313296). - kgr: do not use WQ_MEM_RECLAIM workqueue (bnc#963572). - kgr: fix an asymmetric dealing with delayed module loading (fate#313296). - kgr: fix redirection on s390x arch (bsc#903279). - kgr: fix reversion of a patch already reverted by a replace_all patch (fate#313296). - kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel() (fate#313296). - kgr: handle btrfs kthreads (fate#313296 bnc#889207). - kgr: kmemleak, really mark the kthread safe after an interrupt (fate#313296). - kgr: log when modifying kernel (fate#317827). - kgr: mark kernel unsupported upon patch revert (fate#313296). - kgr: mark some more missed kthreads (bnc#962336). - kgr: remove abort_if_missing flag (fate#313296). - kgr: usb/storage: do not emit thread awakened (bnc#899908). - kgraft/gfs2: Do not block livepatching in the log daemon for too long (fate#313296). - kgraft/xen: Do not block livepatching in the XEN blkif kthread (fate#313296). - libceph: Avoid holding the zero page on ceph_msgr_slab_init errors (Fate#318586). - libceph: Fix ceph_tcp_sendpage()'s more boolean usage (Fate#318586). - libceph: MOSDOpReply v7 encoding (Fate#318586). - libceph: Remove spurious kunmap() of the zero page (Fate#318586). - libceph: a couple tweaks for wait loops (Fate#318586). - libceph: add nocephx_sign_messages option (Fate#318586). - libceph: advertise support for TUNABLES5 (Fate#318586). - libceph: advertise support for keepalive2 (Fate#318586). - libceph: allow setting osd_req_op's flags (Fate#318586). - libceph: check data_len in ->alloc_msg() (Fate#318586). - libceph: clear messenger auth_retry flag if we fault (Fate#318586). - libceph: clear msg->con in ceph_msg_release() only (Fate#318586). - libceph: do not access invalid memory in keepalive2 path (Fate#318586). - libceph: do not spam dmesg with stray reply warnings (Fate#318586). - libceph: drop authorizer check from cephx msg signing routines (Fate#318586). - libceph: evaluate osd_req_op_data() arguments only once (Fate#318586). - libceph: fix authorizer invalidation, take 2 (Fate#318586). - libceph: fix ceph_msg_revoke() (Fate#318586). - libceph: fix wrong name 'Ceph filesystem for Linux' (Fate#318586). - libceph: handle writefull for OSD op extent init (bsc#980706). - libceph: introduce ceph_x_authorizer_cleanup() (Fate#318586). - libceph: invalidate AUTH in addition to a service ticket (Fate#318586). - libceph: kill off ceph_x_ticket_handler::validity (Fate#318586). - libceph: move ceph_file_layout helpers to ceph_fs.h (Fate#318586). - libceph: msg signing callouts do not need con argument (Fate#318586). - libceph: nuke time_sub() (Fate#318586). - libceph: properly release STAT request's raw_data_in (Fate#318586). - libceph: remove con argument in handle_reply() (Fate#318586). - libceph: remove outdated comment (Fate#318586). - libceph: remove the unused macro AES_KEY_SIZE (Fate#318586). - libceph: rename con_work() to ceph_con_workfn() (Fate#318586). - libceph: set 'exists' flag for newly up osd (Fate#318586). - libceph: stop duplicating client fields in messenger (Fate#318586). - libceph: store timeouts in jiffies, verify user input (Fate#318586). - libceph: treat sockaddr_storage with uninitialized family as blank (Fate#318586). - libceph: use keepalive2 to verify the mon session is alive (Fate#318586). - libceph: use list_for_each_entry_safe (Fate#318586). - libceph: use list_next_entry instead of list_entry_next (Fate#318586). - libceph: use local variable cursor instead of msg->cursor (Fate#318586). - libceph: use the right footer size when skipping a message (Fate#318586). - libfc: replace 'rp_mutex' with 'rp_lock' (bsc#953233, bsc#962846). - mds: check cap ID when handling cap export message (Fate#318586). - mmc: Allow forward compatibility for eMMC (bnc#966054). - mmc: sdhci: Allow for irq being shared (bnc#977582). - mpt3sas: Fix use sas_is_tlr_enabled API before enabling MPI2_SCSIIO_CONTROL_TLR_ON flag (bsc#967640). - nfs-rdma: Fix for FMR leaks (bsc#908151). - nfs: fix high load average due to callback thread sleeping (bsc#971170). - nvme: fix max_segments integer truncation (bsc#976471). - ocfs2: do not set fs read-only if rec[0] is empty while committing truncate (bnc#971947). - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (bnc#971947). - ocfs2: extend transaction for ocfs2_remove_rightmost_path() and ocfs2_update_edge_lengths() before to avoid inconsistency between inode and et (bnc#971947). - pipe: limit the per-user amount of pages allocated in pipes (bsc#970948). - powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel (bsc@976821). - powerpc/book3s64: Remove __end_handlers marker (bsc#976821). - rbd: bump queue_max_segments (Fate#318586). - rbd: delete an unnecessary check before rbd_dev_destroy() (Fate#318586). - rbd: do not free rbd_dev outside of the release callback (Fate#318586). - rbd: do not put snap_context twice in rbd_queue_workfn() (Fate#318586). - rbd: drop null test before destroy functions (Fate#318586). - rbd: handle OBJ_REQUEST_SG types for copyup (bsc#983394). - rbd: