ID CVE-2017-7308
Summary The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
References
Vulnerable Configurations
  • Linux Kernel 4.10.6
    cpe:2.3:o:linux:linux_kernel:4.10.6
CVSS
Base: 7.2 (as of 31-03-2017 - 09:36)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation. CVE-2017-7308. Local exploit for Linux platform. Tags: Local
file exploits/linux/local/41994.c
id EDB-ID:41994
last seen 2017-05-11
modified 2017-05-11
platform linux
port
published 2017-05-11
reporter Exploit-DB
source https://www.exploit-db.com/download/41994/
title Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation
type local
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-922.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2016-2188 Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2016-9604 It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown. CVE-2016-10200 Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-2647 / CVE-2017-6951 idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash). CVE-2017-2671 Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default. CVE-2017-5967 Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces. CVE-2017-5970 Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled. CVE-2017-7184 Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation. CVE-2017-7261 Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash). CVE-2017-7273 Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash). CVE-2017-7294 Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation. CVE-2017-7308 Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation. CVE-2017-7472 Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion). CVE-2017-7616 Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS. CVE-2017-7618 Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash). For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs. For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-14
    plugin id 99733
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99733
    title Debian DLA-922-1 : linux security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1247-1.NASL
    description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enabled scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacted with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215). - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bnc#1015703). - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bnc#1023762). - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938). - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). The following non-security bugs were fixed : - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - hwrng: virtio - ensure reads happen after successful probe (bsc#954763 bsc#1032344). - kgr/module: make a taint flag module-specific (fate#313296). - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - module: move add_taint_module() to a header file (fate#313296). - netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149). - nfs: flush out dirty data on file fput() (bsc#1021762). - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895). - powerpc: Reject binutils 2.24 when building little endian (boo#1028895). - revert 'procfs: mark thread stack correctly in proc//maps' (bnc#1030901). - taint/module: Clean up global and module taint flags handling (fate#313296). - usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256). - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056). - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-05
    plugin id 100150
    published 2017-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100150
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0126.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0126 for details.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102064
    published 2017-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102064
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0126) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1278-1.NASL
    description This update for the Linux Kernel 3.12.60-52_60 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100206
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100206
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1278-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1299-1.NASL
    description This update for the Linux Kernel 3.12.55-52_45 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). - bsc#1030467: Updated Dirty COW fix. The former patch caused some apps to freeze in rare circumstances Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100212
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100212
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1299-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1360-1.NASL
    description The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features : - Improved support for Hyper-V - Support for the tcp_westwood TCP scheduling algorithm The following security bugs were fixed : - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bsc#1035877). - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type. (bsc#1029850). - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c. (bsc#1030593) - CVE-2016-9604: This fixes handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings (bsc#1035576) - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (bnc#1033336). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanaged the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bsc#1015703). - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377). - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bsc#1023762). - CVE-2017-5986: A race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178). - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992). - CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacts with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215). - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190) - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697) - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bsc#914939). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bsc#1003077). The following non-security bugs were fixed : - ACPI / APEI: Fix NMI notification handling (bsc#917630). - arch: Mass conversion of smp_mb__*() (bsc#1020795). - asm-generic: add __smp_xxx wrappers (bsc#1020795). - block: remove struct request buffer member (bsc#1020795). - block: submit_bio_wait() conversions (bsc#1020795). - bonding: Advertize vxlan offload features when supported (bsc#1009682). - bonding: handle more gso types (bsc#1009682). - bonding: use the correct ether type for alb (bsc#1028595). - btrfs: allow unlink to exceed subvolume quota (bsc#1015821). - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1015821). - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls (bsc#1018100). - btrfs: make file clone aware of fatal signals (bsc#1015787). - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1015821). - cancel the setfilesize transation when io error happen (bsc#1028648). - cgroup: remove stray references to css_id (bsc#1020795). - cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state (bnc#1023164). - dm: add era target (bsc#1020795). - dm: allow remove to be deferred (bsc#1020795). - dm bitset: only flush the current word if it has been dirtied (bsc#1020795). - dm btree: add dm_btree_find_lowest_key (bsc#1020795). - dm cache: actually resize cache (bsc#1020795). - dm cache: add block sizes and total cache blocks to status output (bsc#1020795). - dm cache: add cache block invalidation support (bsc#1020795). - dm cache: add passthrough mode (bsc#1020795). - dm cache: add policy name to status output (bsc#1020795). - dm cache: add remove_cblock method to policy interface (bsc#1020795). - dm cache: be much more aggressive about promoting writes to discarded blocks (bsc#1020795). - dm cache: cache shrinking support (bsc#1020795). - dm cache: do not add migration to