ID CVE-2016-4997
Summary The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
References
Vulnerable Configurations
  • Linux Kernel 4.6.2
    cpe:2.3:o:linux:linux_kernel:4.6.2
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Novell SUSE Linux Enterprise Desktop 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
  • Novell SUSE Linux Enterprise Server 12.0
    cpe:2.3:o:novell:suse_linux_enterprise_server:12.0
  • Novell SUSE Linux Enterprise Server 12.0 Service Pack 1
    cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0
  • Novell SUSE Linux Enterprise Software Development Kit 12.0 Service Pack 1
    cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:sp1
  • cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
    cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0
  • cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
CVSS
Base: 7.2 (as of 03-10-2016 - 15:40)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
  • description Linux kernel 4.6.2 - IP6T_SO_SET_REPLACE Privilege Escalation. CVE-2016-4997. Local exploit for Lin_x86-64 platform
    file exploits/linux/local/40489.txt
    id EDB-ID:40489
    last seen 2016-10-10
    modified 2016-10-10
    platform linux
    port
    published 2016-10-10
    reporter Qian Zhang
    source https://www.exploit-db.com/download/40489/
    title Linux kernel 4.6.2 - IP6T_SO_SET_REPLACE Privilege Escalation
    type local
  • description Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit). CVE-2016-4997. Local exploit for Lin_x86 platform. Tags:
    file exploits/linux_x86/local/40435.rb
    id EDB-ID:40435
    last seen 2016-09-28
    modified 2016-09-27
    platform linux_x86
    port
    published 2016-09-27
    reporter Metasploit
    source https://www.exploit-db.com/download/40435/
    title Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)
    type local
metasploit via4
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-869.NASL
    description The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362) - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux kernel allowed local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (bnc#980265). The following non-security bugs were fixed : - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469). - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization). - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance). - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position updates for /proc/xen/xenbus (bsc#970275). - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a comment). - Refresh patches.xen/xen3-patch-4.1.7-8. - base: make module_create_drivers_dir race-free (bnc#983977). - ipvs: count pre-established TCP states as active (bsc#970114). - net: thunderx: Fix TL4 configuration for secondary Qsets (bsc#986530). - net: thunderx: Fix link status reporting (bsc#986530).
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92308
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92308
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-869)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0333-1.NASL
    description The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed : - CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710). - CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340). - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831). - CVE-2016-8399: An out of bounds read in the ping protocol handler could have lead to information disclosure (bsc#1014746). - CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531). - CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542). - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038). - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566). - CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832). - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecified removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685). - CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716). - CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711). - CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507). - CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467). - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150). - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968). - CVE-2017-5551: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. This CVE tracks the fix for the tmpfs filesystem. (bsc#1021258). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability (bnc#991608). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365). - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689). - CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96903
    published 2017-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96903
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3607.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140 Ralf Spenneberg of OpenSource Security reported that various USB drivers do not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). - CVE-2016-0821 Solar Designer noted that the list 'poisoning' feature, intended to mitigate the effects of bugs in list manipulation in the kernel, used poison values within the range of virtual addresses that can be allocated by user processes. - CVE-2016-1237 David Sinquin discovered that nfsd does not check permissions when setting ACLs, allowing users to grant themselves permissions to a file by setting the ACL. - CVE-2016-1583 Jann Horn of Google Project Zero reported that the eCryptfs filesystem could be used together with the proc filesystem to cause a kernel stack overflow. If the ecryptfs-utils package is installed, local users could exploit this, via the mount.ecryptfs_private program, for denial of service (crash) or possibly for privilege escalation. - CVE-2016-2117 Justin Yackoski of Cryptonite discovered that the Atheros L2 ethernet driver incorrectly enables scatter/gather I/O. A remote attacker could take advantage of this flaw to obtain potentially sensitive information from kernel memory. - CVE-2016-2143 Marcin Koscielnicki discovered that the fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash). - CVE-2016-3070 Jan Stancek of Red Hat discovered a local denial of service vulnerability in AIO handling. - CVE-2016-3134 The Google Project Zero team found that the netfilter subsystem does not sufficiently validate filter table entries. A user with the CAP_NET_ADMIN capability could use this for denial of service (crash) or possibly for privilege escalation. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this allows privilege escalation. - CVE-2016-3156 Solar Designer discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. - CVE-2016-3157 / XSA-171 Andy Lutomirski discovered that the x86_64 (amd64) task switching implementation did not correctly update the I/O permission level when running as a Xen paravirtual (PV) guest. In some configurations this would allow local users to cause a denial of service (crash) or to escalate their privileges within the guest. - CVE-2016-3672 Hector Marco and Ismael Ripoll noted that it was possible to disable Address Space Layout Randomisation (ASLR) for x86_32 (i386) programs by removing the stack resource limit. This made it easier for local users to exploit security flaws in programs that have the setuid or setgid flag set. - CVE-2016-3951 It was discovered that the cdc_ncm driver would free memory prematurely if certain errors occurred during its initialisation. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash) or possibly to escalate their privileges. - CVE-2016-3955 Ignat Korchagin reported that the usbip subsystem did not check the length of data received for a USB buffer. This allowed denial of service (crash) or privilege escalation on a system configured as a usbip client, by the usbip server or by an attacker able to impersonate it over the network. A system configured as a usbip server might be similarly vulnerable to physically present users. - CVE-2016-3961 / XSA-174 Vitaly Kuznetsov of Red Hat discovered that Linux allowed the use of hugetlbfs on x86 (i386 and amd64) systems even when running as a Xen paravirtualised (PV) guest, although Xen does not support huge pages. This allowed users with access to /dev/hugepages to cause a denial of service (crash) in the guest. - CVE-2016-4470 David Howells of Red Hat discovered that a local user can trigger a flaw in the Linux kernel's handling of key lookups in the keychain subsystem, leading to a denial of service (crash) or possibly to privilege escalation. - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569, CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244 Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA timer, x25, tipc, and rds facilities leaked information from the kernel stack. - CVE-2016-4565 Jann Horn of Google Project Zero reported that various components in the InfiniBand stack implemented unusual semantics for the write() operation. On a system with InfiniBand drivers loaded, local users could use this for denial of service or privilege escalation. - CVE-2016-4581 Tycho Andersen discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local user can take advantage of this flaw to cause a denial of service (system crash). - CVE-2016-4805 Baozeng Ding discovered a use-after-free in the generic PPP layer in the Linux kernel. A local user can take advantage of this flaw to cause a denial of service (system crash), or potentially escalate their privileges. - CVE-2016-4913 Al Viro found that the ISO9660 filesystem implementation did not correctly count the length of certain invalid name entries. Reading a directory containing such name entries would leak information from kernel memory. Users permitted to mount disks or disk images could use this to obtain sensitive information. - CVE-2016-4997 / CVE-2016-4998 Jesse Hertz and Tim Newsham discovered that missing input sanitising in Netfilter socket handling may result in denial of service. Debian disables unprivileged user namespaces by default, if locally enabled with the kernel.unprivileged_userns_clone sysctl, this also allows privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91886
    published 2016-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91886
    title Debian DSA-3607-1 : linux - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2018-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93284
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93284
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2018-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-862.NASL
    description ====================================================================== The openSUSE 13.1 kernel was updated to 3.12.59 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362) - CVE-2014-9717: fs/namespace.c in the Linux kernel processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allowed local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namespace (bnc#928547). - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c (bnc#958463). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010 979064). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#961512 968670). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948 bnc#974646). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911 970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401 bsc#978445). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). The following non-security bugs were fixed : - ALSA: timer: Call notifier in the same spinlock (bsc#973378). - ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378). - ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378). - Add fs/ceph as a supported module. - Add mainline tags to some hyperv patches - Btrfs: do not collect ordered extents when logging that inode exists (bsc#977685). - Btrfs: fix deadlock between direct IO reads and buffered writes (bsc#973855). - Btrfs: fix empty symlink after creating symlink and fsync parent dir (bsc#977685). - Btrfs: fix file loss on log replay after renaming a file and fsync (bsc#977685). - Btrfs: fix file/data loss caused by fsync after rename and new inode (bsc#977685). - Btrfs: fix for incorrect directory entries after fsync log replay (bsc#957805, bsc#977685). - Btrfs: fix loading of orphan roots leading to BUG_ON (bsc#972844). - Btrfs: fix race between fsync and lockless direct IO writes (bsc#977685). - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync (bsc#977685). - Btrfs: teach backref walking about backrefs with underflowed offset values (bsc#975371). - CacheFiles: Fix incorrect test for in-memory object collision (bsc#971049). - CacheFiles: Handle object being killed before being set up (bsc#971049). - Ceph: Remove racey watch/notify event infrastructure (bsc#964727) - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739). - Drivers: hv: util: Pass the channel information during the init call (bnc#978527). - Drivers: hv: utils: Invoke the poll function after handshake (bnc#978527). - Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read(). - Export helper function to set irq affinity in pci-hyperv. - FS-Cache: Add missing initialization of ret in cachefiles_write_page() (bsc#971049). - FS-Cache: Count culled objects and objects rejected due to lack of space (bsc#971049). - FS-Cache: Fix cancellation of in-progress operation (bsc#971049). - FS-Cache: Handle a new operation submitted against a killed object (bsc#971049). - FS-Cache: Move fscache_report_unexpected_submission() to make it more available (bsc#971049). - FS-Cache: Out of line fscache_operation_init() (bsc#971049). - FS-Cache: Permit fscache_cancel_op() to cancel in-progress operations too (bsc#971049). - FS-Cache: Put an aborted initialised op so that it is accounted correctly (bsc#971049). - FS-Cache: Reduce cookie ref count if submit fails (bsc#971049). - FS-Cache: Synchronise object death state change vs operation submission (bsc#971049). - FS-Cache: The operation cancellation method needs calling in more places (bsc#971049). - FS-Cache: Timeout for releasepage() (bsc#971049). - FS-Cache: When submitting an op, cancel it if the target object is dying (bsc#971049). - FS-Cache: fscache_object_is_dead() has wrong logic, kill it (bsc#971049). - Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309) - Fix kabi issue (bsc#971049). - Import kabi files from kernel 3.12.55-52.42 - Import kabi files from kernel 3.12.57-60.35 - Input: i8042 - lower log level for 'no controller' message (bsc#945345). - KVM: x86: expose invariant tsc cpuid bit (v2) (bsc#971770). - NFSv4.1: do not use machine credentials for CLOSE when using 'sec=sys' (bsc#972003). - NVMe: Unify controller probe and resume (bsc#979347). - NVMe: init nvme queue before enabling irq (unknown bsc). - PCI/AER: Fix aer_inject error codes (bsc#931448). - PCI/AER: Log actual error causes in aer_inject (bsc#931448). - PCI/AER: Log aer_inject error injections (bsc#931448). - PCI/AER: Use dev_warn() in aer_inject (bsc#931448). - RDMA/ocrdma: Avoid reporting wrong completions in case of error CQEs (bsc#908151). - Remove VIOSRP_HOST_CONFIG_TYPE from ibmvstgt.c in patches.fixes/0001-ibmvscsi-remove-unsupported-host-conf ig-mad.patch. as well. - Revert 'scsi: fix soft lockup in scsi_remove_target() on module removal' (bsc#970609). - SUNRPC: Fix large reads on NFS/RDMA (bsc#908151). - SUNRPC: remove KERN_INFO from dprintk() call sites (bsc#908151). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - Update patches.kernel.org/patch-3.12.55-56 references (add bsc#973570). - Update patches.suse/kgr-0102-add-TAINT_KGRAFT.patch (fate#313296 bsc#974406). - Use mainline variant of hyperv KVP IP failover patch (bnc#978527) - acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - acpi: Disable APEI error injection if securelevel is set (bsc#972891). - apparmor: Skip proc ns files (bsc#959514). - block: do not check request size in blk_cloned_rq_check_limits() (bsc#972124). - bnx2fc-Do-not-log-for-netevents-that-need-no-action.patc h - btrfs: do not return EBUSY on concurrent subvolume mounts (bsc#951844). - btrfs: handle non-fatal errors in btrfs_qgroup_inherit() (bsc#972951). - btrfs: qgroup: return EINVAL if level of parent is not higher than child's (bsc#972951). - cachefiles: perform test on s_blocksize when opening cache file (bsc#971049). - ceph fscache: Introduce a routine for uncaching single no data page from fscache (Fate#318586). - ceph fscache: Uncaching no data page from fscache in readpage() (Fate#318586). - ceph: Asynchronous IO support (Fate#318586). - ceph: Avoid to propagate the invalid page point (Fate#318586). - ceph: Clean up if error occurred in finish_read() (Fate#318586). - ceph: EIO all operations after forced umount (Fate#318586). - ceph: Implement writev/pwritev for sync operation (Fate#318586). - ceph: add acl for cephfs (Fate#318586). - ceph: add acl, noacl options for cephfs mount (Fate#318586). - ceph: add get_name() NFS export callback (Fate#318586). - ceph: add get_parent() NFS export callback (Fate#318586). - ceph: add imported caps when handling cap export message (Fate#318586). - ceph: add inline data to pagecache (Fate#318586). - ceph: add missing init_acl() for mkdir() and atomic_open() (Fate#318586). - ceph: add open export target session helper (Fate#318586). - ceph: add request to i_unsafe_dirops when getting unsafe reply (Fate#318586). - ceph: additional debugfs output (Fate#318586). - ceph: always re-send cap flushes when MDS recovers (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_mdsc_close_sessions) (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_get_caps) (Fate#318586). - ceph: avoid block operation when !TASK_RUNNING (ceph_mdsc_sync) (Fate#318586). - ceph: avoid releasing caps that are being used (Fate#318586). - ceph: avoid sending unnessesary FLUSHSNAP message (Fate#318586). - ceph: avoid useless ceph_get_dentry_parent_inode() in ceph_rename() (Fate#318586). - ceph: cast PAGE_SIZE to size_t in ceph_sync_write() (Fate#318586). - ceph: ceph_frag_contains_value can be boolean (Fate#318586). - ceph: ceph_get_parent() can be static (Fate#318586). - ceph: check OSD caps before read/write (Fate#318586). - ceph: check buffer size in ceph_vxattrcb_layout() (Fate#318586). - ceph: check caps in filemap_fault and page_mkwrite (Fate#318586). - ceph: check directory's completeness before emitting directory entry (Fate#318586). - ceph: check inode caps in ceph_d_revalidate (Fate#318586). - ceph: check unsupported fallocate mode (Fate#318586). - ceph: check zero length in ceph_sync_read() (Fate#318586). - ceph: checking for IS_ERR instead of NULL (Fate#318586). - ceph: cleanup unsafe requests when reconnecting is denied (Fate#318586). - ceph: cleanup use of ceph_msg_get (Fate#318586). - ceph: clear directory's completeness when creating file (Fate#318586). - ceph: convert inline data to normal data before data write (Fate#318586). - ceph: do not assume r_old_dentry[_dir] always set together (Fate#318586). - ceph: do not chain inode updates to parent fsync (Fate#318586). - ceph: do not grabs open file reference for aborted request (Fate#318586). - ceph: do not include ceph.{file,dir}.layout vxattr in listxattr() (Fate#318586). - ceph: do not include used caps in cap_wanted (Fate#318586). - ceph: do not invalidate page cache when inode is no longer used (Fate#318586). - ceph: do not mark dirty caps when there is no auth cap (Fate#318586). - ceph: do not pre-allocate space for cap release messages (Fate#318586). - ceph: do not set r_old_dentry_dir on link() (Fate#318586). - ceph: do not trim auth cap when there are cap snaps (Fate#318586). - ceph: do not zero i_wrbuffer_ref when reconnecting is denied (Fate#318586). - ceph: drop cap releases in requests composed before cap reconnect (Fate#318586). - ceph: drop extra open file reference in ceph_atomic_open() (Fate#318586). - ceph: drop unconnected inodes (Fate#318586). - ceph: exclude setfilelock requests when calculating oldest tid (Fate#318586). - ceph: export ceph_session_state_name function (Fate#318586). - ceph: fetch inline data when getting Fcr cap refs (Fate#318586). - ceph: fix __dcache_readdir() (Fate#318586). - ceph: fix a comment typo (Fate#318586). - ceph: fix append mode write (Fate#318586). - ceph: fix atomic_open snapdir (Fate#318586). - ceph: fix bool assignments (Fate#318586). - ceph: fix cache revoke race (Fate#318586). - ceph: fix ceph_dir_llseek() (Fate#318586). - ceph: fix ceph_fh_to_parent() (Fate#318586). - ceph: fix ceph_removexattr() (Fate#318586). - ceph: fix ceph_set_acl() (Fate#318586). - ceph: fix ceph_writepages_start() (Fate#318586). - ceph: fix dcache/nocache mount option (Fate#318586). - ceph: fix dentry leaks (Fate#318586). - ceph: fix directory fsync (Fate#318586). - ceph: fix divide-by-zero in __validate_layout() (Fate#318586). - ceph: fix double page_unlock() in page_mkwrite() (Fate#318586). - ceph: fix dout() compile warnings in ceph_filemap_fault() (Fate#318586). - ceph: fix file lock interruption (Fate#318586). - ceph: fix flush tid comparision (Fate#318586). - ceph: fix flushing caps (Fate#318586). - ceph: fix llistxattr on symlink (Fate#318586). - ceph: fix message length computation (Fate#318586). - ceph: fix mksnap crash (Fate#318586). - ceph: fix NULL pointer dereference in send_mds_reconnect() (Fate#318586). - ceph: fix pr_fmt() redefinition (Fate#318586). - ceph: fix queuing inode to mdsdir's snaprealm (Fate#318586). - ceph: fix reading inline data when i_size > PAGE_SIZE (Fate#318586). - ceph: fix request time stamp encoding (Fate#318586). - ceph: fix reset_readdir() (Fate#318586). - ceph: fix setting empty extended attribute (Fate#318586). - ceph: fix sizeof(struct tYpO *) typo (Fate#318586). - ceph: fix snap context leak in error path (Fate#318586). - ceph: fix trim caps (Fate#318586). - ceph: fix uninline data function (Fate#318586). - ceph: flush cap release queue when trimming session caps (Fate#318586). - ceph: flush inline version (Fate#318586). - ceph: forbid mandatory file lock (Fate#318586). - ceph: fscache: Update object store limit after file writing (Fate#318586). - ceph: fscache: Wait for completion of object initialization (Fate#318586). - ceph: fscache: add an interface to synchronize object store limit (Fate#318586). - ceph: get inode size for each append write (Fate#318586). - ceph: handle -ESTALE reply (Fate#318586). - ceph: handle SESSION_FORCE_RO message (Fate#318586). - ceph: handle cap export race in try_flush_caps() (Fate#318586). - ceph: handle cap import atomically (Fate#318586). - ceph: handle frag mismatch between readdir request and reply (Fate#318586). - ceph: handle race between cap reconnect and cap release (Fate#318586). - ceph: handle session flush message (Fate#318586). - ceph: hold on to exclusive caps on complete directories (Fate#318586). - ceph: implement readv/preadv for sync operation (Fate#318586). - ceph: improve readahead for file holes (Fate#318586). - ceph: improve reference tracking for snaprealm (Fate#318586). - ceph: include time stamp in every MDS request (Fate#318586). - ceph: include time stamp in replayed MDS requests (Fate#318586). - ceph: initial CEPH_FEATURE_FS_FILE_LAYOUT_V2 support (Fate#318586). - ceph: initialize inode before instantiating dentry (Fate#318586). - ceph: introduce a new inode flag indicating if cached dentries are ordered (Fate#318586). - ceph: introduce ceph_fill_fragtree() (Fate#318586). - ceph: introduce global empty snap context (Fate#318586). - ceph: invalidate dirty pages after forced umount (Fate#318586). - ceph: keep i_snap_realm while there are writers (Fate#318586). - ceph: kstrdup() memory handling (Fate#318586). - ceph: let MDS adjust readdir 'frag' (Fate#318586). - ceph: make ceph_forget_all_cached_acls() static inline (Fate#318586). - ceph: make fsync() wait unsafe requests that created/modified inode (Fate#318586). - ceph: make sure syncfs flushes all cap snaps (Fate#318586). - ceph: make sure write caps are registered with auth MDS (Fate#318586). - ceph: match wait_for_completion_timeout return type (Fate#318586). - ceph: message versioning fixes (Fate#318586). - ceph: move ceph_find_inode() outside the s_mutex (Fate#318586). - ceph: move spinlocking into ceph_encode_locks_to_buffer and ceph_count_locks (Fate#318586). - ceph: no need to get parent inode in ceph_open (Fate#318586). - ceph: parse inline data in MClientReply and MClientCaps (Fate#318586). - ceph: pre-allocate ceph_cap struct for ceph_add_cap() (Fate#318586). - ceph: pre-allocate data structure that tracks caps flushing (Fate#318586). - ceph: preallocate buffer for readdir reply (Fate#318586). - ceph: print inode number for LOOKUPINO request (Fate#318586). - ceph: properly apply umask when ACL is enabled (Fate#318586). - ceph: properly handle XATTR_CREATE and XATTR_REPLACE (Fate#318586). - ceph: properly mark empty directory as complete (Fate#318586). - ceph: properly release page upon error (Fate#318586). - ceph: properly zero data pages for file holes (Fate#318586). - ceph: provide separate {inode,file}_operations for snapdir (Fate#318586). - ceph: queue cap release in __ceph_remove_cap() (Fate#318586). - ceph: queue vmtruncate if necessary when handing cap grant/revoke (Fate#318586). - ceph: ratelimit warn messages for MDS closes session (Fate#318586). - ceph: re-send AIO write request when getting -EOLDSNAP error (Fate#318586). - ceph: re-send flushing caps (which are revoked) in reconnect stage (Fate#318586). - ceph: re-send requests when MDS enters reconnecting stage (Fate#318586). - ceph: refactor readpage_nounlock() to make the logic clearer (Fate#318586). - ceph: remember subtree root dirfrag's auth MDS (Fate#318586). - ceph: remove exported caps when handling cap import message (Fate#318586). - ceph: remove outdated frag information (Fate#318586). - ceph: remove redundant code for max file size verification (Fate#318586). - ceph: remove redundant declaration (Fate#318586). - ceph: remove redundant memset(0) (Fate#318586). - ceph: remove redundant test of head->safe and silence static analysis warnings (Fate#318586). - ceph: remove the useless judgement (Fate#318586). - ceph: remove unused functions in ceph_frag.h (Fate#318586). - ceph: remove unused stringification macros (Fate#318586). - ceph: remove useless ACL check (Fate#318586). - ceph: remove xattr when null value is given to setxattr() (Fate#318586). - ceph: rename