plug rbd_dev->header.object_prefix memory leak (Fate#318586). - rbd: rbd_wq comment is obsolete (Fate#318586). - rbd: remove duplicate calls to rbd_dev_mapping_clear() (Fate#318586). - rbd: report unsupported features to syslog (bsc#979169). - rbd: return -ENOMEM instead of pool id if rbd_dev_create() fails (Fate#318586). - rbd: set device_type::release instead of device::release (Fate#318586). - rbd: set max_sectors explicitly (Fate#318586). - rbd: store rbd_options in rbd_device (Fate#318586). - rbd: terminate rbd_opts_tokens with Opt_err (Fate#318586). - rbd: timeout watch teardown on unmap with mount_timeout (Fate#318586). - rbd: use GFP_NOIO consistently for request allocations (bsc#971159). - rbd: use writefull op for object size writes (Fate#318586). - reduce m_start() cost.. (bsc#966573). - rpm/modprobe-xen.conf: Revert comment change to allow parallel install (bsc#957986). This reverts commit 6c6d86d3cdc26f7746fe4ba2bef8859b5aeb346c. - s390/compat: correct restore of high gprs on signal return (bnc#968497, LTC#137571). - s390/pageattr: do a single TLB flush for change_page_attr (bsc#940413). - s390/pci: add extra padding to function measurement block (bnc#974692, LTC#139445). - s390/pci: enforce fmb page boundary rule (bnc#974692, LTC#139445). - s390/pci: extract software counters from fmb (bnc#974692, LTC#139445). - s390/pci: remove pdev pointer from arch data (bnc#974692, LTC#139444). - s390/pci_dma: fix DMA table corruption with > 4 TB main memory (bnc#974692, LTC#139401). - s390/pci_dma: handle dma table failures (bnc#974692, LTC#139442). - s390/pci_dma: improve debugging of errors during dma map (bnc#974692, LTC#139442). - s390/pci_dma: unify label of invalid translation table entries (bnc#974692, LTC#139442). - s390/zcrypt: HWRNG registration cause kernel panic on CEX hotplug (bnc#968497, LTC#138409). - scsi-bnx2fc-handle_scsi_retry_delay - scsi-bnx2fc-soft_lockup_when_rmmod - scsi: Add intermediate STARGET_REMOVE state to scsi_target_state (bsc#970609). - scsi: Avoid crashing if device uses DIX but adapter does not support it (bsc#969016). - sd: get disk reference in sd_check_events() (bnc#897662). - supported.conf : - supported.conf: Add bridge.ko for OpenStack (bsc#971600) - supported.conf: add pci-hyperv - supported.conf:Add drivers/infiniband/hw/ocrdma/ocrdma.ko to supported.conf (bsc#964461) - svcrdma: Fence LOCAL_INV work requests (bsc#908151). - svcrdma: advertise the correct max payload (bsc#908151). - svcrdma: fix offset calculation for non-page aligned sge entries (bsc#908151). - svcrdma: fix printk when memory allocation fails (bsc#908151). - svcrdma: refactor marshalling logic (bsc#908151). - svcrdma: send_write() must not overflow the device's max sge (bsc#908151). - target/rbd: do not put snap_context twice (bsc#981143). - target/rbd: remove caw_mutex usage (bsc#981143). - target: Drop incorrect ABORT_TASK put for completed commands (bsc#962872). - target: Fix LUN_RESET active I/O handling for ACK_KREF (bsc#962872). - target: Fix LUN_RESET active TMR descriptor handling (bsc#962872). - target: Fix TAS handling for multi-session se_node_acls (bsc#962872). - target: Fix race with SCF_SEND_DELAYED_TAS handling (bsc#962872). - target: Fix remote-port TMR ABORT + se_cmd fabric stop (bsc#962872). - tcp: convert cached rtt from usec to jiffies when feeding initial rto (bsc#937086). - vgaarb: Add more context to error messages (bsc#976868). - xen/acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - xen: Linux 3.12.58. - xprtrdma: Allocate missing pagelist (bsc#908151). - xprtrdma: Avoid deadlock when credit window is reset (bsc#908151). - xprtrdma: Disconnect on registration failure (bsc#908151). - xprtrdma: Ensure ia->ri_id->qp is not NULL when reconnecting (bsc#908151). - xprtrdma: Fall back to MTHCAFMR when FRMR is not supported (bsc#908151). - xprtrdma: Limit work done by completion handler (bsc#908151). - xprtrdma: Make rpcrdma_ep_destroy() return void (bsc#908151). - xprtrdma: RPC/RDMA must invoke xprt_wake_pending_tasks() in process context (bsc#908151). - xprtrdma: Reduce the number of hardway buffer allocations (bsc#908151). - xprtrdma: Remove BOUNCEBUFFERS memory registration mode (bsc#908151). - xprtrdma: Remove BUG_ON() call sites (bsc#908151). - xprtrdma: Remove MEMWINDOWS registration modes (bsc#908151). - xprtrdma: Remove REGISTER memory registration mode (bsc#908151). - xprtrdma: Remove Tavor MTU setting (bsc#908151). - xprtrdma: Reset connection timeout after successful reconnect (bsc#908151). - xprtrdma: Simplify rpcrdma_deregister_external() synopsis (bsc#908151). - xprtrdma: Split the completion queue (bsc#908151). - xprtrdma: Use macros for reconnection timeout constants (bsc#908151). - xprtrdma: mind the device's max fast register page list depth (bsc#908151). - xprtrdma: mount reports 'Invalid mount option' if memreg mode not supported (bsc#908151). - xprtrmda: Reduce calls to ib_poll_cq() in completion handlers (bsc#908151). - xprtrmda: Reduce lock contention in completion handlers (bsc#908151).