completed list before unhooking bio (bsc#1020795). - dm cache: fix a lock-inversion (bsc#1020795). - dm cache: fix truncation bug when mapping I/O to more than 2TB fast device (bsc#1020795). - dm cache: fix writethrough mode quiescing in cache_map (bsc#1020795). - dm cache: improve efficiency of quiescing flag management (bsc#1020795). - dm cache: io destined for the cache device can now serve as tick bios (bsc#1020795). - dm cache: log error message if dm_kcopyd_copy() fails (bsc#1020795). - dm cache metadata: check the metadata version when reading the superblock (bsc#1020795). - dm cache metadata: return bool from __superblock_all_zeroes (bsc#1020795). - dm cache: move hook_info into common portion of per_bio_data structure (bsc#1020795). - dm cache: optimize commit_if_needed (bsc#1020795). - dm cache policy mq: a few small fixes (bsc#1020795). - dm cache policy mq: fix promotions to occur as expected (bsc#1020795). - dm cache policy mq: implement writeback_work() and mq_{set,clear}_dirty() (bsc#1020795). - dm cache policy mq: introduce three promotion threshold tunables (bsc#1020795). - dm cache policy mq: protect residency method with existing mutex (bsc#1020795). - dm cache policy mq: reduce memory requirements (bsc#1020795). - dm cache policy mq: use list_del_init instead of list_del + INIT_LIST_HEAD (bsc#1020795). - dm cache policy: remove return from void policy_remove_mapping (bsc#1020795). - dm cache: promotion optimisation for writes (bsc#1020795). - dm cache: resolve small nits and improve Documentation (bsc#1020795). - dm cache: return -EINVAL if the user specifies unknown cache policy (bsc#1020795). - dm cache: use cell_defer() boolean argument consistently (bsc#1020795). - dm: change sector_count member in clone_info from sector_t to unsigned (bsc#1020795). - dm crypt: add TCW IV mode for old CBC TCRYPT containers (bsc#1020795). - dm crypt: properly handle extra key string in initialization (bsc#1020795). - dm delay: use per-bio data instead of a mempool and slab cache (bsc#1020795). - dm: fix Kconfig indentation (bsc#1020795). - dm: fix Kconfig menu indentation (bsc#1020795). - dm: make dm_table_alloc_md_mempools static (bsc#1020795). - dm mpath: do not call pg_init when it is already running (bsc#1020795). - dm mpath: fix lock order inconsistency in multipath_ioctl (bsc#1020795). - dm mpath: print more useful warnings in multipath_message() (bsc#1020795). - dm mpath: push back requests instead of queueing (bsc#1020795). - dm mpath: really fix lockdep warning (bsc#1020795). - dm mpath: reduce memory pressure when requeuing (bsc#1020795). - dm mpath: remove extra nesting in map function (bsc#1020795). - dm mpath: remove map_io() (bsc#1020795). - dm mpath: remove process_queued_ios() (bsc#1020795). - dm mpath: requeue I/O during pg_init (bsc#1020795). - dm persistent data: cleanup dm-thin specific references in text (bsc#1020795). - dm snapshot: call destroy_work_on_stack() to pair with INIT_WORK_ONSTACK() (bsc#1020795). - dm snapshot: fix metadata corruption (bsc#1020795). - dm snapshot: prepare for switch to using dm-bufio (bsc#1020795). - dm snapshot: use dm-bufio (bsc#1020795). - dm snapshot: use dm-bufio prefetch (bsc#1020795). - dm snapshot: use GFP_KERNEL when initializing exceptions (bsc#1020795). - dm space map disk: optimise sm_disk_dec_block (bsc#1020795). - dm space map metadata: limit errors in sm_metadata_new_block (bsc#1020795). - dm: stop using bi_private (bsc#1020795). - dm table: add dm_table_run_md_queue_async (bsc#1020795). - dm table: print error on preresume failure (bsc#1020795). - dm table: remove unused buggy code that extends the targets array (bsc#1020795). - dm thin: add error_if_no_space feature (bsc#1020795). - dm thin: add mappings to end of prepared_* lists (bsc#1020795). - dm thin: add 'no_space_timeout' dm-thin-pool module param (bsc#1020795). - dm thin: add timeout to stop out-of-data-space mode holding IO forever (bsc#1020795). - dm thin: allow metadata commit if pool is in PM_OUT_OF_DATA_SPACE mode (bsc#1020795). - dm thin: allow metadata space larger than supported to go unused (bsc#1020795). - dm thin: cleanup and improve no space handling (bsc#1020795). - dm thin: eliminate the no_free_space flag (bsc#1020795). - dm thin: ensure user takes action to validate data and metadata consistency (bsc#1020795). - dm thin: factor out check_low_water_mark and use bools (bsc#1020795). - dm thin: fix deadlock in __requeue_bio_list (bsc#1020795). - dm thin: fix noflush suspend IO queueing (bsc#1020795). - dm thin: fix out of data space handling (bsc#1020795). - dm thin: fix pool feature parsing (bsc#1020795). - dm thin: fix rcu_read_lock being held in code that can sleep (bsc#1020795). - dm thin: handle metadata failures more consistently (bsc#1020795). - dm thin: irqsave must always be used with the pool->lock spinlock (bsc#1020795). - dm thin: log info when growing the data or metadata device (bsc#1020795). - dm thin: requeue bios to DM core if no_free_space and in read-only mode (bsc#1020795). - dm thin: return error from alloc_data_block if pool is not in write mode (bsc#1020795). - dm thin: simplify pool_is_congested (bsc#1020795). - dm thin: sort the per thin deferred bios using an rb_tree (bsc#1020795). - dm thin: synchronize the pool mode during suspend (bsc#1020795). - dm thin: use bool rather than unsigned for flags in structures (bsc#1020795). - dm thin: use INIT_WORK_ONSTACK in noflush_work to avoid ODEBUG warning (bsc#1020795). - dm thin: use per thin device deferred bio lists (bsc#1020795). - dm: use RCU_INIT_POINTER instead of rcu_assign_pointer in __unbind (bsc#1020795). - drm/i915: relax uncritical udelay_range() (bsc#1038261). - ether: add loopback type ETH_P_LOOPBACK (bsc#1028595). - ext4: fix bh leak on error paths in ext4_rename() and ext4_cross_rename() (bsc#1012985). - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - ext4: mark inode dirty after converting inline directory (bsc#1012985). - ftrace: Make ftrace_location_range() global (FATE#322421). - HID: usbhid: improve handling of Clear-Halt and reset (bsc#1031080). - hv: util: catch allocation errors - hv: utils: use memdup_user in hvt_op_write - hwrng: virtio - ensure reads happen after successful probe (bsc#954763 bsc#1032344). - i40e: avoid NULL pointer dereference (bsc#922853). - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx (bsc#985561). - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet (bsc#985561). - i40e/i40evf: Rewrite logic for 8 descriptor per packet check (bsc#985561). - i40e: Impose a lower limit on gso size (bsc#985561). - i40e: Limit TX descriptor count in cases where frag size is greater than 16K (bsc#985561). - iommu/vt-d: Flush old iommu caches for kdump when the device gets context mapped (bsc#1023824). - iommu/vt-d: Tylersburg isoch identity map check is done too late (bsc#1032125). - ipv6: make ECMP route replacement less greedy (bsc#930399). - kabi: hide changes in struct sk_buff (bsc#1009682). - KABI: Hide new include in arch/powerpc/kernel/process.c (fate#322421). - kABI: mask struct xfs_icdinode change (bsc#1024788). - kABI: protect struct inet6_dev (kabi). - kABI: protect struct iscsi_conn (bsc#103470). - kABI: protect struct xfs_buftarg and struct xfs_mount (bsc#1024508). - kABI: restore can_rx_register parameters (kabi). - kernel/watchdog: use nmi registers snapshot in hardlockup handler (bsc#940946, bsc#937444). - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662). - kgr/module: make a taint flag module-specific - kgr: remove unneeded kgr_needs_lazy_migration() s390x definition - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - livepatch: Allow architectures to specify an alternate ftrace location (FATE#322421). - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662). - md: avoid oops on unload if some process is in poll or select (bsc#1020795). - md: Convert use of typedef ctl_table to struct ctl_table (bsc#1020795). - md: ensure metadata is writen after raid level change (bsc#1020795). - md linear: fix a race between linear_add() and linear_congested() (bsc#1018446). - md: md_clear_badblocks should return an error code on failure (bsc#1020795). - md: refuse to change shape of array if it is active but read-only (bsc#1020795). - megaraid_sas: add missing curly braces in ioctl handler (bsc#1023207). - megaraid_sas: Fixup tgtid count in megasas_ld_list_query() (bsc#971933). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - mm, memcg: do not retry precharge charges (bnc#1022559). - mm/mempolicy.c: do not put mempolicy before using its nodemask (References: VM Performance, bnc#931620). - mm/page_alloc: fix nodes for reclaim in fast path (bnc#1031842). - module: move add_taint_module() to a header file - net: Add skb_gro_postpull_rcsum to udp and vxlan (bsc#1009682). - net: add skb_pop_rcv_encapsulation (bsc#1009682). - net: Call skb_checksum_init in IPv4 (bsc#1009682). - net: Call skb_checksum_init in IPv6 (bsc#1009682). - netfilter: allow logging fron non-init netns (bsc#970083). - net: Generalize checksum_init functions (bsc#1009682). - net: Preserve CHECKSUM_COMPLETE at validation (bsc#1009682). - NFS: do not try to cross a mountpount when there isn't one there (bsc#1028041). - NFS: Expedite unmount of NFS auto-mounts (bnc#1025802). - NFS: Fix a performance regression in readdir (bsc#857926). - NFS: flush out dirty data on file fput() (bsc#1021762). - ocfs2: do not write error flag to user structure we cannot copy from/to (bsc#1012985). - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895). - powerpc: Create a helper for getting the kernel toc value (FATE#322421). - powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971). - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141). - powerpc/fadump: Update fadump documentation (bsc#1032141). - powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel (FATE#322421). - powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI (FATE#322421). - powerpc/ftrace: Use $(CC_FLAGS_FTRACE) when disabling ftrace (FATE#322421). - powerpc/ftrace: Use generic ftrace_modify_all_code() (FATE#322421). - powerpc: introduce TIF_KGR_IN_PROGRESS thread flag (FATE#322421). - powerpc/kgraft: Add kgraft header (FATE#322421). - powerpc/kgraft: Add kgraft stack to struct thread_info (FATE#322421). - powerpc/kgraft: Add live patching support on ppc64le (FATE#322421). - powerpc/module: Create a special stub for ftrace_caller() (FATE#322421). - powerpc/module: Mark module stubs with a magic value (FATE#322421). - powerpc/module: Only try to generate the ftrace_caller() stub once (FATE#322421). - powerpc/modules: Never restore r2 for a mprofile-kernel style mcount() call (FATE#322421). - powerpc/prom: Increase minimum RMA size to 512MB (bsc#984530). - powerpc/pseries/cpuidle: Remove MAX_IDLE_STATE macro (bnc#1023164). - powerpc/pseries/cpuidle: Use cpuidle_register() for initialisation (bnc#1023164). - powerpc: Reject binutils 2.24 when building little endian (boo#1028895). - RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#982783,bsc#1020048). - raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang - remove mpath patches from dmcache backport, for bsc#1035738 - revert 'procfs: mark thread stack correctly in proc/PID/maps' (bnc#1030901). - Revert 'RDMA/core: Fix incorrect structure packing for booleans' (kabi). - rtnetlink: allow to register ops without ops->setup set (bsc#1021374). - s390/zcrypt: Introduce CEX6 toleration (FATE#321783, LTC#147506, bsc#1019514). - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting (bsc#1018419). - scsi_error: count medium access timeout only once per EH run (bsc#993832, bsc#1032345). - scsi: libiscsi: add lock around task lists to fix list corruption regression (bsc#1034700). - scsi: storvsc: fix SRB_STATUS_ABORTED handling - sfc: reduce severity of PIO buffer alloc failures (bsc#1019168). - svcrpc: fix gss-proxy NULL dereference in some error cases (bsc#1024309). - taint/module: Clean up global and module taint flags handling - tcp: abort orphan sockets stalling on zero window probes (bsc#1021913). - thp: fix MADV_DONTNEED vs. numa balancing race (bnc#1027974). - thp: reduce indentation level in change_huge_pmd() (bnc#1027974). - treewide: fix 'distingush' typo (bsc#1020795). - tree-wide: use reinit_completion instead of INIT_COMPLETION (bsc#1020795). - usb: dwc3: gadget: Fix incorrect DEPCMD and DGCMD status macros (bsc#1035699). - usb: host: xhci: print correct command ring address (bnc#1035699). - USB: serial: kl5kusb105: fix line-state error handling (bsc#1021256). - vfs: Do not exchange 'short' filenames unconditionally (bsc#1012985). - vfs: split generic splice code from i_mutex locking (bsc#1024788). - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065). - VSOCK: Detach QP check should filter out non matching QPs (bsc#1036752). - vxlan: cancel sock_work in vxlan_dellink() (bsc#1031567). - vxlan: Checksum fixes (bsc#1009682). - vxlan: GRO support at tunnel layer (bsc#1009682). - xen-blkfront: correct maximum segment accounting (bsc#1018263). - xen-blkfront: do not call talk_to_blkback when already connected to blkback. - xen-blkfront: free resources if xlvbd_alloc_gendisk fails. - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056). - xfs: do not allow di_size with high bit set (bsc#1024234). - xfs: do not assert fail on non-async buffers on ioacct decrement (bsc#1024508). - xfs: exclude never-released buffers from buftarg I/O accounting (bsc#1024508). - xfs: fix broken multi-fsb buffer logging (bsc#1024081). - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056). - xfs: Fix lock ordering in splice write (bsc#1024788). - xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888). - xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788). - xfs: pass total block res. as total xfs_bmapi_write() parameter (bsc#1029470). - xfs: replace global xfslogd wq with per-mount wq (bsc#1024508). - xfs: track and serialize in-flight async buffers against unmount (bsc#1024508). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-05
    plugin id 100320
    published 2017-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100320
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-8E7549FB91.NASL
    description The 4.10.10 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 99424
    published 2017-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99424
    title Fedora 24 : kernel (2017-8e7549fb91)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1287-1.NASL
    description This update for the Linux Kernel 3.12.60-52_63 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100210
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100210
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1287-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1301-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Notable new features : - Toleration of newer crypto hardware for z Systems - USB 2.0 Link power management for Haswell-ULT The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573). - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous pages, which allowed local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero (bsc#979021). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application (bnc#1027066) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AF_ALG socket an accept system call is processed, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c (bsc#1008374). The following non-security bugs were fixed : - NFSD: do not risk using duplicate owner/file/delegation ids (bsc#1029212). - RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#982783, bsc#1026260). - SUNRPC: Clean up the slot table allocation (bsc#1013862). - SUNRPC: Initalise the struct xprt upon allocation (bsc#1013862). - USB: cdc-acm: fix broken runtime suspend (bsc#1033771). - USB: cdc-acm: fix open and suspend race (bsc#1033771). - USB: cdc-acm: fix potential urb leak and PM imbalance in write (bsc#1033771). - USB: cdc-acm: fix runtime PM for control messages (bsc#1033771). - USB: cdc-acm: fix runtime PM imbalance at shutdown (bsc#1033771). - USB: cdc-acm: fix shutdown and suspend race (bsc#1033771). - USB: cdc-acm: fix write and resume race (bsc#1033771). - USB: cdc-acm: fix write and suspend race (bsc#1033771). - USB: hub: Fix crash after failure to read BOS descriptor - USB: serial: iuu_phoenix: fix NULL-deref at open (bsc#1033794). - USB: serial: kl5kusb105: fix line-state error handling (bsc#1021256). - USB: serial: mos7720: fix NULL-deref at open (bsc#1033816). - USB: serial: mos7720: fix parallel probe (bsc#1033816). - USB: serial: mos7720: fix parport use-after-free on probe errors (bsc#1033816). - USB: serial: mos7720: fix use-after-free on probe errors (bsc#1033816). - USB: serial: mos7840: fix NULL-deref at open (bsc#1034026). - USB: xhci-mem: use passed in GFP flags instead of GFP_KERNEL (bsc#1023014). - Update metadata for serial fixes (bsc#1013070) - Use PF_LESS_THROTTLE in loop device thread (bsc#1027101). - clocksource: Remove 'weak' from clocksource_default_clock() declaration (bnc#1013018). - dlm: backport 'fix lvb invalidation conditions' (bsc#1005651). - drm/mgag200: Add support for G200e rev 4 (bnc#995542, comment #81) - enic: set skb->hash type properly (bsc#911105). - ext4: fix mballoc breakage with 64k block size (bsc#1013018). - ext4: fix stack memory corruption with 64k block size (bsc#1013018). - ext4: reject inodes with negative size (bsc#1013018). - fuse: initialize fc->release before calling it (bsc#1013018). - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx (bsc#985561). - i40e/i40evf: Fix mixed size frags and linearization (bsc#985561). - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet (bsc#985561). - i40e/i40evf: Rewrite logic for 8 descriptor per packet check (bsc#985561). - i40e: Fix TSO with more than 8 frags per segment issue (bsc#985561). - i40e: Impose a lower limit on gso size (bsc#985561). - i40e: Limit TX descriptor count in cases where frag size is greater than 16K (bsc#985561). - i40e: avoid NULL pointer dereference (bsc#909486). - jbd: Fix oops in journal_remove_journal_head() (bsc#1017143). - jbd: do not wait (forever) for stale tid caused by wraparound (bsc#1020229). - kABI: mask struct xfs_icdinode change (bsc#1024788). - kabi: Protect xfs_mount and xfs_buftarg (bsc#1024508). - kabi: fix (bsc#1008893). - lockd: use init_utsname for id encoding (bsc#1033804). - lockd: use rpc client's cl_nodename for id encoding (bsc#1033804). - md linear: fix a race between linear_add() and linear_congested() (bsc#1018446). - md/linear: shutup lockdep warnning (bsc#1018446). - mm/mempolicy.c: do not put mempolicy before using its nodemask (bnc#931620). - ocfs2: do not write error flag to user structure we cannot copy from/to (bsc#1013018). - ocfs2: fix crash caused by stale lvb with fsdlm plugin (bsc#1013800). - ocfs2: fix error return code in ocfs2_info_handle_freefrag() (bsc#1013018). - ocfs2: null deref on allocation error (bsc#1013018). - pciback: only check PF if actually dealing with a VF (bsc#999245). - pciback: use pci_physfn() (bsc#999245). - posix-timers: Fix stack info leak in timer_create() (bnc#1013018). - powerpc,cpuidle: Dont toggle CPUIDLE_FLAG_IGNORE while setting smt_snooze_delay (bsc#1023163). - powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971). - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141). - powerpc/fadump: Update fadump documentation (bsc#1032141). - powerpc/nvram: Fix an incorrect partition merge (bsc#1016489). - powerpc/vdso64: Use double word compare on pointers (bsc#1016489). - rcu: Call out dangers of expedited RCU primitives (bsc#1008893). - rcu: Direct algorithmic SRCU implementation (bsc#1008893). - rcu: Flip ->completed only once per SRCU grace period (bsc#1008893). - rcu: Implement a variant of Peter's SRCU algorithm (bsc#1008893). - rcu: Increment upper bit only for srcu_read_lock() (bsc#1008893). - rcu: Remove fast check path from __synchronize_srcu() (bsc#1008893). - s390/kmsg: add missing kmsg descriptions (bnc#1025702). - s390/vmlogrdr: fix IUCV buffer allocation (bnc#1025702). - s390/zcrypt: Introduce CEX6 toleration - sched/core: Fix TASK_DEAD race in finish_task_switch() (bnc#1013018). - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems (bnc#1013018). - scsi: zfcp: do not trace pure benign residual HBA responses at default level (bnc#1025702). - scsi: zfcp: fix rport unblock race with LUN recovery (bnc#1025702). - scsi: zfcp: fix use-after-'free' in FC ingress path after TMF (bnc#1025702). - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send (bnc#1025702). - sfc: reduce severity of PIO buffer alloc failures (bsc#1019168). - tcp: abort orphan sockets stalling on zero window probes (bsc#1021913). - vfs: split generic splice code from i_mutex locking (bsc#1024788). - virtio_scsi: fix memory leak on full queue condition (bsc#1028880). - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065, bsc#1029770). - xen-blkfront: correct maximum segment accounting (bsc#1018263). - xen-blkfront: do not call talk_to_blkback when already connected to blkback. - xen-blkfront: free resources if xlvbd_alloc_gendisk fails. - xfs: Fix lock ordering in splice write (bsc#1024788). - xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788). - xfs: do not assert fail on non-async buffers on ioacct decrement (bsc#1024508). - xfs: exclude never-released buffers from buftarg I/O accounting (bsc#1024508). - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056). - xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888). - xfs: kill xfs_itruncate_start (bsc#1024788). - xfs: remove the i_new_size field in struct xfs_inode (bsc#1024788). - xfs: remove the i_size field in struct xfs_inode (bsc#1024788). - xfs: remove xfs_itruncate_data (bsc#1024788). - xfs: replace global xfslogd wq with per-mount wq (bsc#1024508). - xfs: split xfs_itruncate_finish (bsc#1024788). - xfs: split xfs_setattr (bsc#1024788). - xfs: track and serialize in-flight async buffers against unmount (bsc#1024508). - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 100214
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100214
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1300-1.NASL
    description This update for the Linux Kernel 3.12.60-52_54 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). - bsc#1030467: Updated Dirty COW fix. The former patch caused some apps to freeze in rare circumstances Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100213
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100213
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1300-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-562.NASL
    description The openSUSE Leap 42.1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2016-10318: A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel allowed a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service (bnc#1032435). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). The following non-security bugs were fixed : - ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1033518). - doc/README.SUSE: update links to KMP manual - ext4: do not perform data journaling when data is encrypted (bsc#1012876). - ext4: fix use-after-iput when fscrypt contexts are inconsistent (bsc#1012829). - ext4: mark inode dirty after converting inline directory (bsc#1012876). - ext4: reject inodes with negative size (bsc#1012876). - fs, seqfile: always allow oom killer (bsc#1012876). - ipv6: make ECMP route replacement less greedy (bsc#930399). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - mm: filemap: do not plant shadow entries without radix tree node (bsc#1012876). - netfilter: allow logging from non-init namespaces (bsc#970083). - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670 CVE#2017-7645). - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670 CVE#2017-7645). - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670 CVE#2017-7645).