snapshot support (Fate#318586). - ceph: replace comma with a semicolon (Fate#318586). - ceph: request xattrs if xattr_version is zero (Fate#318586). - ceph: reserve caps for file layout/lock MDS requests (Fate#318586). - ceph: reset r_resend_mds after receiving -ESTALE (Fate#318586). - ceph: return error for traceless reply race (Fate#318586). - ceph: rework dcache readdir (Fate#318586). - ceph: send TID of the oldest pending caps flush to MDS (Fate#318586). - ceph: send client metadata to MDS (Fate#318586). - ceph: set caps count after composing cap reconnect message (Fate#318586). - ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference (Fate#318586). - ceph: set mds_wanted when MDS reply changes a cap to auth cap (Fate#318586). - ceph: show nocephx_require_signatures and notcp_nodelay options (Fate#318586). - ceph: show non-default options only (Fate#318586). - ceph: simplify ceph_fh_to_dentry() (Fate#318586). - ceph: simplify two mount_timeout sites (Fate#318586). - ceph: skip invalid dentry during dcache readdir (Fate#318586). - ceph: support inline data feature (Fate#318586). - ceph: switch some GFP_NOFS memory allocation to GFP_KERNEL (Fate#318586). - ceph: sync read inline data (Fate#318586). - ceph: take snap_rwsem when accessing snap realm's cached_context (Fate#318586). - ceph: track pending caps flushing accurately (Fate#318586). - ceph: track pending caps flushing globally (Fate#318586). - ceph: trim unused inodes before reconnecting to recovering MDS (Fate#318586). - ceph: trivial comment fix (Fate#318586). - ceph: update i_max_size even if inode version does not change (Fate#318586). - ceph: update inode fields according to issued caps (Fate#318586). - ceph: use %zu for len in ceph_fill_inline_data() (Fate#318586). - ceph: use ceph_seq_cmp() to compare migrate_seq (Fate#318586). - ceph: use empty snap context for uninline_data and get_pool_perm (Fate#318586). - ceph: use fl->fl_file as owner identifier of flock and posix lock (Fate#318586). - ceph: use fl->fl_type to decide flock operation (Fate#318586). - ceph: use fpos_cmp() to compare dentry positions (Fate#318586). - ceph: use getattr request to fetch inline data (Fate#318586). - ceph: use i_size_{read,write} to get/set i_size (Fate#318586). - ceph: use msecs_to_jiffies for time conversion (Fate#318586). - ceph: use pagelist to present MDS request data (Fate#318586). - ceph: use truncate_pagecache() instead of truncate_inode_pages() (Fate#318586). - ceph_sync_{,direct_}write: fix an oops on ceph_osdc_new_request() failure (Fate#318586). - client: include kernel version in client metadata (Fate#318586). - cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857, bsc#974646). - crush: add chooseleaf_stable tunable (Fate#318586). - crush: decode and initialize chooseleaf_stable (Fate#318586). - crush: ensure bucket id is valid before indexing buckets array (Fate#318586). - crush: ensure take bucket value is valid (Fate#318586). - crush: fix crash from invalid 'take' argument (Fate#318586). - crush: sync up with userspace (Fate#318586). - crypto: testmgr - allow rfc3686 aes-ctr variants in fips mode (bsc#958390). - crypto: testmgr - mark authenticated ctr(aes) also as FIPS able (bsc#958390). - dasd: fix hanging system after LCU changes (bnc#968497, LTC#136671). - drm/core: Preserve the framebuffer after removing it (bsc#968812). - drm/i915: do not warn if backlight unexpectedly enabled (boo#972068). - drm/i915: set backlight duty cycle after backlight enable for gen4 (boo#972780). - drm/radeon: fix-up some float to fixed conversion thinkos (bsc#968813). - drm/radeon: use HDP_MEM_COHERENCY_FLUSH_CNTL for sdma as well (bsc#968813). - ext4: Fix softlockups in SEEK_HOLE and SEEK_DATA implementations (bsc#942262). - ext4: fix races between page faults and hole punching (bsc#972174). - ext4: fix races of writeback with punch hole and zero range (bsc#972174). - fs, seq_file: fallback to vmalloc instead of oom kill processes (bnc#968687). - fs, seqfile: always allow oom killer (bnc#968687). - fs/ceph/debugfs.c: replace seq_printf by seq_puts (Fate#318586). - fs/ceph: replace pr_warning by pr_warn (Fate#318586). - fs/pipe.c: skip file_update_time on frozen fs (bsc#975488). - ibmvscsi: Remove unsupported host config MAD (bsc#973556). - iommu/vt-d: Improve fault handler error messages (bsc#975772). - iommu/vt-d: Ratelimit fault handler (bsc#975772). - ipv6: make fib6 serial number per namespace (bsc#965319). - ipv6: per netns FIB garbage collection (bsc#965319). - ipv6: per netns fib6 walkers (bsc#965319). - ipv6: replace global gc_args with local variable (bsc#965319). - kABI: kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel(). - kABI: protect function file_open_root. - kABI: protect include in evm. - kABI: protect struct user_struct. - kabi fix for patches.fixes/reduce-m_start-cost (bsc#966573). - kabi/severities: Allow changes in zpci_* symbols (bsc#974692) - kabi/severities: Whitelist libceph and rbd (bsc#964727). - kabi/severities: Whitelist libceph and rbd (fate#318586). - kabi: kgr, add reserved fields (fate#313296). - kabi: protect struct fc_rport_priv (bsc#953233, bsc#962846). - kabi: protect struct netns_ipv6 after FIB6 GC series (bsc#965319). - kgr: add TAINT_KGRAFT (fate#313296). - kgr: add kgraft annotation to hwrng kthread (fate#313296). - kgr: add kgraft annotations to kthreads' wait_event_freezable() API calls (fate#313296). - kgr: add objname to kgr_patch_fun struct (fate#313296). - kgr: add sympos and objname to error and debug messages (fate#313296). - kgr: add sympos as disambiguator field to kgr_patch_fun structure (fate#313296). - kgr: add sympos to sysfs (fate#313296). - kgr: call kgr_init_ftrace_ops() only for loaded objects (fate#313296). - kgr: change to kallsyms_on_each_symbol iterator (fate#313296). - kgr: define pr_fmt and modify all pr_* messages (fate#313296). - kgr: do not print error for !abort_if_missing symbols (bnc#943989). - kgr: do not return and print an error only if the object is not loaded (fate#313296). - kgr: do not use WQ_MEM_RECLAIM workqueue (bnc#963572). - kgr: fix an asymmetric dealing with delayed module loading (fate#313296). - kgr: fix redirection on s390x arch (bsc#903279). - kgr: fix reversion of a patch already reverted by a replace_all patch (fate#313296). - kgr: fix subtle race with kgr_module_init(), going notifier and kgr_modify_kernel() (fate#313296). - kgr: handle btrfs kthreads (fate#313296 bnc#889207). - kgr: kmemleak, really mark the kthread safe after an interrupt (fate#313296). - kgr: log when modifying kernel (fate#317827). - kgr: mark kernel unsupported upon patch revert (fate#313296). - kgr: mark some more missed kthreads (bnc#962336). - kgr: remove abort_if_missing flag (fate#313296). - kgr: usb/storage: do not emit thread awakened (bnc#899908). - kgraft/gfs2: Do not block livepatching in the log daemon for too long (fate#313296). - kgraft/xen: Do not block livepatching in the XEN blkif kthread (fate#313296). - libceph: Avoid holding the zero page on ceph_msgr_slab_init errors (Fate#318586). - libceph: Fix ceph_tcp_sendpage()'s more boolean usage (Fate#318586). - libceph: MOSDOpReply v7 encoding (Fate#318586). - libceph: Remove spurious kunmap() of the zero page (Fate#318586). - libceph: a couple tweaks for wait loops (Fate#318586). - libceph: add nocephx_sign_messages option (Fate#318586). - libceph: advertise support for TUNABLES5 (Fate#318586). - libceph: advertise support for keepalive2 (Fate#318586). - libceph: allow setting osd_req_op's flags (Fate#318586). - libceph: check data_len in ->alloc_msg() (Fate#318586). - libceph: clear messenger auth_retry flag if we fault (Fate#318586). - libceph: clear msg->con in ceph_msg_release() only (Fate#318586). - libceph: do not access invalid memory in keepalive2 path (Fate#318586). - libceph: do not spam dmesg with stray reply warnings (Fate#318586). - libceph: drop authorizer check from cephx msg signing routines (Fate#318586). - libceph: evaluate osd_req_op_data() arguments only once (Fate#318586). - libceph: fix authorizer invalidation, take 2 (Fate#318586). - libceph: fix ceph_msg_revoke() (Fate#318586). - libceph: fix wrong name 'Ceph filesystem for Linux' (Fate#318586). - libceph: handle writefull for OSD op extent init (bsc#980706). - libceph: introduce ceph_x_authorizer_cleanup() (Fate#318586). - libceph: invalidate AUTH in addition to a service ticket (Fate#318586). - libceph: kill off ceph_x_ticket_handler::validity (Fate#318586). - libceph: move ceph_file_layout helpers to ceph_fs.h (Fate#318586). - libceph: msg signing callouts do not need con argument (Fate#318586). - libceph: nuke time_sub() (Fate#318586). - libceph: properly release STAT request's raw_data_in (Fate#318586). - libceph: remove con argument in handle_reply() (Fate#318586). - libceph: remove outdated comment (Fate#318586). - libceph: remove the unused macro AES_KEY_SIZE (Fate#318586). - libceph: rename con_work() to ceph_con_workfn() (Fate#318586). - libceph: set 'exists' flag for newly up osd (Fate#318586). - libceph: stop duplicating client fields in messenger (Fate#318586). - libceph: store timeouts in jiffies, verify user input (Fate#318586). - libceph: treat sockaddr_storage with uninitialized family as blank (Fate#318586). - libceph: use keepalive2 to verify the mon session is alive (Fate#318586). - libceph: use list_for_each_entry_safe (Fate#318586). - libceph: use list_next_entry instead of list_entry_next (Fate#318586). - libceph: use local variable cursor instead of msg->cursor (Fate#318586). - libceph: use the right footer size when skipping a message (Fate#318586). - libfc: replace 'rp_mutex' with 'rp_lock' (bsc#953233, bsc#962846). - mds: check cap ID when handling cap export message (Fate#318586). - mmc: Allow forward compatibility for eMMC (bnc#966054). - mmc: sdhci: Allow for irq being shared (bnc#977582). - mpt3sas: Fix use sas_is_tlr_enabled API before enabling MPI2_SCSIIO_CONTROL_TLR_ON flag (bsc#967640). - nfs-rdma: Fix for FMR leaks (bsc#908151). - nfs: fix high load average due to callback thread sleeping (bsc#971170). - nvme: fix max_segments integer truncation (bsc#976471). - ocfs2: do not set fs read-only if rec[0] is empty while committing truncate (bnc#971947). - ocfs2: extend enough credits for freeing one truncate record while replaying truncate records (bnc#971947). - ocfs2: extend transaction for ocfs2_remove_rightmost_path() and ocfs2_update_edge_lengths() before to avoid inconsistency between inode and et (bnc#971947). - pipe: limit the per-user amount of pages allocated in pipes (bsc#970948). - powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel (bsc@976821). - powerpc/book3s64: Remove __end_handlers marker (bsc#976821). - rbd: bump queue_max_segments (Fate#318586). - rbd: delete an unnecessary check before rbd_dev_destroy() (Fate#318586). - rbd: do not free rbd_dev outside of the release callback (Fate#318586). - rbd: do not put snap_context twice in rbd_queue_workfn() (Fate#318586). - rbd: drop null test before destroy functions (Fate#318586). - rbd: handle OBJ_REQUEST_SG types for copyup (bsc#983394). - rbd: plug rbd_dev->header.object_prefix memory leak (Fate#318586). - rbd: rbd_wq comment is obsolete (Fate#318586). - rbd: remove duplicate calls to rbd_dev_mapping_clear() (Fate#318586). - rbd: report unsupported features to syslog (bsc#979169). - rbd: return -ENOMEM instead of pool id if rbd_dev_create() fails (Fate#318586). - rbd: set device_type::release instead of device::release (Fate#318586). - rbd: set max_sectors explicitly (Fate#318586). - rbd: store rbd_options in rbd_device (Fate#318586). - rbd: terminate rbd_opts_tokens with Opt_err (Fate#318586). - rbd: timeout watch teardown on unmap with mount_timeout (Fate#318586). - rbd: use GFP_NOIO consistently for request allocations (bsc#971159). - rbd: use writefull op for object size writes (Fate#318586). - reduce m_start() cost.. (bsc#966573). - rpm/modprobe-xen.conf: Revert comment change to allow parallel install (bsc#957986). This reverts commit 6c6d86d3cdc26f7746fe4ba2bef8859b5aeb346c. - s390/compat: correct restore of high gprs on signal return (bnc#968497, LTC#137571). - s390/pageattr: do a single TLB flush for change_page_attr (bsc#940413). - s390/pci: add extra padding to function measurement block (bnc#974692, LTC#139445). - s390/pci: enforce fmb page boundary rule (bnc#974692, LTC#139445). - s390/pci: extract software counters from fmb (bnc#974692, LTC#139445). - s390/pci: remove pdev pointer from arch data (bnc#974692, LTC#139444). - s390/pci_dma: fix DMA table corruption with > 4 TB main memory (bnc#974692, LTC#139401). - s390/pci_dma: handle dma table failures (bnc#974692, LTC#139442). - s390/pci_dma: improve debugging of errors during dma map (bnc#974692, LTC#139442). - s390/pci_dma: unify label of invalid translation table entries (bnc#974692, LTC#139442). - s390/zcrypt: HWRNG registration cause kernel panic on CEX hotplug (bnc#968497, LTC#138409). - scsi-bnx2fc-handle_scsi_retry_delay - scsi-bnx2fc-soft_lockup_when_rmmod - scsi: Add intermediate STARGET_REMOVE state to scsi_target_state (bsc#970609). - scsi: Avoid crashing if device uses DIX but adapter does not support it (bsc#969016). - sd: get disk reference in sd_check_events() (bnc#897662). - supported.conf : - supported.conf: Add bridge.ko for OpenStack (bsc#971600) - supported.conf: add pci-hyperv - supported.conf:Add drivers/infiniband/hw/ocrdma/ocrdma.ko to supported.conf (bsc#964461) - svcrdma: Fence LOCAL_INV work requests (bsc#908151). - svcrdma: advertise the correct max payload (bsc#908151). - svcrdma: fix offset calculation for non-page aligned sge entries (bsc#908151). - svcrdma: fix printk when memory allocation fails (bsc#908151). - svcrdma: refactor marshalling logic (bsc#908151). - svcrdma: send_write() must not overflow the device's max sge (bsc#908151). - target/rbd: do not put snap_context twice (bsc#981143). - target/rbd: remove caw_mutex usage (bsc#981143). - target: Drop incorrect ABORT_TASK put for completed commands (bsc#962872). - target: Fix LUN_RESET active I/O handling for ACK_KREF (bsc#962872). - target: Fix LUN_RESET active TMR descriptor handling (bsc#962872). - target: Fix TAS handling for multi-session se_node_acls (bsc#962872). - target: Fix race with SCF_SEND_DELAYED_TAS handling (bsc#962872). - target: Fix remote-port TMR ABORT + se_cmd fabric stop (bsc#962872). - tcp: convert cached rtt from usec to jiffies when feeding initial rto (bsc#937086). - vgaarb: Add more context to error messages (bsc#976868). - xen/acpi: Disable ACPI table override when UEFI Secure Boot is enabled (bsc#970604). - xen: Linux 3.12.58. - xprtrdma: Allocate missing pagelist (bsc#908151). - xprtrdma: Avoid deadlock when credit window is reset (bsc#908151). - xprtrdma: Disconnect on registration failure (bsc#908151). - xprtrdma: Ensure ia->ri_id->qp is not NULL when reconnecting (bsc#908151). - xprtrdma: Fall back to MTHCAFMR when FRMR is not supported (bsc#908151). - xprtrdma: Limit work done by completion handler (bsc#908151). - xprtrdma: Make rpcrdma_ep_destroy() return void (bsc#908151). - xprtrdma: RPC/RDMA must invoke xprt_wake_pending_tasks() in process context (bsc#908151). - xprtrdma: Reduce the number of hardway buffer allocations (bsc#908151). - xprtrdma: Remove BOUNCEBUFFERS memory registration mode (bsc#908151). - xprtrdma: Remove BUG_ON() call sites (bsc#908151). - xprtrdma: Remove MEMWINDOWS registration modes (bsc#908151). - xprtrdma: Remove REGISTER memory registration mode (bsc#908151). - xprtrdma: Remove Tavor MTU setting (bsc#908151). - xprtrdma: Reset connection timeout after successful reconnect (bsc#908151). - xprtrdma: Simplify rpcrdma_deregister_external() synopsis (bsc#908151). - xprtrdma: Split the completion queue (bsc#908151). - xprtrdma: Use macros for reconnection timeout constants (bsc#908151). - xprtrdma: mind the device's max fast register page list depth (bsc#908151). - xprtrdma: mount reports 'Invalid mount option' if memreg mode not supported (bsc#908151). - xprtrmda: Reduce calls to ib_poll_cq() in completion handlers (bsc#908151). - xprtrmda: Reduce lock contention in completion handlers (bsc#908151).
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92007
    published 2016-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92007
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-862)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3338-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 100990
    published 2017-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100990
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-3338-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0133.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Btrfs: fix truncation of compressed and inlined extents (Ashish Samant) [Orabug: 22307285] (CVE-2015-8374) - Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307285] (CVE-2015-8374) - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682074] (CVE-2016-4997) (CVE-2016-4998) - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682074] (CVE-2016-4997) (CVE-2016-4998) - rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 24624195] - ib_core: make wait_event uninterruptible in ib_flush_fmr_pool (Avinash Repaka) [Orabug: 24655952] - net/mlx4: Support shutdown interface (Gavin Shan) [Orabug: 24624181]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 93680
    published 2016-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93680
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0133)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0158.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: 24928646] (CVE-2016-5195) - HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands (Scott Bauer) [Orabug: 24798694] (CVE-2016-5829) - Revert 'rds: skip rx/tx work when destroying connection' (Brian Maly) [Orabug: 24790158] - netfilter: x_tables: speed up jump target validation (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES (Pablo Neira Ayuso) [Orabug: 24690302] (CVE-2016-3134) - netfilter: remove unused comefrom hookmask argument (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: introduce and use xt_copy_counters_from_user (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: do compat validation via translate_table (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: ip6_tables: simplify translate_compat_table args (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: ip_tables: simplify translate_compat_table args (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: arp_tables: simplify translate_compat_table args (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: don't reject valid target size on some architectures (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: validate all offsets and sizes in a rule (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: check for bogus target offset (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: check standard target size too (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: add compat version of xt_check_entry_offsets (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: assert minimum target size (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: kill check_entry helper (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: add and use xt_check_entry_offsets (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: validate targets of jumps (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: fix unconditional helper (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: validate targets of jumps (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: don't move to non-existent next rule (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: fix unconditional helper (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - netfilter: x_tables: check for size overflow (Florian Westphal) [Orabug: 24690302] (CVE-2016-3134) - ocfs2: Fix double put of recount tree in ocfs2_lock_refcount_tree (Ashish Samant) [Orabug: 24587406] - TTY: do not reset master's packet mode (Jiri Slaby) [Orabug: 24569399] - ocfs2: Fix start offset to ocfs2_zero_range_for_truncate (Ashish Samant) [Orabug: 24500401] - rds: skip rx/tx work when destroying connection (Wengang Wang) - Revert 'IPoIB: serialize changing on tx_outstanding' (Wengang Wang) - xen/events: document behaviour when scanning the start word for events (Dongli Zhang) [Orabug: 23083945] - xen/events: mask events when changing their VCPU binding (Dongli Zhang) [Orabug: 23083945] - xen/events: initialize local per-cpu mask for all possible events (Dongli Zhang) [Orabug: 23083945] - IB/mlx4: Replace kfree with kvfree in mlx4_ib_destroy_srq (Wengang Wang) [Orabug: 22570922] - NFS: Remove BUG_ON calls from the generic writeback code (Trond Myklebust) [Orabug: 22386565] - ocfs2: return non-zero st_blocks for inline data (John Haxby) - oracleasm: Classify device connectivity issues as global errors (Martin K. Petersen) [Orabug: 21760143] - Btrfs: fix truncation of compressed and inlined extents (Divya Indi) [Orabug: 22307286] (CVE-2015-8374) - Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307286] (CVE-2015-8374) - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682073] (CVE-2016-4997) (CVE-2016-4998) - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682071] (CVE-2016-4997) (CVE-2016-4998) - rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 22819661] - ib_core: make wait_event uninterruptible in ib_flush_fmr_pool (Avinash Repaka) [Orabug: 24525022] - net/mlx4: Support shutdown interface (Ajaykumar Hotchandani) - KEYS: potential uninitialized variable (Dan Carpenter) [Orabug: 24393863] (CVE-2016-4470) - atl2: Disable unimplemented scatter/gather feature (Ben Hutchings) [Orabug: 23703990] (CVE-2016-2117) - mlx4_core: add module parameter to disable background init (Mukesh Kacker) [Orabug: 23292107] - NFSv4: Don't decode fs_locations if we didn't ask for them... (Trond Myklebust) [Orabug: 23633714] - mm/slab: Improve performance of slabinfo stats gathering (Aruna Ramakrishna) [Orabug: 23050884] - offload ib subnet manager port and node get info query handling. (Rama Nichanamatlu) [Orabug: 22521735] - fix typo/thinko in get_random_bytes (Tony Luck) [Orabug: 23726807]
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94929
    published 2016-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94929
    title OracleVM 3.2 : Unbreakable / etc (OVMSA-2016-0158) (Dirty COW)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1048.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.(CVE-2016-3134) - The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.(CVE-2016-4997) - The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.(CVE-2016-4998) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 99811
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99811
    title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1048)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-1847.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Bug Fix(es) : * In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947) * Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040) * Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302) * Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972) Enhancement(s) : * With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774) * With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352) * The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161) Additional Changes : Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93594
    published 2016-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93594
    title CentOS 7 : kernel (CESA-2016:1847)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2245-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-3955: The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel allowed remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet (bnc#975945). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365). - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the PIT counter values during state restoration, which allowed guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions (bnc#960689). - CVE-2013-4312: The Linux kernel allowed local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure was initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bnc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandled NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack. (bsc#989152) - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a 'double fetch' vulnerability. (bsc#991608) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93370
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93370
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2245-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0134.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682076] (CVE-2016-4997) (CVE-2016-4998) - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682076] (CVE-2016-4997) (CVE-2016-4998)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 93709
    published 2016-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93709
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0134)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3019-1.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91882
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91882
    title Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-3019-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-718.NASL
    description A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitary kernel memory when unloading a kernel module. This action is usually restricted to root-priveledged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS. (CVE-2016-4997) An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998) A vulnerability was found in the Linux kernel. The pointer to the netlink socket attribute is not checked, which could cause a NULL pointer dereference when parsing the nested attributes in function tipc_nl_publ_dump(). This allows local users to cause a DoS. (CVE-2016-4951) A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. (CVE-2016-9806) (Updated on 2016-07-14: CVE-2016-4998 and CVE-2016-4951 were fixed in this version, but was not previously listed in this errata.) (Updated on 2017-01-19: CVE-2016-9806 was fixed in this release but was previously not part of this errata.)