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92007
    published 2016-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92007
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-862)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3635.NASL
    description Description of changes: kernel-uek [4.1.12-61.1.17.el7uek] - sched: panic on corrupted stack end (Jann Horn) [Orabug: 24971921] {CVE-2016-1583} - ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971921] {CVE-2016-1583} - proc: prevent stacking filesystems on top (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}
    last seen 2019-02-21
    modified 2016-11-04
    plugin id 94532
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94532
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3635)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2005-1.NASL
    description This update for the Linux Kernel 3.12.48-52_27 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2015-8019: The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel did not accept a length argument, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call (bsc#979078). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93277
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93277
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2005-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2014-1.NASL
    description This update for the Linux Kernel 3.12.44-52_18 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93283
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93283
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2014-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3001-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91563
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91563
    title Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3001-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2245-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-3955: The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel allowed remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet (bnc#975945). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365). - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689). - CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure was initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack. (bsc#989152) - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability. (bsc#991608) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93370
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93370
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2245-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2006-1.NASL
    description This update for the Linux Kernel 3.12.55-52_42 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93278
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93278
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2006-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3646.NASL
    description Description of changes: [2.6.39-400.290.2.el6uek] - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060055] {CVE-2016-6480} {CVE-2016-6480} - audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [Orabug: 25059962] {CVE-2016-6136} - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 24971918] {CVE-2016-1583} {CVE-2016-1583} - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059900] {CVE-2016-4578} - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059900] {CVE-2016-4578} - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059755] {CVE-2016-4569} - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058905] {CVE-2015-8956} - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059195] {CVE-2016-3070}
    last seen 2019-02-21
    modified 2016-11-22
    plugin id 95044
    published 2016-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95044
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3646)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3006-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Multiple race conditions where discovered in the Linux kernel's ext4 file system. A local user could exploit this flaw to cause a denial of service (disk corruption) by writing to a page that is associated with a different users file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel could overflow reference counters on systems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to infinite. A local unprivileged attacker could use to create a use-after- free situation, causing a denial of service (system crash) or possibly gain administrative privileges. (CVE-2016-4558) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91568
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91568
    title Ubuntu 16.04 LTS : linux vulnerabilities (USN-3006-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3007-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Multiple race conditions where discovered in the Linux kernel's ext4 file system. A local user could exploit this flaw to cause a denial of service (disk corruption) by writing to a page that is associated with a different users file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel could overflow reference counters on systems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to infinite. A local unprivileged attacker could use to create a use-after- free situation, causing a denial of service (system crash) or possibly gain administrative privileges. (CVE-2016-4558) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91569
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91569
    title Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3007-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2124.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. Bug Fix(es) : * In some cases, a kernel crash or file system corruption occurred when running journal mode 'ordered'. The kernel crash was caused by a NULL pointer dereference due to a race condition between two journal functions. The file system corruption occurred due to a race condition between the do_get_write_access() function and buffer writeout. This update fixes both race conditions. As a result, neither the kernel crash, nor the file system corruption now occur. (BZ#1067708) * Prior to this update, some Global File System 2 (GFS2) files had incorrect time stamp values due to two problems with handling time stamps of such files. The first problem concerned the atime time stamp, which ended up with an arbitrary value ahead of the actual value, when a GFS2 file was accessed. The second problem was related to the mtime and ctime time stamp updates, which got lost when a GFS2 file was written to from one node and read from or written to from another node. With this update, a set of patches has been applied that fix these problems. As a result, the time stamps of GFS2 files are now handled correctly. (BZ#1374861)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94409
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94409
    title CentOS 5 : kernel (CESA-2016:2124) (Dirty COW)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2766.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/ environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) * It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate) Bug Fix(es) : * Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. (BZ#1377472) * When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation.(BZ#1372266) * Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. (BZ#1379596) * When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. (BZ#1375637) * When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. (BZ#1381592) * When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: 'Medium access timeout failure. Offlining disk!'. This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation. (BZ#1382620)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94911