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100044
    published 2017-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100044
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-562)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-027.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 99201
    published 2017-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99201
    title Virtuozzo 7 : readykernel-patch (VZA-2017-027)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0111.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143545] (CVE-2017-7308) - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143545] (CVE-2017-7308) - net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143545] (CVE-2017-7308) - dccp/tcp: do not inherit mc_list from parent (Eric Dumazet) [Orabug: 26132091] (CVE-2017-8890)
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 100585
    published 2017-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100585
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0111)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-1308.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) * It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100430
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100430
    title CentOS 7 : kernel (CESA-2017:1308)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3580.NASL
    description Description of changes: kernel-uek [3.8.13-118.18.4.el7uek] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308} - net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143552] {CVE-2017-7308}
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100584
    published 2017-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100584
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3580)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1308-1.NASL
    description Description of changes: - [3.10.0-514.21.1.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko at oracle.com) - Update x509.genkey [bug 24817676] [3.10.0-514.21.1.el7] - [kernel] sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (Gustavo Duarte) [1441547 1423400] - [drivers] Set dev->device_rh to NULL after free (Prarit Bhargava) [1441544 1414064] - [security] keys: request_key() should reget expired keys rather than give EKEYEXPIRED (David Howells) [1441287 1408330] - [security] keys: Simplify KEYRING_SEARCH_{NO, DO}_STATE_CHECK flags (David Howells) [1441287 1408330] - [net] packet: fix overflow in check for tp_reserve (Hangbin Liu) [1441171 1441172] {CVE-2017-7308} - [net] packet: fix overflow in check for tp_frame_nr (Hangbin Liu) [1441171 1441172] {CVE-2017-7308} - [net] packet: fix overflow in check for priv area size (Hangbin Liu) [1441171 1441172] {CVE-2017-7308} - [powerpc] pseries: Use H_CLEAR_HPT to clear MMU hash table during kexec (Steve Best) [1439812 1423396] - [netdrv] fjes: Fix wrong netdevice feature flags (Yasuaki Ishimatsu) [1439802 1435603] - [kernel] mlx5e: Implement Fragmented Work Queue (WQ) (Don Dutile) [1439164 1368400] - [netdrv] mlx5e: Copy all L2 headers into inline segment (Don Dutile) [1439161 1383013] - [nvdimm] fix PHYS_PFN/PFN_PHYS mixup (Jeff Moyer) [1439160 1428115] - [s390] scsi: zfcp: fix rport unblock race with LUN recovery (Hendrik Brueckner) [1433413 1421750] - [fs] gfs2: Avoid alignment hole in struct lm_lockname (Robert S Peterson) [1432554 1425450] - [fs] gfs2: Add missing rcu locking for glock lookup (Robert S Peterson) [1432554 1425450] - [fs] ext4: fix fencepost in s_first_meta_bg validation (Lukas Czerner) [1430969 1332503] {CVE-2016-10208} - [fs] ext4: sanity check the block and cluster size at mount time (Lukas Czerner) [1430969 1332503] {CVE-2016-10208} - [fs] ext4: validate s_first_meta_bg at mount time (Lukas Czerner) [1430969 1332503] {CVE-2016-10208} - [net] sctp: deny peeloff operation on asocs with threads sleeping on it (Hangbin Liu) [1429496 1429497] {CVE-2017-5986 CVE-2017-6353} - [net] sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Hangbin Liu) [1429496 1429497] {CVE-2017-5986 CVE-2017-6353} - [x86] perf/x86/intel/rapl: Make package handling more robust (Jiri Olsa) [1443902 1418688] - [x86] perf/x86/intel/rapl: Convert to hotplug state machine (Jiri Olsa) [1443902 1418688] - [x86] perf/x86: Set pmu->module in Intel PMU modules (Jiri Olsa) [1443902 1418688] - [kernel] sched/core, x86/topology: Fix NUMA in package topology bug (Jiri Olsa) [1441645 1369832] - [kernel] sched: Allow hotplug notifiers to be setup early (Jiri Olsa) [1441645 1369832] - [x86] x86/smpboot: Make logical package management more robust (Prarit Bhargava) [1441643 1414054] - [x86] x86/cpu: Deal with broken firmware (VMWare/XEN) (Prarit Bhargava) [1441643 1414054] - [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738] - [x86] revert 'perf/uncore: Disable uncore on kdump kernel' (Prarit Bhargava) [1426633 1373738] - [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738] - [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738] - [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738] - [block] fix use-after-free in seq file (Denys Vlasenko) [1418550 1418551] {CVE-2016-7910} - [crypto] algif_hash - Only export and import on sockets with data (Herbert Xu) [1394101 1387632] {CVE-2016-8646} - [char] hwrng: core - sleep interruptible in read (Amit Shah) [1443503 1376397] - [char] hwrng: core - correct error check of kthread_run call (Amit Shah) [1443503 1376397] - [char] hwrng: core - Move hwrng_init call into set_current_rng (Amit Shah) [1443503 1376397] - [char] hwrng: core - Drop current rng in set_current_rng (Amit Shah) [1443503 1376397] - [char] hwrng: core - Do not register device opportunistically (Amit Shah) [1443503 1376397] - [char] hwrng: core - Fix current_rng init/cleanup race yet again (Amit Shah) [1443503 1376397] - [char] hwrng: core - Use struct completion for cleanup_done (Amit Shah) [1443503 1376397] - [char] hwrng: don't init list element we're about to add to list (Amit Shah) [1443503 1376397] - [char] hwrng: don't double-check old_rng (Amit Shah) [1443503 1376397] - [char] hwrng: fix unregister race (Amit Shah) [1443503 1376397] - [char] hwrng: use reference counts on each struct hwrng (Amit Shah) [1443503 1376397] - [char] hwrng: move some code out mutex_lock for avoiding underlying deadlock (Amit Shah) [1443503 1376397] - [char] hwrng: place mutex around read functions and buffers (Amit Shah) [1443503 1376397] - [char] virtio-rng: skip reading when we start to remove the device (Amit Shah) [1443503 1376397] - [char] virtio-rng: fix stuck of hot-unplugging busy device (Amit Shah) [1443503 1376397] - [infiniband] ib/mlx5: Resolve soft lock on massive reg MRs (Don Dutile) [1444347 1417285] [3.10.0-514.20.1.el7] - [powerpc] fadump: Fix the race in crash_fadump() (Steve Best) [1439810 1420077] - [kernel] locking/mutex: Explicitly mark task as running after wakeup (Gustavo Duarte) [1439803 1423397] - [netdrv] ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths (Ken Cox) [1438421 1383524] - [fs] nfsv4.0: always send mode in SETATTR after EXCLUSIVE4 (Benjamin Coddington) [1437967 1415780] - [net] fix creation adjacent device symlinks (Adrian Reber) [1436646 1412898] - [net] prevent of emerging cross-namespace symlinks (Adrian Reber) [1436646 1412898] - [netdrv] macvlan: unregister net device when netdev_upper_dev_link() fails (Adrian Reber) [1436646 1412898] - [scsi] vmw_pvscsi: return SUCCESS for successful command aborts (Ewan Milne) [1435764 1394172] - [infiniband] ib/uverbs: Fix race between uverbs_close and remove_one (Don Dutile) [1435187 1417284] - [fs] gfs2: Prevent BUG from occurring when normal Withdraws occur (Robert S Peterson) [1433882 1404005] - [fs] jbd2: fix incorrect unlock on j_list_lock (Lukas Czerner) [1433881 1403346] - [fs] xfs: don't wrap ID in xfs_dq_get_next_id (Eric Sandeen) [1433415 