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 91858
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91858
    title Amazon Linux AMI : kernel (ALAS-2016-718)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3018-1.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91880
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91880
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3018-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3018-2.NASL
    description USN-3018-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Jann Horn discovered that the InfiniBand interfaces within the Linux kernel could be coerced into overwriting kernel memory. A local unprivileged attacker could use this to possibly gain administrative privileges on systems where InifiniBand related kernel modules are loaded. (CVE-2016-4565) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91881
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91881
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3018-2)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3617.NASL
    description Description of changes: kernel-uek [3.8.13-118.11.2.el7uek] - Btrfs: fix truncation of compressed and inlined extents (Ashish Samant) [Orabug: 22307285] {CVE-2015-8374} - Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307285] {CVE-2015-8374} - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682074] {CVE-2016-4997} {CVE-2016-4998} - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682074] {CVE-2016-4997} {CVE-2016-4998} [3.8.13-118.11.1.el7uek] - rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 24624195] - ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() (Avinash Repaka) [Orabug: 24655952] - net/mlx4: Support shutdown() interface (Gavin Shan) [Orabug: 24624181] - tcp: make challenge acks less predictable (Eric Dumazet) [Orabug: 24010012] [Orabug: 2401010] {CVE-2016-5696} [3.8.13-118.10.1.el7uek] - ocfs2: call ocfs2_journal_access_di() before ocfs2_journal_dirty() in ocfs2_write_end_nolock() (yangwenfang) [Orabug: 19601200] - ocfs2: improve recovery performance (Junxiao Bi) [Orabug: 24395691]
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 93676
    published 2016-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93676
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3617)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3017-2.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91878
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91878
    title Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-3017-2)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3618.NASL
    description Description of changes: [2.6.39-400.284.2.el6uek] - Btrfs: fix truncation of compressed and inlined extents (Divya Indi) [Orabug: 22307286] {CVE-2015-8374} - Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307286] {CVE-2015-8374} - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682073] {CVE-2016-4997} {CVE-2016-4998} - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682071] {CVE-2016-4997} {CVE-2016-4998} [2.6.39-400.284.1.el6uek] - rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 22819661] - ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() (Avinash Repaka) [Orabug: 24525022] - net/mlx4: Support shutdown() interface (Ajaykumar Hotchandani) [Orabug: 24616261]
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 93677
    published 2016-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93677
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3618)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2658-1.NASL
    description This update for the Linux Kernel 3.12.60-52_49 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004419). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986377). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94325
    published 2016-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94325
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2658-1) (Dirty COW)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1029.NASL
    description The openSUSE 13.1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975531 bsc#975533). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (bsc#983143) - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. (bnc#978401) - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548 bsc#980363). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. (bsc#979213) - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. (bnc#986365). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. (bsc#986569) - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). The following non-security bugs were fixed : - Add wait_event_cmd() (bsc#953048). - alsa: hrtimer: Handle start/stop more properly (bsc#973378). - base: make module_create_drivers_dir race-free (bnc#983977). - btrfs: be more precise on errors when getting an inode from disk (bsc#981038). - btrfs: do not use src fd for printk (bsc#980348). - btrfs: improve performance on fsync against new inode after rename/unlink (bsc#981038). - btrfs: qgroup: Fix qgroup accounting when creating snapshot (bsc#972933). - btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844). - cdc_ncm: workaround for EM7455 'silent' data interface (bnc#988552). - ceph: tolerate bad i_size for symlink inode (bsc#985232). - drm/mgag200: Add support for a new G200eW3 chipset (bsc#983904). - drm/mgag200: Add support for a new rev of G200e (bsc#983904). - drm/mgag200: Black screen fix for G200e rev 4 (bsc#983904). - drm/mgag200: remove unused variables (bsc#983904). - drm: qxl: Workaround for buggy user-space (bsc#981344). - EDAC: Correct channel count limit (bsc#979521). - EDAC: Remove arbitrary limit on number of channels (bsc#979521). - EDAC, sb_edac: Add support for duplicate device IDs (bsc#979521). - EDAC/sb_edac: Fix computation of channel address (bsc#979521). - EDAC, sb_edac: Fix rank lookup on Broadwell (bsc#979521). - EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs() (bsc#979521). - EDAC: Use static attribute groups for managing sysfs entries (bsc#979521). - efifb: Add support for 64-bit frame buffer addresses (bsc#973499). - efifb: Fix 16 color palette entry calculation (bsc#983318). - efifb: Fix KABI of screen_info struct (bsc#973499). - ehci-pci: enable interrupt on BayTrail (bnc#947337). - enic: set netdev->vlan_features (bsc#966245). - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681) - hid-elo: kill not flush the work (bnc#982354). - iommu/vt-d: Enable QI on all IOMMUs before setting root entry (bsc#975772). - ipvs: count pre-established TCP states as active (bsc#970114). - kabi: prevent spurious modversion changes after bsc#982544 fix (bsc#982544). - kabi/severities: Added raw3270_* PASS to allow IBM LTC changes. (bnc#979922, LTC#141736) - ktime: make ktime_divns exported on 32-bit architectures. - md: be careful when testing resync_max against curr_resync_completed (bsc#953048). - md: do_release_stripe(): No need to call md_wakeup_thread() twice (bsc#953048). - md: make sure MD_RECOVERY_DONE is clear before starting recovery/resync (bsc#953048). - md/raid56: Do not perform reads to support writes until stripe is ready. - md/raid5: add handle_flags arg to break_stripe_batch_list (bsc#953048). - md/raid5: allow the stripe_cache to grow and shrink (bsc#953048). - md/raid5: always set conf->prev_chunk_sectors and ->prev_algo (bsc#953048). - md/raid5: avoid races when changing cache size (bsc#953048). - md/raid5: avoid reading parity blocks for full-stripe write to degraded array (bsc#953048). - md/raid5: be more selective about distributing flags across batch (bsc#953048). - md/raid5: break stripe-batches when the array has failed (bsc#953048). - md/raid5: call break_stripe_batch_list from handle_stripe_clean_event (bsc#953048). - md/raid5: change ->inactive_blocked to a bit-flag (bsc#953048). - md/raid5: clear R5_NeedReplace when no longer needed (bsc#953048). - md/raid5: close race between STRIPE_BIT_DELAY and batching (bsc#953048). - md/raid5: close recently introduced race in stripe_head management. - md/raid5: consider updating reshape_position at start of reshape (bsc#953048). - md/raid5: deadlock between retry_aligned_read with barrier io (bsc#953048). - md/raid5: do not do chunk aligned read on degraded array (bsc#953048). - md/raid5: do not index beyond end of array in need_this_block() (bsc#953048). - md/raid5: do not let shrink_slab shrink too far (bsc#953048). - md/raid5: duplicate some more handle_stripe_clean_event code in break_stripe_batch_list (bsc#953048). - md/raid5: Ensure a batch member is not handled prematurely (bsc#953048). - md/raid5: ensure device failure recorded before write request returns (bsc#953048). - md/raid5: ensure whole batch is delayed for all required bitmap updates (bsc#953048). - md/raid5: fix allocation of 'scribble' array (bsc#953048). - md/raid5: fix another livelock caused by non-aligned writes (bsc#953048). - md/raid5: fix handling of degraded stripes in batches (bsc#953048). - md/raid5: fix init_stripe() inconsistencies (bsc#953048). - md/raid5: fix locking in handle_stripe_clean_event() (bsc#953048). - md/raid5: fix newly-broken locking in get_active_stripe. - md/raid5: For stripe with R5_ReadNoMerge, we replace REQ_FLUSH with REQ_NOMERGE. - md/raid5: handle possible race as reshape completes (bsc#953048). - md/raid5: ignore released_stripes check (bsc#953048). - md/raid5: more incorrect BUG_ON in handle_stripe_fill (bsc#953048). - md/raid5: move max_nr_stripes management into grow_one_stripe and drop_one_stripe (bsc#953048). - md/raid5: need_this_block: start simplifying the last two conditions (bsc#953048). - md/raid5: need_this_block: tidy/fix last condition (bsc#953048). - md/raid5: new alloc_stripe() to allocate an initialize a stripe (bsc#953048). - md/raid5: pass gfp_t arg to grow_one_stripe() (bsc#953048). - md/raid5: per hash value and exclusive wait_for_stripe (bsc#953048). - md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list. - md/raid5: remove condition test from check_break_stripe_batch_list (bsc#953048). - md/raid5: remove incorrect 'min_t()' when calculating writepos (bsc#953048). - md/raid5: remove redundant check in stripe_add_to_batch_list() (bsc#953048). - md/raid5: separate large if clause out of fetch_block() (bsc#953048). - md/raid5: separate out the easy conditions in need_this_block (bsc#953048). - md/raid5: split wait_for_stripe and introduce wait_for_quiescent (bsc#953048). - md/raid5: strengthen check on reshape_position at run (bsc#953048). - md/raid5: switch to use conf->chunk_sectors in place of mddev->chunk_sectors where possible (bsc#953048). - md/raid5: use bio_list for the list of bios to return (bsc#953048). - md/raid5: use ->lock to protect accessing raid5 sysfs attributes (bsc#953048). - md: remove unwanted white space from md.c (bsc#953048). - md: use set_bit/clear_bit instead of shift/mask for bi_flags changes (bsc#953048). - mm: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491). - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721). - net: Account for all vlan headers in skb_mac_gso_segment (bsc#968667). - net: disable fragment reassembly if high_thresh is set to zero (bsc#970506). - netfilter: bridge: do not leak skb in error paths (bsc#982544). - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544). - netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (bsc#982544). - net: fix wrong mac_len calculation for vlans (bsc#968667). - net/qlge: Avoids recursive EEH error (bsc#954847). - net: Start with correct mac_len in skb_network_protocol (bsc#968667). - nvme: don't poll the