    published 2016-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94911
    title RHEL 6 : kernel (RHSA-2016:2766)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3644.NASL
    description Description of changes: kernel-uek [4.1.12-61.1.19.el7uek] - acpi: Disable ACPI table override if securelevel is set (Linn Crosetto) [Orabug: 25058966] {CVE-2016-3699} - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060060] {CVE-2016-6480} {CVE-2016-6480} - audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [Orabug: 25059969] {CVE-2016-6136} - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 25023269] {CVE-2016-1583} {CVE-2016-1583} - Revert 'ecryptfs: forbid opening files without mmap handler' (Chuck Anderson) [Orabug: 24971921] {CVE-2016-1583} - percpu: fix synchronization between synchronous map extension and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794} - percpu: fix synchronization between chunk->map_extend_work and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794} - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578} - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578} - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059752] {CVE-2016-4569} - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058894] {CVE-2015-8956} - ASN.1: Fix non-match detection failure on data overrun (David Howells) [Orabug: 25059037] {CVE-2016-2053} - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059188] {CVE-2016-3070}
    last seen 2019-02-21
    modified 2016-11-22
    plugin id 95042
    published 2016-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95042
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3644)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0181.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/iopl/64: properly context-switch IOPL on Xen PV (Andy Lutomirski) [Orabug: 25269184] (CVE-2016-3157) - net: Fix use after free in the recvmmsg exit path (Arnaldo Carvalho de Melo) [Orabug: 25298618] (CVE-2016-7117) - logging errors that get masked to EIO inside drivers/block/loop.c (Manjunath Patil) [Orabug: 21962821] - sched/core: Clear the root_domain cpumasks in init_rootdomain (Xunlei Pang) [Orabug: 23518650] - bio allocation failure due to bio_get_nr_vecs (Darrick J. Wong) - mlx4: avoid ABBA deadlock (Wengang Wang) [Orabug: 23538548] - mlx4: avoid multiple free on id_map_ent (Wengang Wang) [Orabug: 25022815] - sctp: validate chunk len before actually using it (Marcelo Ricardo Leitner) [Orabug: 25142906] (CVE-2016-9555) - NVMe: reduce queue depth as workaround for Samsung EPIC SQ errata (Ashok Vairavan) [Orabug: 25138146] - RDS: Drop the connection as part of cancel to avoid hangs (Avinash Repaka) [Orabug: 24951873] - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060055] (CVE-2016-6480) (CVE-2016-6480) - audit: fix a double fetch in audit_log_single_execve_arg (Paul Moore) [Orabug: 25059962] (CVE-2016-6136) - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 24971918] (CVE-2016-1583) (CVE-2016-1583) - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059900] (CVE-2016-4578) - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059900] (CVE-2016-4578) - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059755] (CVE-2016-4569) - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058905] (CVE-2015-8956) - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059195] [CVE-2016-3070
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 96073
    published 2016-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96073
    title OracleVM 3.2 : Unbreakable / etc (OVMSA-2016-0181)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1029.NASL
    description The openSUSE 13.1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975531 bsc#975533). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (bsc#983143) - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. (bnc#978401) - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548 bsc#980363). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. (bsc#979213) - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. (bnc#986365). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. (bsc#986569) - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). The following non-security bugs were fixed : - Add wait_event_cmd() (bsc#953048). - alsa: hrtimer: Handle start/stop more properly (bsc#973378). - base: make module_create_drivers_dir race-free (bnc#983977). - btrfs: be more precise on errors when getting an inode from disk (bsc#981038). - btrfs: do not use src fd for printk (bsc#980348). - btrfs: improve performance on fsync against new inode after rename/unlink (bsc#981038). - btrfs: qgroup: Fix qgroup accounting when creating snapshot (bsc#972933). - btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844). - cdc_ncm: workaround for EM7455 'silent' data interface (bnc#988552). - ceph: tolerate bad i_size for symlink inode (bsc#985232). - drm/mgag200: Add support for a new G200eW3 chipset (bsc#983904). - drm/mgag200: Add support for a new rev of G200e (bsc#983904). - drm/mgag200: Black screen fix for G200e rev 4 (bsc#983904). - drm/mgag200: remove unused variables (bsc#983904). - drm: qxl: Workaround for buggy user-space (bsc#981344). - EDAC: Correct channel count limit (bsc#979521). - EDAC: Remove arbitrary limit on number of channels (bsc#979521). - EDAC, sb_edac: Add support for duplicate device IDs (bsc#979521). - EDAC/sb_edac: Fix computation of channel address (bsc#979521). - EDAC, sb_edac: Fix rank lookup on Broadwell (bsc#979521). - EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs() (bsc#979521). - EDAC: Use static attribute groups for managing sysfs entries (bsc#979521). - efifb: Add support for 64-bit frame buffer addresses (bsc#973499). - efifb: Fix 16 color palette entry calculation (bsc#983318). - efifb: Fix KABI of screen_info struct (bsc#973499). - ehci-pci: enable interrupt on BayTrail (bnc#947337). - enic: set netdev->vlan_features (bsc#966245). - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681) - hid-elo: kill not flush the work (bnc#982354). - iommu/vt-d: Enable QI on all IOMMUs before setting root entry (bsc#975772). - ipvs: count pre-established TCP states as active (bsc#970114). - kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544). - kabi/severities: Added raw3270_* PASS to allow IBM LTC changes. (bnc#979922, LTC#141736) - ktime: make ktime_divns exported on 32-bit architectures. - md: be careful when testing resync_max against curr_resync_completed (bsc#953048). - md: do_release_stripe(): No need to call md_wakeup_thread() twice (bsc#953048). - md: make sure MD_RECOVERY_DONE is clear before starting recovery/resync (bsc#953048). - md/raid56: Do not perform reads to support writes until stripe is ready. - md/raid5: add handle_flags arg to break_stripe_batch_list (bsc#953048). - md/raid5: allow the stripe_cache to grow and shrink (bsc#953048). - md/raid5: always set conf->prev_chunk_sectors and ->prev_algo (bsc#953048). - md/raid5: avoid races when changing cache size (bsc#953048). - md/raid5: avoid reading parity blocks for full-stripe write to degraded array (bsc#953048). - md/raid5: be more selective about distributing flags across batch (bsc#953048). - md/raid5: break stripe-batches when the array has failed (bsc#953048). - md/raid5: call break_stripe_batch_list from handle_stripe_clean_event (bsc#953048). - md/raid5: change ->inactive_blocked to a bit-flag (bsc#953048). - md/raid5: clear R5_NeedReplace when no longer needed (bsc#953048). - md/raid5: close race between STRIPE_BIT_DELAY and batching (bsc#953048). - md/raid5: close recently introduced race in stripe_head management. - md/raid5: consider updating reshape_position at start of reshape (bsc#953048). - md/raid5: deadlock between retry_aligned_read with barrier io (bsc#953048). - md/raid5: do not do chunk aligned read on degraded array (bsc#953048). - md/raid5: do not index beyond end of array in need_this_block() (bsc#953048). - md/raid5: do not let shrink_slab shrink too far (bsc#953048). - md/raid5: duplicate some more handle_stripe_clean_event code in break_stripe_batch_list (bsc#953048). - md/raid5: Ensure a batch member is not handled prematurely (bsc#953048). - md/raid5: ensure device failure recorded before write request returns (bsc#953048). - md/raid5: ensure whole batch is delayed for all required bitmap updates (bsc#953048). - md/raid5: fix allocation of 'scribble' array (bsc#953048). - md/raid5: fix another livelock caused by non-aligned writes (bsc#953048). - md/raid5: fix handling of degraded stripes in batches (bsc#953048). - md/raid5: fix init_stripe() inconsistencies (bsc#953048). - md/raid5: fix locking in handle_stripe_clean_event() (bsc#953048). - md/raid5: fix newly-broken locking in get_active_stripe. - md/raid5: For stripe with R5_ReadNoMerge, we replace REQ_FLUSH with REQ_NOMERGE. - md/raid5: handle possible race as reshape completes (bsc#953048). - md/raid5: ignore released_stripes check (bsc#953048). - md/raid5: more incorrect BUG_ON in handle_stripe_fill (bsc#953048). - md/raid5: move max_nr_stripes management into grow_one_stripe and drop_one_stripe (bsc#953048). - md/raid5: need_this_block: start simplifying the last two conditions (bsc#953048). - md/raid5: need_this_block: tidy/fix last condition (bsc#953048). - md/raid5: new alloc_stripe() to allocate an initialize a stripe (bsc#953048). - md/raid5: pass gfp_t arg to grow_one_stripe() (bsc#953048). - md/raid5: per hash value and exclusive wait_for_stripe (bsc#953048). - md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list. - md/raid5: remove condition test from check_break_stripe_batch_list (bsc#953048). - md/raid5: remove incorrect 'min_t()' when calculating writepos (bsc#953048). - md/raid5: remove redundant check in stripe_add_to_batch_list() (bsc#953048). - md/raid5: separate large if clause out of fetch_block() (bsc#953048). - md/raid5: separate out the easy conditions in need_this_block (bsc#953048). - md/raid5: split wait_for_stripe and introduce wait_for_quiescent (bsc#953048). - md/raid5: strengthen check on reshape_position at run (bsc#953048). - md/raid5: switch to use conf->chunk_sectors in place of mddev->chunk_sectors where possible (bsc#953048). - md/raid5: use bio_list for the list of bios to return (bsc#953048). - md/raid5: use ->lock to protect accessing raid5 sysfs attributes (bsc#953048). - md: remove unwanted white space from md.c (bsc#953048). - md: use set_bit/clear_bit instead of shift/mask for bi_flags changes (bsc#953048). - mm: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491). - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721). - net: Account for all vlan headers in skb_mac_gso_segment (bsc#968667). - net: disable fragment reassembly if high_thresh is set to zero (bsc#970506). - netfilter: bridge: do not leak skb in error paths (bsc#982544). - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544). - netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (bsc#982544). - net: fix wrong mac_len calculation for vlans (bsc#968667). - net/qlge: Avoids recursive EEH error (bsc#954847). - net: Start with correct mac_len in skb_network_protocol (bsc#968667). - nvme: don't poll the CQ from the kthread (bsc#975788, bsc#965087). - PCI/AER: Clear error status registers during enumeration and restore (bsc#985978). - perf/rapl: Fix sysfs_show() initialization for RAPL PMU (bsc#979489). - perf/x86/intel: Add Intel RAPL PP1 energy counter support (bsc#979489). - ppp: defer netns reference release for ppp channel (bsc#980371). - qeth: delete napi struct when removing a qeth device (bnc#988215, LTC#143590). - raid5: add a new flag to track if a stripe can be batched (bsc#953048). - raid5: add an option to avoid copy data from bio to stripe cache (bsc#953048). - raid5: avoid release list until last reference of the stripe (bsc#953048). - raid5: batch adjacent full stripe write (bsc#953048). - raid5: check faulty flag for array status during recovery (bsc#953048). - RAID5: check_reshape() shouldn't call mddev_suspend (bsc#953048). - raid5: fix a race of stripe count check. - raid5: fix broken async operation chain (bsc#953048). - raid5: get_active_stripe avoids device_lock. - raid5: handle expansion/resync case with stripe batching (bsc#953048). - raid5: handle io error of batch list (bsc#953048). - raid5: make_request does less prepare wait. - raid5: relieve lock contention in get_active_stripe(). - raid5: relieve lock contention in get_active_stripe(). - raid5: Retry R5_ReadNoMerge flag when hit a read error. - RAID5: revert e9e4c377e2f563 to fix a livelock (bsc#953048). - raid5: speedup sync_request processing (bsc#953048). - raid5: track overwrite disk count (bsc#953048). - raid5: update analysis state for failed stripe (bsc#953048). - raid5: use flex_array for scribble data (bsc#953048). - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469). - s390/3270: add missing tty_kref_put (bnc#979922, LTC#141736). - s390/3270: avoid endless I/O loop with disconnected 3270 terminals (bnc#979922, LTC#141736). - s390/3270: fix garbled output on 3270 tty view (bnc#979922, LTC#141736). - s390/3270: fix view reference counting (bnc#979922, LTC#141736). - s390/3270: handle reconnect of a tty with a different size (bnc#979922, LTC#141736). - s390/3270: hangup the 3270 tty after a disconnect (bnc#979922, LTC#141736). - s390: fix test_fp_ctl inline assembly contraints (bnc#988215, LTC#143138). - s390/mm: fix asce_bits handling with dynamic pagetable levels (bnc#979922, LTC#141456). - s390/spinlock: avoid yield to non existent cpu (bnc#979922, LTC#141106). - sb_edac: correctly fetch DIMM width on Ivy Bridge and Haswell (bsc#979521). - sb_edac: Fix a typo and a thinko in address handling for Haswell (bsc#979521). - sb_edac: Fix support for systems with two home agents per socket (bsc#979521). - sb_edac: look harder for DDRIO on Haswell systems (bsc#979521). - sb_edac: support for Broadwell -EP and -EX (bsc#979521). - sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency (bnc#988498). - sched/cputime: Fix cpu_timer_sample_group() double accounting (bnc#988498). - sched: Provide update_curr callbacks for stop/idle scheduling classes (bnc#988498). - sched/x86: Fix up typo in topology detection (bsc#974165). - scsi: Increase REPORT_LUNS timeout (bsc#982282). - series.conf: move netfilter section at the end of core networking - series.conf: move stray netfilter patches to the right section - target/rbd: do not put snap_context twice (bsc#981143). - target/rbd: remove caw_mutex usage (bsc#981143). - Update patches.drivers/0001-nvme-fix-max_segments-integer-trunc ation.patch (bsc#979419). Fix reference. - Update patches.drivers/nvme-0106-init-nvme-queue-before-enablin g-irq.patch (bsc#962742). Fix incorrect bugzilla referece. - usb: quirk to stop runtime PM for Intel 7260 (bnc#984456). - usb: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982698). - VSOCK: Fix lockdep issue (bsc#977417). - VSOCK: sock_put wasn't safe to call in interrupt context (bsc#977417). - wait: introduce wait_event_exclusive_cmd (bsc#953048). - x86 EDAC, sb_edac.c: Repair damage introduced when 'fixing' channel address (bsc#979521). - x86 EDAC, sb_edac.c: Take account of channel hashing when needed (bsc#979521). - x86/efi: parse_efi_setup() build fix (bsc#979485). - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620). - x86: Removed the free memblock of hibernat keys to avoid memory corruption (bsc#990058). - x86, sched: Add new topology for multi-NUMA-node CPUs (bsc#974165). - x86: standardize mmap_rnd() usage (bnc#974308). - xen: fix i586 build after SLE12-SP1 commit 2f4c3ff45d5e. - xfs: fix premature enospc on inode allocation (bsc#984148). - xfs: get rid of XFS_IALLOC_BLOCKS macros (bsc#984148). - xfs: get rid of XFS_INODE_CLUSTER_SIZE macros (bsc#984148).