1418182] - [net] tcp/dccp: avoid starving bh on connect (Paolo Abeni) [1433320 1401419] - [fs] xfs: fix up xfs_swap_extent_forks inline extent handling (Eric Sandeen) [1432154 1412945] - [x86] kvm: vmx: handle PML full VMEXIT that occurs during event delivery (Radim Krcmar) [1431666 1421296] - [virt] kvm: vmx: ensure VMCS is current while enabling PML (Radim Krcmar) [1431666 1421296] - [net] ip_tunnel: Create percpu gro_cell (Jiri Benc) [1431197 1424076] - [x86] kvm: x86: do not save guest-unsupported XSAVE state (Radim Krcmar) [1431150 1401767] - [scsi] mpt3sas: Force request partial completion alignment (Tomas Henzl) [1430809 1418286] [3.10.0-514.19.1.el7] - [fs] gfs2: Wake up io waiters whenever a flush is done (Robert S Peterson) [1437126 1404301] - [fs] gfs2: Made logd daemon take into account log demand (Robert S Peterson) [1437126 1404301] - [fs] gfs2: Limit number of transaction blocks requested for truncates (Robert S Peterson) [1437126 1404301] - [net] ipv6: addrconf: fix dev refcont leak when DAD failed (Hangbin Liu) [1436588 1416105] [3.10.0-514.18.1.el7] - [net] ipv6: don't increase size when refragmenting forwarded ipv6 skbs (Florian Westphal) [1434589 1430571] - [net] bridge: drop netfilter fake rtable unconditionally (Florian Westphal) [1434589 1430571] - [net] ipv6: avoid write to a possibly cloned skb (Florian Westphal) [1434589 1430571] - [net] netfilter: bridge: honor frag_max_size when refragmenting (Florian Westphal) [1434589 1430571] - [net] bridge: Add br_netif_receive_skb remove netif_receive_skb_sk (Ivan Vecera) [1434589 1352289] [3.10.0-514.17.1.el7] - [netdrv] i40e: Be much more verbose about what we can and cannot offload (Stefan Assmann) [1433273 1383521] - [kernel] watchdog: prevent false hardlockup on overloaded system (Don Zickus) [1433267 1399881] - [net] dccp/tcp: fix routing redirect race (Eric Garver) [1433265 1387485]
    last seen 2017-10-29
    modified 2017-05-30
    plugin id 100506
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100506
    title Oracle Linux 7 : kernel (ELSA-2017-1308-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3256-2.NASL
    description USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel for each of the respective prior Ubuntu LTS releases. Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 99198
    published 2017-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99198
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : linux-hwe, linux-lts-trusty, linux-lts-xenial vulnerability (USN-3256-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2525-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bsc#1029850). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bsc#1038879). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 1050677 ). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336) - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability. This requires a malicious PCI Card. (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary could have overflowed the parport_nr array in the following code (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). The following non-security bugs were fixed : - acpi: Disable APEI error injection if securelevel is set (bsc#972891, bsc#1023051). - blkback/blktap: do not leak stack data via response ring (bsc#1042863 XSA-216). - btrfs: cleanup code of btrfs_balance_delayed_items() (bsc#1034838). - btrfs: do not run delayed nodes again after all nodes flush (bsc#1034838). - btrfs: remove btrfs_end_transaction_dmeta() (bsc#1034838). - btrfs: remove residual code in delayed inode async helper (bsc#1034838). - btrfs: use flags instead of the bool variants in delayed node (bsc#1034838). - cifs: cifs_get_root shouldn't use path with tree name, alternate fix (bsc#963655, bsc#979681, bsc#1027406). - dentry name snapshots (bsc#1049483). - firmware: fix directory creation rule matching with make 3.80 (bsc#1012422). - firmware: fix directory creation rule matching with make 3.82 (bsc#1012422). - Fix vmalloc_fault oops during lazy MMU updates (bsc#948562) (bsc#948562). - hv: do not lose pending heartbeat vmbus packets (bnc#1006919, bnc#1053760). - jbd: do not wait (forever) for stale tid caused by wraparound (bsc#1020229). - jbd: Fix oops in journal_remove_journal_head() (bsc#1017143). - kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422) - keys: Disallow keyrings beginning with '.' to be joined as session keyrings (bnc#1035576). - nfs: Avoid getting confused by confused server (bsc#1045416). - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670). - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670). - nfsd: do not risk using duplicate owner/file/delegation ids (bsc#1029212). - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670). - nfs: Make nfs_readdir revalidate less often (bsc#1048232). - pciback: check PF instead of VF for PCI_COMMAND_MEMORY (bsc#957990). - pciback: only check PF if actually dealing with a VF (bsc#999245). - pciback: Save the number of MSI-X entries to be copied later (bsc#957988). - Remove superfluous make flags (bsc#1012422) - Return short read or 0 at end of a raw device, not EIO (bsc#1039594). - Revert 'fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681) - scsi: lpfc: avoid double free of resource identifiers (bsc#989896). - scsi: virtio_scsi: fix memory leak on full queue condition (bsc#1028880). - sunrpc: Clean up the slot table allocation (bsc#1013862). - sunrpc: Initalise the struct xprt upon allocation (bsc#1013862). - usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256). - usb: wusbcore: fix NULL-deref at probe (bsc#1045487). - Use make --output-sync feature when available (bsc#1012422). - Use PF_LESS_THROTTLE in loop device thread (bsc#1027101). - xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-20
    plugin id 103354
    published 2017-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103354
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3609.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102773
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102773
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-26C9ECD7A4.NASL
    description The 4.10.10 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 99423
    published 2017-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99423
    title Fedora 25 : kernel (2017-26c9ecd7a4)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-1308.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) * It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-18
    plugin id 101474
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101474
    title Virtuozzo 7 : kernel / kernel-abi-whitelists / kernel-debug / etc (VZLSA-2017-1308)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1285-1.NASL
    description This update for the Linux Kernel 3.12.60-52_49 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). - bsc#1030467: Updated Dirty COW fix. The former patch caused some apps to freeze in rare circumstances Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100209
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100209
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1285-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3637.NASL
    description Description of changes: [2.6.39-400.297.12.el6uek] - xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363} - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074} - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077} - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044} - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044} - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044} - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473} - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075} - saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831} - saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831} - saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831} - [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661} - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489}