CQ from the kthread (bsc#975788, bsc#965087). - PCI/AER: Clear error status registers during enumeration and restore (bsc#985978). - perf/rapl: Fix sysfs_show() initialization for RAPL PMU (bsc#979489). - perf/x86/intel: Add Intel RAPL PP1 energy counter support (bsc#979489). - ppp: defer netns reference release for ppp channel (bsc#980371). - qeth: delete napi struct when removing a qeth device (bnc#988215, LTC#143590). - raid5: add a new flag to track if a stripe can be batched (bsc#953048). - raid5: add an option to avoid copy data from bio to stripe cache (bsc#953048). - raid5: avoid release list until last reference of the stripe (bsc#953048). - raid5: batch adjacent full stripe write (bsc#953048). - raid5: check faulty flag for array status during recovery (bsc#953048). - RAID5: check_reshape() shouldn't call mddev_suspend (bsc#953048). - raid5: fix a race of stripe count check. - raid5: fix broken async operation chain (bsc#953048). - raid5: get_active_stripe avoids device_lock. - raid5: handle expansion/resync case with stripe batching (bsc#953048). - raid5: handle io error of batch list (bsc#953048). - raid5: make_request does less prepare wait. - raid5: relieve lock contention in get_active_stripe(). - raid5: relieve lock contention in get_active_stripe(). - raid5: Retry R5_ReadNoMerge flag when hit a read error. - RAID5: revert e9e4c377e2f563 to fix a livelock (bsc#953048). - raid5: speedup sync_request processing (bsc#953048). - raid5: track overwrite disk count (bsc#953048). - raid5: update analysis state for failed stripe (bsc#953048). - raid5: use flex_array for scribble data (bsc#953048). - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469). - s390/3270: add missing tty_kref_put (bnc#979922, LTC#141736). - s390/3270: avoid endless I/O loop with disconnected 3270 terminals (bnc#979922, LTC#141736). - s390/3270: fix garbled output on 3270 tty view (bnc#979922, LTC#141736). - s390/3270: fix view reference counting (bnc#979922, LTC#141736). - s390/3270: handle reconnect of a tty with a different size (bnc#979922, LTC#141736). - s390/3270: hangup the 3270 tty after a disconnect (bnc#979922, LTC#141736). - s390: fix test_fp_ctl inline assembly contraints (bnc#988215, LTC#143138). - s390/mm: fix asce_bits handling with dynamic pagetable levels (bnc#979922, LTC#141456). - s390/spinlock: avoid yield to non existent cpu (bnc#979922, LTC#141106). - sb_edac: correctly fetch DIMM width on Ivy Bridge and Haswell (bsc#979521). - sb_edac: Fix a typo and a thinko in address handling for Haswell (bsc#979521). - sb_edac: Fix support for systems with two home agents per socket (bsc#979521). - sb_edac: look harder for DDRIO on Haswell systems (bsc#979521). - sb_edac: support for Broadwell -EP and -EX (bsc#979521). - sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency (bnc#988498). - sched/cputime: Fix cpu_timer_sample_group() double accounting (bnc#988498). - sched: Provide update_curr callbacks for stop/idle scheduling classes (bnc#988498). - sched/x86: Fix up typo in topology detection (bsc#974165). - scsi: Increase REPORT_LUNS timeout (bsc#982282). - series.conf: move netfilter section at the end of core networking - series.conf: move stray netfilter patches to the right section - target/rbd: do not put snap_context twice (bsc#981143). - target/rbd: remove caw_mutex usage (bsc#981143). - Update patches.drivers/0001-nvme-fix-max_segments-integer-trunc ation.patch (bsc#979419). Fix reference. - Update patches.drivers/nvme-0106-init-nvme-queue-before-enablin g-irq.patch (bsc#962742). Fix incorrect bugzilla referece. - usb: quirk to stop runtime PM for Intel 7260 (bnc#984456). - usb: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982698). - VSOCK: Fix lockdep issue (bsc#977417). - VSOCK: sock_put wasn't safe to call in interrupt context (bsc#977417). - wait: introduce wait_event_exclusive_cmd (bsc#953048). - x86 EDAC, sb_edac.c: Repair damage introduced when 'fixing' channel address (bsc#979521). - x86 EDAC, sb_edac.c: Take account of channel hashing when needed (bsc#979521). - x86/efi: parse_efi_setup() build fix (bsc#979485). - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620). - x86: Removed the free memblock of hibernat keys to avoid memory corruption (bsc#990058). - x86, sched: Add new topology for multi-NUMA-node CPUs (bsc#974165). - x86: standardize mmap_rnd() usage (bnc#974308). - xen: fix i586 build after SLE12-SP1 commit 2f4c3ff45d5e. - xfs: fix premature enospc on inode allocation (bsc#984148). - xfs: get rid of XFS_IALLOC_BLOCKS macros (bsc#984148). - xfs: get rid of XFS_INODE_CLUSTER_SIZE macros (bsc#984148).
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 93216
    published 2016-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93216
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-1029)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1015.NASL
    description The openSUSE 13.2 kernel was updated to fix various bugs and security issues. The following security bugs were fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandles NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971919 971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401 bsc#978445). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548 bsc#980363). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4581: fs/pnode.c in the Linux kernel did not properly traverse a mount propagation tree in a certain case involving a slave mount, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls (bnc#979913). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2015-3288: A security flaw was found in the Linux kernel that there was a way to arbitrary change zero page memory. (bnc#979021). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948 974646). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2015-8830: Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allowed local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression (bnc#969354 bsc#969355). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent recursive callback access, which allowed local users to cause a denial of service (deadlock) via a crafted ioctl call (bnc#968013). - CVE-2016-2547: sound/core/timer.c in the Linux kernel employs a locking approach that did not consider slave timer instances, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#968011). - CVE-2016-2548: sound/core/timer.c in the Linux kernel retains certain linked lists after a close or stop action, which allowed local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions (bnc#968012). - CVE-2016-2546: sound/core/timer.c in the Linux kernel uses an incorrect type of mutex, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#967975). - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel did not properly maintain a certain linked list, which allowed local users to cause a denial of service (race condition and system crash) via a crafted ioctl call (bnc#967974). - CVE-2016-2544: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time (bnc#967973). - CVE-2016-2543: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO assignment before proceeding with FIFO clearing, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call (bnc#967972). - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the Linux kernel mishandles uid and gid mappings, which allowed local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states 'there is no kernel bug here (bnc#959709 960561 ). - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel did not properly identify error conditions, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets (bnc#966437). - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor (bnc#966693). - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765). - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572 986573). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362 986365 986377). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755 984764). - CVE-2015-6526: The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel on ppc64 platforms allowed local users to cause a denial of service (infinite loop) via a deep 64-bit userspace backtrace (bnc#942702). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). The following non-security bugs were fixed : - ALSA: hrtimer: Handle start/stop more properly (bsc#973378). - ALSA: pcm: Fix potential deadlock in OSS emulation (bsc#968018). - ALSA: rawmidi: Fix race at copying & updating the position (bsc#968018). - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018). - ALSA: seq: Fix double port list deletion (bsc#968018). - ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() (bsc#968018). - ALSA: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - ALSA: seq: Fix lockdep warnings due to double mutex locks (bsc#968018). - ALSA: seq: Fix race at closing in virmidi driver (bsc#968018). - ALSA: seq: Fix yet another races among ALSA timer accesses (bsc#968018). - ALSA: timer: Call notifier in the same spinlock (bsc#973378). - ALSA: timer: Code cleanup (bsc#968018). - ALSA: timer: Fix leftover link at closing (bsc#968018). - ALSA: timer: Fix link corruption due to double start or stop (bsc#968018). - ALSA: timer: Fix race between stop and interrupt (bsc#968018). - ALSA: timer: Fix wrong instance passed to slave callbacks (bsc#968018). - ALSA: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - ALSA: timer: Sync timer deletion at closing the system timer (bsc#973378). - ALSA: timer: Use mod_timer() for rearming the system timer (bsc#973378). - Bluetooth: vhci: Fix race at creating hci device (bsc#971799,bsc#966849). - Bluetooth: vhci: fix open_timeout vs. hdev race (bsc#971799,bsc#966849). - Bluetooth: vhci: purge unhandled skbs (bsc#971799,bsc#966849). - Btrfs: do not use src fd for printk (bsc#980348). - Refresh patches.drivers/ALSA-hrtimer-Handle-start-stop-more-prop erly. Fix the build error on 32bit architectures. - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469). - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position updates on /proc/xen/xenbus (bsc#970275). - Subject: [PATCH] USB: xhci: Add broken streams quirk for Frescologic device id 1009 (bnc#982706). - USB: usbip: fix potential out-of-bounds write (bnc#975945). - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570). - backends: guarantee one time reads of shared ring contents (bsc#957988). - btrfs: do not go readonly on existing qgroup items (bsc#957052). - btrfs: remove error message from search ioctl for nonexistent tree. - drm/i915: Fix missing backlight update during panel disablement (bsc#941113 boo#901754). - enic: set netdev->vlan_features (bsc#966245). - ext4: fix races between buffered IO and collapse / insert range (bsc#972174). - ext4: fix races between page faults and hole punching (bsc#972174). - ext4: fix races of writeback with punch hole and zero range (bsc#972174). - ext4: move unlocked dio protection from ext4_alloc_file_blocks() (bsc#972174). - ipv4/fib: do not warn when primary address is missing if in_dev is dead (bsc#971360). - ipvs: count pre-established TCP states as active (bsc#970114). - net: core: Correct an over-stringent device loop detection (bsc#945219). - netback: do not use last request to determine minimum Tx credit (bsc#957988). - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY. - pciback: Save the number of MSI-X entries to be copied later. - pciback: guarantee one time reads of shared ring contents (bsc#957988). - series.conf: move cxgb3 patch to network drivers section - usb: quirk to stop runtime PM for Intel 7260 (bnc#984464). - x86: standardize mmap_rnd() usage (bnc#974308).