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 93216
    published 2016-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93216
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-1029)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3636.NASL
    description Description of changes: kernel-uek [3.8.13-118.14.1.el7uek] - ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971919] {CVE-2016-1583} - RDS: IB: fix panic with handlers running post teardown (Santosh Shilimkar) [Orabug: 24395795]
    last seen 2019-02-21
    modified 2016-11-04
    plugin id 94533
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94533
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3636)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-73A733F4D9.NASL
    description The 4.5.7-202 kernel update contains a number of important security fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92256
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92256
    title Fedora 23 : kernel (2016-73a733f4d9)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1015.NASL
    description The openSUSE 13.2 kernel was updated to fix various bugs and security issues. The following security bugs were fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandles NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971919 971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401 bsc#978445). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548 bsc#980363). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4581: fs/pnode.c in the Linux kernel did not properly traverse a mount propagation tree in a certain case involving a slave mount, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls (bnc#979913). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2015-3288: A security flaw was found in the Linux kernel that there was a way to arbitrary change zero page memory. (bnc#979021). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948 974646). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2015-8830: Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allowed local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression (bnc#969354 bsc#969355). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent recursive callback access, which allowed local users to cause a denial of service (deadlock) via a crafted ioctl call (bnc#968013). - CVE-2016-2547: sound/core/timer.c in the Linux kernel employs a locking approach that did not consider slave timer instances, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#968011). - CVE-2016-2548: sound/core/timer.c in the Linux kernel retains certain linked lists after a close or stop action, which allowed local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions (bnc#968012). - CVE-2016-2546: sound/core/timer.c in the Linux kernel uses an incorrect type of mutex, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#967975). - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel did not properly maintain a certain linked list, which allowed local users to cause a denial of service (race condition and system crash) via a crafted ioctl call (bnc#967974). - CVE-2016-2544: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time (bnc#967973). - CVE-2016-2543: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO assignment before proceeding with FIFO clearing, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call (bnc#967972). - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the Linux kernel mishandles uid and gid mappings, which allowed local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states 'there is no kernel bug here (bnc#959709 960561 ). - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel did not properly identify error conditions, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets (bnc#966437). - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor (bnc#966693). - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765). - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572 986573). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362 986365 986377). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755 984764). - CVE-2015-6526: The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel on ppc64 platforms allowed local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace (bnc#942702). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). The following non-security bugs were fixed : - ALSA: hrtimer: Handle start/stop more properly (bsc#973378). - ALSA: pcm: Fix potential deadlock in OSS emulation (bsc#968018). - ALSA: rawmidi: Fix race at copying & updating the position (bsc#968018). - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018). - ALSA: seq: Fix double port list deletion (bsc#968018). - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() (bsc#968018). - ALSA: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - ALSA: seq: Fix lockdep warnings due to double mutex locks (bsc#968018). - ALSA: seq: Fix race at closing in virmidi driver (bsc#968018). - ALSA: seq: Fix yet another races among ALSA timer accesses (bsc#968018). - ALSA: timer: Call notifier in the same spinlock (bsc#973378). - ALSA: timer: Code cleanup (bsc#968018). - ALSA: timer: Fix leftover link at closing (bsc#968018). - ALSA: timer: Fix link corruption due to double start or stop (bsc#968018). - ALSA: timer: Fix race between stop and interrupt (bsc#968018). - ALSA: timer: Fix wrong instance passed to slave callbacks (bsc#968018). - ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378). - ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378). - Bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849). - Bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849). - Bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849). - Btrfs: do not use src fd for printk (bsc#980348). - Refresh patches.drivers/ALSA-hrtimer-Handle-start-stop-more-prop erly. Fix the build error on 32bit architectures. - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469). - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position updates on /proc/xen/xenbus (bsc#970275). - Subject: [PATCH] USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982706). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570). - backends: guarantee one time reads of shared ring contents (bsc#957988). - btrfs: do not go readonly on existing qgroup items (bsc#957052). - btrfs: remove error message from search ioctl for nonexistent tree. - drm/i915: Fix missing backlight update during panel disablement (bsc#941113 boo#901754). - enic: set netdev->vlan_features (bsc#966245). - ext4: fix races between buffered IO and collapse / insert range (bsc#972174). - ext4: fix races between page faults and hole punching (bsc#972174). - ext4: fix races of writeback with punch hole and zero range (bsc#972174). - ext4: move unlocked dio protection from ext4_alloc_file_blocks() (bsc#972174). - ipv4/fib: do not warn when primary address is missing if in_dev is dead (bsc#971360). - ipvs: count pre-established TCP states as active (bsc#970114). - net: core: Correct an over-stringent device loop detection (bsc#945219). - netback: do not use last request to determine minimum Tx credit (bsc#957988). - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY. - pciback: Save the number of MSI-X entries to be copied later. - pciback: guarantee one time reads of shared ring contents (bsc#957988). - series.conf: move cxgb3 patch to network drivers section - usb: quirk to stop runtime PM for Intel 7260 (bnc#984464). - x86: standardize mmap_rnd() usage (bnc#974308).
    last seen 2019-02-21
    modified 2017-10-02
    plugin id 93104
    published 2016-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93104
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2760.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/ environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) Bug Fix(es) : * Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. As a result, mmap now works as expected under the described circumstances. (BZ#1474721)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103350
    published 2017-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103350
    title RHEL 6 : kernel (RHSA-2017:2760)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1672-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Notable changes in this kernel : - It is now possible to mount a NFS export on the exporting host directly. The following security bugs were fixed : - CVE-2016-5244: A kernel information leak in rds_inc_info_copy was fixed that could leak kernel stack memory to userspace (bsc#983213). - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandles NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacked a bulk-out endpoint (bnc#961512). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93164
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93164
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2016:1672-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2010-1.NASL
    description This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93280
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93280
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2010-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-516.NASL
    description This update fixes the CVEs described below. CVE-2016-0821 Solar Designer noted that the list 'poisoning' feature, intended to mitigate the effects of bugs in list manipulation in the kernel, used poison values within the range of virtual addresses that can be allocated by user processes. CVE-2016-1583 Jann Horn of Google Project Zero reported that the eCryptfs filesystem could be used together with the proc filesystem to cause a kernel stack overflow. If the ecryptfs-utils package was installed, local users could exploit this, via the mount.ecryptfs_private program, for denial of service (crash) or possibly for privilege escalation. CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140 Ralf Spenneberg of OpenSource Security reported that various USB drivers do not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). Not all the drivers have yet been fixed. CVE-2016-3134 The Google Project Zero team found that the netfilter subsystem does not sufficiently validate filter table entries. A user with the CAP_NET_ADMIN capability could use this for denial of service (crash) or possibly for privilege escalation. CVE-2016-3157 / XSA-171 Andy Lutomirski discovered that the x86_64 (amd64) task switching implementation did not correctly update the I/O permission level when running as a Xen paravirtual (PV) guest. In some configurations this would allow local users to cause a denial of service (crash) or to escalate their privileges within the guest. CVE-2016-3672 Hector Marco and Ismael Ripoll noted that it was still possible to disable Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs by removing the stack resource limit. This made it easier for local users to exploit security flaws in programs that have the setuid or setgid flag set. CVE-2016-3951 It was discovered that the cdc_ncm driver would free memory prematurely if certain errors occurred during its initialisation. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash) or possibly to escalate their privileges. CVE-2016-3955 Ignat Korchagin reported that the usbip subsystem did not check the length of data received for a USB buffer. This allowed denial of service (crash) or privilege escalation on a system configured as a usbip client, by the usbip server or by an attacker able to impersonate it over the network. A system configured as a usbip server might be similarly vulnerable to physically present users. CVE-2016-3961 / XSA-174 Vitaly Kuznetsov of Red Hat discovered that Linux allowed use of hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen paravirtualised (PV) guest, although Xen does not support huge pages. This allowed users with access to /dev/hugepages to cause a denial of service (crash) in the guest. CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244 Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA timer, x25, tipc, and rds facilities leaked information from the kernel stack. CVE-2016-4565 Jann Horn of Google Project Zero reported that various components in the InfiniBand stack implemented unusual semantics for the write() operation. On a system with InfiniBand drivers loaded, local users could use this for denial of service or privilege escalation. CVE-2016-4913 Al Viro found that the ISO9660 filesystem implementation did not correctly count the length of certain invalid name entries. Reading a directory containing such name entries would leak information from kernel memory. Users permitted to mount disks or disk images could use this to obtain sensitive information. For Debian 7 'Wheezy', these problems have been fixed in version 3.2.81-1. This update also fixes bug #627782, which caused data corruption in some applications running on an aufs filesystem, and includes many other bug fixes from upstream stable updates 3.2.79, 3.2.80 and 3.2.81. For Debian 8 'Jessie', these problems will be fixed soon. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91687
    published 2016-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91687
    title Debian DLA-516-1 : linux security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2998-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91560
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91560
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2998-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2105-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983143). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bsc#978401). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bsc#979213). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction an exec system call (bsc#986569). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93299
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93299
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2105-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0154.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - sched: panic on corrupted stack end (Jann Horn) [Orabug: 24971921] (CVE-2016-1583) - ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971921] (CVE-2016-1583) - proc: prevent stacking filesystems on top (Jann Horn) [Orabug: 24971921] (CVE-2016-1583)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94534
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94534
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0154)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1596-1.NASL
    description The SUSE Linux Enterprise 12 GA kernel was updated to fix one security issue. The following security bug was fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91669
    published 2016-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91669
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1596-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-1C409313F4.NASL
    description Rebase to latest upstream 4.6 release, 4.6.3. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92232
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92232
    title Fedora 24 : kernel (2016-1c409313f4)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2996-1.NASL
    description Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184) Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185) Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3137) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140) It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156) Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91559
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91559
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-2996-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2766.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/ environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) * It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate) Bug Fix(es) : * Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. (BZ#1377472) * When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation.(BZ#1372266) * Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. (BZ#1379596) * When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. (BZ#1375637) * When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. (BZ#1381592) * When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: 'Medium access timeout failure. Offlining disk!'. This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation. (BZ#1382620)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94980
    published 2016-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94980
    title CentOS 6 : kernel (CESA-2016:2766)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0155.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971919] (CVE-2016-1583) - RDS: IB: fix panic with handlers running post teardown (Santosh Shilimkar) [Orabug: 24395795]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94535
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94535
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0155)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2124.NASL
    description From Red Hat Security Advisory 2016:2124 : An update for kernel is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) Red Hat would like to thank Phil Oester for reporting CVE-2016-5195. Bug Fix(es) : * In some cases, a kernel crash or file system corruption occurred when running journal mode 'ordered'. The kernel crash was caused by a NULL pointer dereference due to a race condition between two journal functions. The file system corruption occurred due to a race condition between the do_get_write_access() function and buffer writeout. This update fixes both race conditions. As a result, neither the kernel crash, nor the file system corruption now occur. (BZ#1067708) * Prior to this update, some Global File System 2 (GFS2) files had incorrect time stamp values due to two problems with handling time stamps of such files. The first problem concerned the atime time stamp, which ended up with an arbitrary value ahead of the actual value, when a GFS2 file was accessed. The second problem was related to the mtime and ctime time stamp updates, which got lost when a GFS2 file was written to from one node and read from or written to from another node. With this update, a set of patches has been applied that fix these problems. As a result, the time stamps of GFS2 files are now handled correctly. (BZ#1374861)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94429
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94429
    title Oracle Linux 5 : kernel (ELSA-2016-2124) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3008-1.NASL
    description Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91570
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91570
    title Ubuntu 16.04 LTS : linux-snapdragon vulnerability (USN-3008-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161028_KERNEL_ON_SL5_X.NASL
    description Security Fix(es) : - A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important) - It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) Bug Fix(es) : - In some cases, a kernel crash or file system corruption occurred when running journal mode 'ordered'. The kernel crash was caused by a NULL pointer dereference due to a race condition between two journal functions. The file system corruption occurred due to a race condition between the do_get_write_access() function and buffer writeout. This update fixes both race conditions. As a result, neither the kernel crash, nor the file system corruption now occur. - Prior to this update, some Global File System 2 (GFS2) files had incorrect time stamp values due to two problems with handling time stamps of such files. The first problem concerned the atime time stamp, which ended up with an arbitrary value ahead of the actual value, when a GFS2 file was accessed. The second problem was related to the mtime and ctime time stamp updates, which got lost when a GFS2 file was written to from one node and read from or written to from another node. With this update, a set of patches has been applied that fix these problems. As a result, the time stamps of GFS2 files are now handled correctly.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 94432