    last seen 2019-02-21
    modified 2017-10-02
    plugin id 93104
    published 2016-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93104
    title openSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2633-1.NASL
    description This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004419). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986377). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94285
    published 2016-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94285
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2633-1) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3017-3.NASL
    description USN-3017-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS. Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91879
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91879
    title Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-3017-3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3020-1.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91883
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91883
    title Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3020-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3338-2.NASL
    description USN-3338-1 fixed vulnerabilities in the Linux kernel. However, the fix for CVE-2017-1000364 introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 101149
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101149
    title Ubuntu 12.04 LTS : linux regression (USN-3338-2) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2105-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2014-9904: The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel did not properly check for an integer overflow, which allowed local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811). - CVE-2015-7833: The usbvision driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998). - CVE-2015-8551: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8552: The PCI backend driver in Xen, when running on an x86 system and using Linux as the driver domain, allowed local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka 'Linux pciback missing sanity checks (bnc#957990). - CVE-2015-8845: The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms did not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allowed local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application (bnc#975533). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bnc#979867). - CVE-2016-1583: The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (bsc#983143). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bsc#978401). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bsc#979213). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bsc#986365). - CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel did not initialize a certain structure member, which allowed remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message (bnc#983213). - CVE-2016-5828: The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel on powerpc platforms mishandled transactional state, which allowed local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction an exec system call (bsc#986569). - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93299
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93299
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2105-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-532.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). The following non-security bugs were fixed : - acpi, nfit: fix acpi_nfit_flush_probe() crash (bsc#1031717). - acpi, nfit: fix extended status translations for ACPI DSMs (bsc#1031717). - arm64: hugetlb: fix the wrong address for several functions (bsc#1032681). - arm64: hugetlb: fix the wrong return value for huge_ptep_set_access_flags (bsc#1032681). - arm64: hugetlb: remove the wrong pmd check in find_num_contig() (bsc#1032681). - arm64: Use full path in KBUILD_IMAGE definition (bsc#1010032). - arm: Use full path in KBUILD_IMAGE definition (bsc#1010032). - blacklist.conf: 73667e31a153 x86/hyperv: Hide unused label - blacklist.conf: Add ed10858 ('scsi: smartpqi: fix time handling') to blacklist - blacklist.conf: blacklist 9770404a which was subsequently reverted - blacklist.conf: Blacklist f2fs fix - blacklist.conf: Blacklist unneeded commit, because of a partial backport. - blacklist.conf: Split SP2 and SP3 entries to ease merging - blacklist: Fix blacklisting of 0c313cb20732 - block: copy NOMERGE flag from bio to request (bsc#1030070). - bonding: fix 802.3ad aggregator reselection (bsc#1029514). - btrfs: add transaction space reservation tracepoints (bsc#1012452). - btrfs: allow unlink to exceed subvolume quota (bsc#1019614). - btrfs: avoid uninitialized variable warning (bsc#1012452). - btrfs: __btrfs_buffered_write: Reserve/release extents aligned to block size (bsc#1012452). - btrfs: btrfs_ioctl_clone: Truncate complete page after performing clone operation (bsc#1012452). - btrfs: btrfs_page_mkwrite: Reserve space in sectorsized units (bsc#1012452). - btrfs: btrfs_submit_direct_hook: Handle map_length < bio vector length (bsc#1012452). - btrfs: change how we update the global block rsv (bsc#1012452). - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1019614). - btrfs: check reserved when deciding to background flush (bsc#1012452). - btrfs: Clean pte corresponding to page straddling i_size (bsc#1012452). - btrfs: Compute and look up csums based on sectorsized blocks (bsc#1012452). - btrfs: csum_tree_block: return proper errno value (bsc#1012452). - btrfs: device add and remove: use GFP_KERNEL (bsc#1012452). - btrfs: Direct I/O read: Work on sectorsized blocks (bsc#1012452). - btrfs: do not write corrupted metadata blocks to disk (bsc#1012452). - btrfs: extent same: use GFP_KERNEL for page array allocations (bsc#1012452). - btrfs: fallback to vmalloc in btrfs_compare_tree (bsc#1012452). - btrfs: fallocate: use GFP_KERNEL (bsc#1012452). - btrfs: fallocate: Work with sectorsized blocks (bsc#1012452). - btrfs: Fix block size returned to user space (bsc#1012452). - btrfs: fix build warning (bsc#1012452). - btrfs: fix delalloc accounting after copy_from_user faults (bsc#1012452). - btrfs: fix extent_same allowing destination offset beyond i_size (bsc#1012452). - btrfs: fix handling of faults from btrfs_copy_from_user (bsc#1012452). - btrfs: fix invalid reference in replace_path (bsc#1012452). - btrfs: fix listxattrs not listing all xattrs packed in the same item (bsc#1012452). - btrfs: fix lockdep deadlock warning due to dev_replace (bsc#1012452). - btrfs: fix truncate_space_check (bsc#1012452). - btrfs: Improve FL_KEEP_SIZE handling in fallocate (bsc#1012452). - btrfs: let callers of btrfs_alloc_root pass gfp flags (bsc#1012452). - btrfs: Limit inline extents to root->sectorsize (bsc#1012452). - btrfs: make sure we stay inside the bvec during __btrfs_lookup_bio_sums (bsc#1012452). - btrfs: Output more info for enospc_debug mount option (bsc#1012452). - btrfs: Print Warning only if ENOSPC_DEBUG is enabled (bsc#1012452). - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1019614). - btrfs: reada: add all reachable mirrors into reada device list (bsc#1012452). - btrfs: reada: Add missed segment checking in reada_find_zone (bsc#1012452). - btrfs: reada: Avoid many times of empty loop (bsc#1012452). - btrfs: reada: avoid undone reada extents in btrfs_reada_wait (bsc#1012452). - btrfs: reada: bypass adding extent when all zone failed (bsc#1012452). - btrfs: reada: Fix a debug code typo (bsc#1012452). - btrfs: reada: Fix in-segment calculation for reada (bsc#1012452). - btrfs: reada: ignore creating reada_extent for a non-existent device (bsc#1012452). - btrfs: reada: Jump into cleanup in direct way for __readahead_hook() (bsc#1012452). - btrfs: reada: limit max works count (bsc#1012452). - btrfs: reada: Move is_need_to_readahead contition earlier (bsc#1012452). - btrfs: reada: move reada_extent_put to place after __readahead_hook() (bsc#1012452). - btrfs: reada: Pass reada_extent into __readahead_hook directly (bsc#1012452). - btrfs: reada: reduce additional fs_info->reada_lock in reada_find_zone (bsc#1012452). - btrfs: reada: Remove level argument in severial functions (bsc#1012452). - btrfs: reada: simplify dev->reada_in_flight processing (bsc#1012452). - btrfs: reada: Use fs_info instead of root in __readahead_hook's argument (bsc#1012452). - btrfs: reada: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: readdir: use GFP_KERNEL (bsc#1012452). - btrfs: remove redundant error check (bsc#1012452). - btrfs: Reset IO error counters before start of device replacing (bsc#1012452). - btrfs: scrub: use GFP_KERNEL on the submission path (bsc#1012452). - btrfs: Search for all ordered extents that could span across a page (bsc#1012452). - btrfs: send: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: switch to kcalloc in btrfs_cmp_data_prepare (bsc#1012452). - btrfs: Use (eb->start, seq) as search key for tree modification log (bsc#1012452). - btrfs: use proper type for failrec in extent_state (bsc#1012452). - ceph: fix recursively call between ceph_set_acl and __ceph_setattr (bsc#1034902). - cgroup/pids: remove spurious suspicious RCU usage warning (bnc#1031831). - cxgb4: Add control net_device for configuring PCIe VF (bsc#1021424). - cxgb4: Add llseek operation for flash debugfs entry (bsc#1021424). - cxgb4: add new routine to get adapter info (bsc#1021424). - cxgb4: Add PCI device ID for new adapter (bsc#1021424). - cxgb4: Add port description for new cards (bsc#1021424). - cxgb4: Add support to enable logging of firmware mailbox commands (bsc#1021424). - cxgb4: Check for firmware errors in the mailbox command loop (bsc#1021424). - cxgb4: correct device ID of T6 adapter (bsc#1021424). - cxgb4/cxgb4vf: Add set VF mac address support (bsc#1021424). - cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter (bsc#1021424). - cxgb4/cxgb4vf: Assign netdev->dev_port with port ID (bsc#1021424). - cxgb4/cxgb4vf: Display 25G and 100G link speed (bsc#1021424). - cxgb4/cxgb4vf: Remove deprecated module parameters (bsc#1021424). - cxgb4: DCB message handler needs to use correct portid to netdev mapping (bsc#1021424). - cxgb4: Decode link down reason code obtained from firmware (bsc#1021424). - cxgb4: Do not assume FW_PORT_CMD reply is always port info msg (bsc#1021424). - cxgb4: do not call napi_hash_del() (bsc#1021424). - cxgb4: Do not sleep when mbox cmd is issued from interrupt context (bsc#1021424). - cxgb4: Enable SR-IOV configuration via PCI sysfs interface (bsc#1021424). - cxgb4: Fix issue while re-registering VF mgmt netdev (bsc#1021424). - cxgb4: MU requested by Chelsio (bsc#1021424). - cxgb4: Properly decode port module type (bsc#1021424). - cxgb4: Refactor t4_port_init function (bsc#1021424). - cxgb4: Reset dcb state machine and tx queue prio only if dcb is enabled (bsc#1021424). - cxgb4: Support compressed error vector for T6 (bsc#1021424). - cxgb4: Synchronize access to mailbox (bsc#1021424). - cxgb4: update latest firmware version supported (bsc#1021424). - device-dax: fix private mapping restriction, permit read-only (bsc#1031717). - drivers: hv: util: do not forget to init host_ts.lock (bsc#1031206). - drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg() (fate#320485, bsc#1023287, bsc#1028217). - drm/i915: Fix crash after S3 resume with DP MST mode change (bsc#1029634). - drm/i915: Introduce Kabypoint PCH for Kabylake H/DT (bsc#1032581). - drm/i915: Only enable hotplug interrupts if the display interrupts are enabled (bsc#1031717). - ext4: fix use-after-iput when fscrypt contexts are inconsistent (bsc#1012829). - hid: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL (bsc#1022340). - hv: export current Hyper-V clocksource (bsc#1031206). - hv_utils: implement Hyper-V PTP source (bsc#1031206). - ibmvnic: Allocate number of rx/tx buffers agreed on by firmware (fate#322021, bsc#1031512). - ibmvnic: Call napi_disable instead of napi_enable in failure path (fate#322021, bsc#1031512). - ibmvnic: Correct ibmvnic handling of device open/close (fate#322021, bsc#1031512). - ibmvnic: Fix endian errors in error reporting output (fate#322021, bsc#1031512). - ibmvnic: Fix endian error when requesting device capabilities (fate#322021, bsc#1031512). - ibmvnic: Fix initial MTU settings (bsc#1031512). - ibmvnic: Fix overflowing firmware/hardware TX queue (fate#322021, bsc#1031512). - ibmvnic: Free tx/rx scrq pointer array when releasing sub-crqs (fate#322021, bsc#1031512). - ibmvnic: Handle processing of CRQ messages in a tasklet (fate#322021, bsc#1031512). - ibmvnic: Initialize completion variables before starting work (fate#322021, bsc#1031512). - ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs (fate#322021, bsc#1031512). - ibmvnic: Move ibmvnic adapter intialization to its own routine (fate#322021, bsc#1031512). - ibmvnic: Move login and queue negotiation into ibmvnic_open (fate#322021, bsc#1031512). - ibmvnic: Move login to its own routine (fate#322021, bsc#1031512). - ibmvnic: Use common counter for capabilities checks (fate#322021, bsc#1031512). - ibmvnic: use max_mtu instead of req_mtu for MTU range check (bsc#1031512). - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off (bsc#1031208). - iscsi-target: Return error if unable to add network portal (bsc#1032803). - kABI: restore ttm_ref_object_add parameters (kabi). - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662). - kvm: svm: add support for RDTSCP (bsc#1033117). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - libcxgb: add library module for Chelsio drivers (bsc#1021424). - libnvdimm, pfn: fix memmap reservation size versus 4K alignment (bsc#1031717). - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662). - md: handle read-only member devices better (bsc#1033281). - mem-hotplug: fix node spanned pages when we have a movable node (bnc#1034671). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - mm/memblock.c: fix memblock_next_valid_pfn() (bnc#1031200). - mm: page_alloc: skip over regions of invalid pfns where possible (bnc#1031200). - netfilter: allow logging from non-init namespaces (bsc#970083). - net: ibmvnic: Remove unused net_stats member from struct ibmvnic_adapter (fate#322021, bsc#1031512). - nfs: flush out dirty data on file fput() (bsc#1021762). - nvme: Delete created IO queues on reset (bsc#1031717). - overlayfs: compat, fix incorrect dentry use in ovl_rename2 (bsc#1032400). - overlayfs: compat, use correct dentry to detect compat mode in ovl_compat_is_whiteout (bsc#1032400). - ping: implement proper locking (bsc#1031003). - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141). - powerpc/fadump: Update fadump documentation (bsc#1032141). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' (bsc#1017461 bsc#1033885). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' This reverts commit f69c1d0f6254c73529a48fd2f87815d047ad7288. - Revert 'Revert 'btrfs: qgroup: Move half of the qgroup accounting time' This reverts commit 8567943ca56d937acfc417947cba917de653b09c. - sbp-target: Fix second argument of percpu_ida_alloc() (bsc#1032803). - scsi: cxgb4i: libcxgbi: cxgb4: add T6 iSCSI completion feature (bsc#1021424). - scsi_error: count medium access timeout only once per EH run (bsc#993832, bsc#1032345). - scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION (bsc#1034419). - scsi: ipr: Driver version 2.6.4 (bsc#1031555, fate#321595). - scsi: ipr: Error path locking fixes (bsc#1031555, fate#321595). - scsi: ipr: Fix abort path race condition (bsc#1031555, fate#321595). - scsi: ipr: Fix missed EH wakeup (bsc#1031555, fate#321595). - scsi: ipr: Fix SATA EH hang (bsc#1031555, fate#321595). - scsi: ipr: Remove redundant initialization (bsc#1031555, fate#321595). - scsi_transport_fc: do not call queue_work under lock (bsc#1013887). - scsi_transport_fc: fixup race condition in fc_rport_final_delete() (bsc#1013887). - scsi_transport_fc: return -EBUSY for deleted vport (bsc#1013887). - sysfs: be careful of error returns from ops->show() (bsc#1028883). - thp: fix MADV_DONTNEED vs. numa balancing race (bnc#1027974). - thp: reduce indentation level in change_huge_pmd() (bnc#1027974). - tpm: fix checks for policy digest existence in tpm2_seal_trusted() (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix RC value check in tpm2_seal_trusted (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix: set continueSession attribute for the unseal operation (bsc#1034048, Pending fixes 2017-04-10). - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065). - x86/CPU/AMD: Fix Zen SMT topology (bsc#1027512). - x86/ioapic: Change prototype of acpi_ioapic_add() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix IOAPIC failing to request resource (bsc#1027153, bsc#1027616). - x86/ioapic: fix kABI (hide added include) (bsc#1027153, bsc#1027616). - x86/ioapic: Fix lost IOAPIC resource after hot-removal and hotadd (bsc#1027153, bsc#1027616). - x86/ioapic: Fix setup_res() failing to get resource (bsc#1027153, bsc#1027616). - x86/ioapic: Ignore root bridges without a companion ACPI device (bsc#1027153, bsc#1027616). - x86/ioapic: Simplify ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Support hot-removal of IOAPICs present during boot (bsc#1027153, bsc#1027616). - x86/mce: Fix copy/paste error in exception table entries (fate#319858). - x86/platform/uv: Fix calculation of Global Physical Address (bsc#1031147). - x86/ras/therm_throt: Do not log a fake MCE for thermal events (bsc#1028027). - xen: Use machine addresses in /sys/kernel/vmcoreinfo when PV (bsc#1014136) - xgene_enet: remove bogus forward declarations (bsc#1032673).
    last seen 2019-02-21
    modified 2018-05-18
    plugin id 99927
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99927
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-532)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3016-1.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91873
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91873
    title Ubuntu 16.04 LTS : linux vulnerabilities (USN-3016-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-1847.NASL
    description From Red Hat Security Advisory 2016:1847 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Bug Fix(es) : * In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947) * Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040) * Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302) * Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972) Enhancement(s) : * With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774) * With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352) * The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161) Additional Changes : Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 93501
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93501
    title Oracle Linux 7 : kernel (ELSA-2016-1847)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3016-2.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91874
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91874
    title Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3016-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1710-1.NASL
    description The SUSE Linux Enterprise 12 GA kernel was updated to receive one critical security fix. Security issue fixed : - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93172
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93172
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1710-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3016-4.NASL
    description USN-3016-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91876
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91876
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3016-4)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-1C409313F4.NASL
    description Rebase to latest upstream 4.6 release, 4.6.3. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92232
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92232
    title Fedora 24 : kernel (2016-1c409313f4)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1875.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. The kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1366538) Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93556
    published 2016-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93556
    title RHEL 7 : kernel-rt (RHSA-2016:1875)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2636-1.NASL
    description This update for the Linux Kernel 3.12.51-52_31 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004419). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986377). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94286
    published 2016-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94286
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2636-1) (Dirty COW)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-63EE0999E4.NASL
    description The 4.4.14 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 92442
    published 2016-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92442
    title Fedora 22 : kernel (2016-63ee0999e4)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2659-1.NASL
    description This update for the Linux Kernel 3.12.55-52_45 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004419). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986377). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94326
    published 2016-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94326
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2659-1) (Dirty COW)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160915_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) - A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) - An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Bug Fix(es) : - In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. - Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. - Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. - Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. Enhancement(s) : - With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. - With this update, the Nonvolatile Memory Express (NVMe) and the multi- queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. - The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 93557
    published 2016-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93557
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2655-1.NASL
    description This update for the Linux Kernel 3.12.55-52_42 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004419). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986377). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94323
    published 2016-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94323
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2655-1) (Dirty COW)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3016-3.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91875
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91875
    title Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3016-3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3017-1.NASL
    description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2016-4997) Kangjie Lu discovered an information leak in the core USB implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4482) Kangjie Lu discovered an information leak in the timer handling implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578) Kangjie Lu discovered an information leak in the X.25 Call Request handling in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4580) It was discovered that an information leak exists in the Rock Ridge implementation in the Linux kernel. A local attacker who is able to mount a malicious iso9660 file system image could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2016-4913) Baozeng Ding discovered that the Transparent Inter-process Communication (TIPC) implementation in the Linux kernel did not verify socket existence before use in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4951) Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-4998). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91877
    published 2016-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91877
    title Ubuntu 15.10 : linux vulnerabilities (USN-3017-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1883.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2.5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. The kernel-rt packages have been upgraded to version 3.10.0-327.rt56.197, which provides a number of bug fixes over the previous version. (BZ#1366059) Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93504
    published 2016-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93504
    title RHEL 6 : MRG (RHSA-2016:1883)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99163
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99163
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2632-1.NASL
    description This update for the Linux Kernel 3.12.51-52_34 fixes several issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bsc#986362). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 94284
    published 2016-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94284
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2632-1) (Dirty COW)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1709-1.NASL
    description The SUSE Linux Enterprise 12 kernel was updated to receive critical security and bugfixes. Security issue fixed : - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93171
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93171
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1709-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-3619.NASL
    description Description of changes: kernel-uek [4.1.12-61.1.10.el7uek] - netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998} - netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998} [4.1.12-61.1.9.el7uek] - xen-blkback: don't get ref for each queue (Bob Liu) [Orabug: 24616917] - NVMe: Fix obtaining command result (Keith Busch) [Orabug: 24655742] [4.1.12-61.1.8.el7uek] - Revert 'ixgbe: make a workaround to tx hang issue under dom' (Brian Maly) [Orabug: 24618738] [4.1.12-61.1.7.el7uek] - x86/xen: Add x86_platform.is_untracked_pat_range quirk to ignore ISA regions. (Konrad Rzeszutek Wilk) [Orabug: 24566046]
    last seen 2019-02-21
    modified 2018-04-30
    plugin id 93678
    published 2016-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93678
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3619)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1847.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important) * A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important) * An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate) Bug Fix(es) : * In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947) * Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040) * Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302) * Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972) Enhancement(s) : * With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774) * With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352) * The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161) Additional Changes : Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93555
    published 2016-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93555
    title RHEL 7 : kernel (RHSA-2016:1847)
packetstorm via4
redhat via4
advisories
  • rhsa
    id RHSA-2016:1847
  • rhsa
    id RHSA-2016:1875
  • rhsa
    id RHSA-2016:1883
rpms
  • kernel-0:3.10.0-327.36.1.el7
  • kernel-abi-whitelists-0:3.10.0-327.36.1.el7
  • kernel-bootwrapper-0:3.10.0-327.36.1.el7
  • kernel-debug-0:3.10.0-327.36.1.el7
  • kernel-debug-devel-0:3.10.0-327.36.1.el7
  • kernel-devel-0:3.10.0-327.36.1.el7
  • kernel-doc-0:3.10.0-327.36.1.el7
  • kernel-headers-0:3.10.0-327.36.1.el7
  • kernel-kdump-0:3.10.0-327.36.1.el7
  • kernel-kdump-devel-0:3.10.0-327.36.1.el7
  • kernel-tools-0:3.10.0-327.36.1.el7
  • kernel-tools-libs-0:3.10.0-327.36.1.el7
  • kernel-tools-libs-devel-0:3.10.0-327.36.1.el7
  • perf-0:3.10.0-327.36.1.el7
  • python-perf-0:3.10.0-327.36.1.el7
  • kernel-rt-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-kvm-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-doc-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-kvm-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-kvm-0:3.10.0-327.36.1.rt56.237.el7
refmap via4
bid 91451
confirm
debian DSA-3607
exploit-db
  • 40435
  • 40489
misc https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
mlist
  • [oss-security] 20160624 Linux CVE-2016-4997 (local privilege escalation) and CVE-2016-4998 (out of bounds memory access)
  • [oss-security] 20160929 CVE request - Linux kernel through 4.6.2 allows escalade privileges via IP6T_SO_SET_REPLACE compat setsockopt call
sectrack 1036171
suse
  • SUSE-SU-2016:1709
  • SUSE-SU-2016:1710
  • SUSE-SU-2016:1937
  • SUSE-SU-2016:1985
  • SUSE-SU-2016:2018
  • SUSE-SU-2016:2105
  • SUSE-SU-2016:2174
  • SUSE-SU-2016:2177
  • SUSE-SU-2016:2178
  • SUSE-SU-2016:2179
  • SUSE-SU-2016:2180
  • SUSE-SU-2016:2181
  • openSUSE-SU-2016:2184
ubuntu
  • USN-3016-1
  • USN-3016-2
  • USN-3016-3
  • USN-3016-4
  • USN-3017-1
  • USN-3017-2
  • USN-3017-3
  • USN-3018-1
  • USN-3018-2
  • USN-3019-1
  • USN-3020-1
Last major update 02-12-2016 - 22:27
Published 03-07-2016 - 17:59
Last modified 04-01-2018 - 21:30
Back to Top