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94432
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2999-1.NASL
    description Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91561
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91561
    title Ubuntu 14.04 LTS : linux vulnerability (USN-2999-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-63EE0999E4.NASL
    description The 4.4.14 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92442
    published 2016-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92442
    title Fedora 22 : kernel (2016-63ee0999e4)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3003-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91565
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91565
    title Ubuntu 15.10 : linux vulnerabilities (USN-3003-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0167.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060055] (CVE-2016-6480) (CVE-2016-6480) - audit: fix a double fetch in audit_log_single_execve_arg (Paul Moore) [Orabug: 25059962] (CVE-2016-6136) - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 24971918] (CVE-2016-1583) (CVE-2016-1583) - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059900] (CVE-2016-4578) - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059900] (CVE-2016-4578) - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059755] (CVE-2016-4569) - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058905] (CVE-2015-8956) - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059195] (CVE-2016-3070) - intel_idle: Fix C0 state for BDW (Guru Anbalagane) [Orabug: 25024180] - intel_idle: update Broadwell cstates (Brian Maly) [Orabug: 25024180] - Revert 'ecryptfs: forbid opening files without mmap handler' (Brian Maly) [Orabug: 24971918] - ocfs2: o2hb: fix hb hung time (Junxiao Bi) - ocfs2: o2hb: don't negotiate if last hb fail (Junxiao Bi) - ocfs2: o2hb: add some user/debug log (Junxiao Bi) - ocfs2: o2hb: add NEGOTIATE_APPROVE message (Junxiao Bi) - ocfs2: o2hb: add NEGO_TIMEOUT message (Junxiao Bi) - ocfs2: o2hb: add negotiate timer (Junxiao Bi) - ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971919] (CVE-2016-1583) - RDS: IB: fix panic with handlers running post teardown (Santosh Shilimkar) [Orabug: 24314773] - ocfs2: improve recovery performance (Junxiao Bi) [Orabug: 24589532] - ocfs2: call ocfs2_journal_access_di before ocfs2_journal_dirty in ocfs2_write_end_nolock (Junxiao Bi) [Orabug: 24606864]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 95366
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95366
    title OracleVM 3.2 : Unbreakable / etc (OVMSA-2016-0167)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1995-1.NASL
    description This update for the Linux Kernel 3.12.51-52_31 fixes several issues. The following security bugs were fixed : - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983144). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2015-8019: The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel did not accept a length argument, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call (bsc#979078). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bsc#979064). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bsc#971793). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bsc#973570, bsc#955837). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93270
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93270
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:1995-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3005-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Multiple race conditions where discovered in the Linux kernel's ext4 file system. A local user could exploit this flaw to cause a denial of service (disk corruption) by writing to a page that is associated with a different users file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash). (CVE-2016-3961) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel could overflow reference counters on systems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to infinite. A local unprivileged attacker could use to create a use-after- free situation, causing a denial of service (system crash) or possibly gain administrative privileges. (CVE-2016-4558) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91567
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91567
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3005-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3000-1.NASL
    description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117) Jann Horn discovered that eCryptfs improperly attempted to use the mmap() handler of a lower filesystem that did not implement one, causing a recursive page fault to occur. A local unprivileged attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-1583) Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004) Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3137) Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140) Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672) It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689) Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951) It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955) Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485) Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486) It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91562
    published 2016-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91562
    title Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-3000-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2766.NASL
    description From Red Hat Security Advisory 2016:2766 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) * It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate) Bug Fix(es) : * Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. (BZ#1377472) * When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation.(BZ#1372266) * Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. (BZ#1379596) * When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. (BZ#1375637) * When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. (BZ#1381592) * When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: 'Medium access timeout failure. Offlining disk!'. This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation. (BZ#1382620)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94908
    published 2016-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94908
    title Oracle Linux 6 : kernel (ELSA-2016-2766)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161115_KERNEL_ON_SL6_X.NASL
    description Security Fix(es) : - It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important) - It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate) Bug Fix(es) : - Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. - When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation. - Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. - When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. - When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. - When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: 'Medium access timeout failure. Offlining disk!'. This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95050
    published 2016-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95050
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
redhat via4
advisories
  • rhsa
    id RHSA-2016:2124
  • rhsa
    id RHSA-2016:2766
  • rhsa
    id RHSA-2017:2760
rpms
  • kernel-0:2.6.18-416.el5
  • kernel-PAE-0:2.6.18-416.el5
  • kernel-PAE-devel-0:2.6.18-416.el5
  • kernel-debug-0:2.6.18-416.el5
  • kernel-debug-devel-0:2.6.18-416.el5
  • kernel-devel-0:2.6.18-416.el5
  • kernel-doc-0:2.6.18-416.el5
  • kernel-headers-0:2.6.18-416.el5
  • kernel-kdump-0:2.6.18-416.el5
  • kernel-kdump-devel-0:2.6.18-416.el5
  • kernel-xen-0:2.6.18-416.el5
  • kernel-xen-devel-0:2.6.18-416.el5
  • kernel-0:2.6.32-642.11.1.el6
  • kernel-abi-whitelists-0:2.6.32-642.11.1.el6
  • kernel-bootwrapper-0:2.6.32-642.11.1.el6
  • kernel-debug-0:2.6.32-642.11.1.el6
  • kernel-debug-devel-0:2.6.32-642.11.1.el6
  • kernel-devel-0:2.6.32-642.11.1.el6
  • kernel-doc-0:2.6.32-642.11.1.el6
  • kernel-firmware-0:2.6.32-642.11.1.el6
  • kernel-headers-0:2.6.32-642.11.1.el6
  • kernel-kdump-0:2.6.32-642.11.1.el6
  • kernel-kdump-devel-0:2.6.32-642.11.1.el6
  • perf-0:2.6.32-642.11.1.el6
  • python-perf-0:2.6.32-642.11.1.el6
refmap via4
bid 91157
confirm
debian DSA-3607
exploit-db 39992
misc
mlist
  • [oss-security] 20160610 [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ
  • [oss-security] 20160622 Re: [vs-plain] Linux kernel stack overflow via ecryptfs and /proc/$pid/environ
sectrack 1036763
suse
  • SUSE-SU-2016:1596
  • SUSE-SU-2016:1672
  • SUSE-SU-2016:1696
  • SUSE-SU-2016:1937
  • SUSE-SU-2016:1961
  • SUSE-SU-2016:1985
  • SUSE-SU-2016:1994
  • SUSE-SU-2016:1995
  • SUSE-SU-2016:2000
  • SUSE-SU-2016:2002
  • SUSE-SU-2016:2005
  • SUSE-SU-2016:2006
  • SUSE-SU-2016:2007
  • SUSE-SU-2016:2009
  • SUSE-SU-2016:2010
  • SUSE-SU-2016:2014
  • SUSE-SU-2016:2105
  • openSUSE-SU-2016:1641
  • openSUSE-SU-2016:2184
ubuntu
  • USN-2996-1
  • USN-2997-1
  • USN-2998-1
  • USN-2999-1
  • USN-3000-1
  • USN-3001-1
  • USN-3002-1
  • USN-3003-1
  • USN-3004-1
  • USN-3005-1
  • USN-3006-1
  • USN-3007-1
  • USN-3008-1
Last major update 28-11-2016 - 15:00
Published 27-06-2016 - 06:59
Last modified 06-12-2018 - 17:29
Back to Top