    last seen 2017-11-06
    modified 2017-11-06
    plugin id 104371
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104371
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3637)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1183-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features : - Improved support for Hyper-V - Support for Matrox G200eH3 - Support for tcp_westwood The following security bugs were fixed : - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415). - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190). - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189). - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066). - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722). - CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enables scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697). - CVE-2017-6347: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel had incorrect expectations about skb data layout, which allowed local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission (bnc#1027179). - CVE-2016-9191: The cgroup offline implementation in the Linux kernel mishandled certain drain operations, which allowed local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application (bnc#1008842). - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel improperly emulated the VMXON instruction, which allowed KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (bnc#1022785). - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024). The following non-security bugs were fixed : - ACPI, ioapic: Clear on-stack resource before using it (bsc#1028819). - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC (bsc#1028819). - ACPI: Remove platform devices from a bus on removal (bsc#1028819). - HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL (bsc#1022340). - NFS: do not try to cross a mountpount when there isn't one there (bsc#1028041). - NFS: flush out dirty data on file fput() (bsc#1021762). - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal (bug#1028217). - PCI: hv: Use device serial number as PCI domain (bug#1028217). - RAID1: a new I/O barrier implementation to remove resync window (bsc#998106,bsc#1020048,bsc#982783). - RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#998106,bsc#1020048,bsc#982783). - Revert 'RDMA/core: Fix incorrect structure packing for booleans' (kabi). - Revert 'give up on gcc ilog2() constant optimizations' (kabi). - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown flow' (bsc#1028017). - Revert 'net: introduce device min_header_len' (kabi). - Revert 'nfit, libnvdimm: fix interleave set cookie calculation' (kabi). - Revert 'target: Fix NULL dereference during LUN lookup + active I/O shutdown' (kabi). - acpi, nfit: fix acpi_nfit_flush_probe() crash (bsc#1031717). - acpi, nfit: fix extended status translations for ACPI DSMs (bsc#1031717). - arm64: Use full path in KBUILD_IMAGE definition (bsc#1010032). - arm64: hugetlb: fix the wrong address for several functions (bsc#1032681). - arm64: hugetlb: fix the wrong return value for huge_ptep_set_access_flags (bsc#1032681). - arm64: hugetlb: remove the wrong pmd check in find_num_contig() (bsc#1032681). - arm: Use full path in KBUILD_IMAGE definition (bsc#1010032). - bnx2x: allow adding VLANs while interface is down (bsc#1027273). - bonding: fix 802.3ad aggregator reselection (bsc#1029514). - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1019614). - btrfs: allow unlink to exceed subvolume quota (bsc#1019614). - btrfs: backref: Fix soft lockup in __merge_refs function (bsc#1017641). - btrfs: incremental send, do not delay rename when parent inode is new (bsc#1028325). - btrfs: incremental send, do not issue invalid rmdir operations (bsc#1028325). - btrfs: qgroup: Move half of the qgroup accounting time out of commit trans (bsc#1017461). - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1019614). - btrfs: send, fix failure to rename top level inode due to name collision (bsc#1028325). - btrfs: serialize subvolume mounts with potentially mismatching rw flags (bsc#951844 bsc#1024015) - cgroup/pids: remove spurious suspicious RCU usage warning (bnc#1031831). - crypto: algif_hash - avoid zero-sized array (bnc#1007962). - cxgb4vf: do not offload Rx checksums for IPv6 fragments (bsc#1026692). - device-dax: fix private mapping restriction, permit read-only (bsc#1031717). - drm/i915: Add intel_uncore_suspend / resume functions (bsc#1011913). - drm/i915: Fix crash after S3 resume with DP MST mode change (bsc#1029634). - drm/i915: Listen for PMIC bus access notifications (bsc#1011913). - drm/i915: Only enable hotplug interrupts if the display interrupts are enabled (bsc#1031717). - drm/mgag200: Added support for the new device G200eH3 (bsc#1007959) - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986). - futex: Add missing error handling to FUTEX_REQUEUE_PI (bsc#969755). - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI (bsc#969755). - hv: export current Hyper-V clocksource (bsc#1031206). - hv: util: do not forget to init host_ts.lock (bsc#1031206). - hv: vmbus: Prevent sending data on a rescinded channel (bug#1028217). - hv_utils: implement Hyper-V PTP source (bsc#1031206). - i2c-designware: increase timeout (bsc#1011913). - i2c: designware-baytrail: Acquire P-Unit access on bus acquire (bsc#1011913). - i2c: designware-baytrail: Call pmic_bus_access_notifier_chain (bsc#1011913). - i2c: designware-baytrail: Fix race when resetting the semaphore (bsc#1011913). - i2c: designware-baytrail: Only check iosf_mbi_available() for shared hosts (bsc#1011913). - i2c: designware: Disable pm for PMIC i2c-bus even if there is no _SEM method (bsc#1011913). - i2c: designware: Never suspend i2c-busses used for accessing the system PMIC (bsc#1011913). - i2c: designware: Rename accessor_flags to flags (bsc#1011913). - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off (bsc#1031208). - kABI: protect struct iscsi_conn (kabi). - kABI: protect struct se_node_acl (kabi). - kABI: restore can_rx_register parameters (kabi). - kgr/module: make a taint flag module-specific - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662). - kgr: remove all arch-specific kgraft header files - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415). - l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415). - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415). - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - l2tp: lock socket before checking flags in connect() (bsc#1028415). - libnvdimm, pfn: fix memmap reservation size versus 4K alignment (bsc#1031717). - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662). - md/raid1: Refactor raid1_make_request (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: add rcu protection to rdev in fix_read_error (References: bsc#998106,bsc#1020048,bsc#982783). - md/raid1: fix a use-after-free bug (bsc#998106,bsc#1020048,bsc#982783). - md/raid1: handle flush request correctly (bsc#998106,bsc#1020048,bsc#982783). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - mm/memblock.c: fix memblock_next_valid_pfn() (bnc#1031200). - mm/page_alloc: Remove useless parameter of __free_pages_boot_core (bnc#1027195). - mm: fix set pageblock migratetype in deferred struct page init (bnc#1027195). - mm: page_alloc: skip over regions of invalid pfns where possible (bnc#1031200). - module: move add_taint_module() to a header file - net/ena: change condition for host attribute configuration (bsc#1026509). - net/ena: change driver's default timeouts (bsc#1026509). - net/ena: fix NULL dereference when removing the driver after device reset failed (bsc#1026509). - net/ena: fix RSS default hash configuration (bsc#1026509). - net/ena: fix ethtool RSS flow configuration (bsc#1026509). - net/ena: fix potential access to freed memory during device reset (bsc#1026509). - net/ena: fix queues number calculation (bsc#1026509). - net/ena: reduce the severity of ena printouts (bsc#1026509). - net/ena: refactor ena_get_stats64 to be atomic context safe (bsc#1026509). - net/ena: remove ntuple filter support from device feature list (bsc#1026509). - net/ena: update driver version to 1.1.2 (bsc#1026509). - net/ena: use READ_ONCE to access completion descriptors (bsc#1026509). - net/mlx4_core: Avoid command timeouts during VF driver device shutdown (bsc#1028017). - net/mlx4_core: Avoid delays during VF driver device shutdown (bsc#1028017). - net/mlx4_core: Fix racy CQ (Completion Queue) free (bsc#1028017). - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions (bsc#1028017). - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs (bsc#1028017). - net/mlx4_en: Fix bad WQE issue (bsc#1028017). - net: ena: Fix error return code in ena_device_init() (bsc#1026509). - net: ena: Remove unnecessary pci_set_drvdata() (bsc#1026509). - net: ena: change the return type of ena_set_push_mode() to be void (bsc#1026509). - net: ena: remove superfluous check in ena_remove() (bsc#1026509). - net: ena: use setup_timer() and mod_timer() (bsc#1026509). - netfilter: allow logging from non-init namespaces (bsc#970083). - nvme: Do not suspend admin queue that wasn't created (bsc#1026505). - nvme: Suspend all queues before deletion (bsc#1026505). - ping: implement proper locking (bsc#1031003). - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895). - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data (bsc#1026462). - s390/kmsg: add missing kmsg descriptions (bnc#1025683). - s390/mm: fix zone calculation in arch_add_memory() (bnc#1025683). - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting (bsc#1018419). - scsi: do not print 'reservation conflict' for TEST UNIT READY (bsc#1027054). - scsi_dh_alua: Do not modify the interval value for retries (bsc#1012910). - softirq: Let ksoftirqd do its job (bsc#1019618). - x86, mm: fix gup_pte_range() vs DAX mappings (bsc#1026405). - x86/apic/uv: Silence a shift wrapping warning (bsc#1023866). - x86/ioapic: Change prototype of acpi_ioapic_add() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix IOAPIC failing to request resource (bsc#1027153, bsc#1027616). - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix lost IOAPIC resource after hot-removal and hotadd (bsc#1027153, bsc#1027616). - x86/ioapic: Fix setup_res() failing to get resource (bsc#1027153, bsc#1027616). - x86/ioapic: Ignore root bridges without a companion ACPI device (bsc#1027153, bsc#1027616). - x86/ioapic: Simplify ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Support hot-removal of IOAPICs present during boot (bsc#1027153, bsc#1027616). - x86/ioapic: fix kABI (hide added include) (bsc#1027153, bsc#1027616). - x86/mce: Do not print MCEs when mcelog is active (bsc#1013994). - x86/mce: Fix copy/paste error in exception table entries - x86/mm/gup: Simplify get_user_pages() PTE bit handling (bsc#1026405). - x86/platform/UV: Add Support for UV4 Hubless NMIs (bsc#1023866). - x86/platform/UV: Add Support for UV4 Hubless systems (bsc#1023866). - x86/platform/UV: Add basic CPU NMI health check (bsc#1023866). - x86/platform/UV: Clean up the NMI code to match current coding style (bsc#1023866). - x86/platform/UV: Clean up the UV APIC code (bsc#1023866). - x86/platform/UV: Ensure uv_system_init is called when necessary (bsc#1023866). - x86/platform/UV: Fix 2 socket config problem (bsc#1023866). - x86/platform/UV: Fix panic with missing UVsystab support (bsc#1023866). - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be NMI source (bsc#1023866). - x86/platform/UV: Verify NMI action is valid, default is standard (bsc#1023866). - x86/platform/intel/iosf_mbi: Add a PMIC bus access notifier (bsc#1011913). - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit access (bsc#1011913). - x86/platform: Remove warning message for duplicate NMI handlers (bsc#1029220). - x86/ras/therm_throt: Do not log a fake MCE for thermal events (bsc#1028027). - xen-blkfront: correct maximum segment accounting (bsc#1018263). - xen-blkfront: do not call talk_to_blkback when already connected to blkback. - xen-blkfront: free resources if xlvbd_alloc_gendisk fails. - xen/blkfront: Fix crash if backend does not follow the right states. - xen/netback: set default upper limit of tx/rx queues to 8 (bnc#1019163). - xen/netfront: set default upper limit of tx/rx queues to 8 (bnc#1019163). - xen: Use machine addresses in /sys/kernel/vmcoreinfo when PV (bsc#1014136) - xfs: do not take the IOLOCK exclusive for direct I/O page invalidation (bsc#1015609). - xgene_enet: remove bogus forward declarations (bsc#1032673). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 100023
    published 2017-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100023
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1281-1.NASL
    description This update the for Linux Kernel 3.12.61-52.69 fixes one issue. The following security bug was fixed : - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1025013). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100207
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100207
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1281-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-828.NASL
    description Infinite recursion in ahash.c by triggering EBUSY on a full queue : A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.(CVE-2017-7618) Time subsystem allows local users to discover real PID values : The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.(CVE-2017-5967) Stack-based buffer overflow in sg_ioctl function : The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. (CVE-2017-7187) Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c : Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in mm/mempolicy.c; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616) Race condition in Link Layer Control : A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system. (CVE-2017-2671) Overflow in check for priv area size : It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7308)
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100106
    published 2017-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100106
    title Amazon Linux AMI : kernel (ALAS-2017-828)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170525_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) - Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) - A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) - A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) - It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986, Moderate)
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100458
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100458
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3595.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102059
    published 2017-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102059
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3595) (Stack Clash)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1298.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-514.21.1 source tree, which provides a number of bug fixes over the previous version. (BZ#1440803)
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100456
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100456
    title RHEL 7 : kernel-rt (RHSA-2017:1298)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842-1.NASL
    description The remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102511
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102511
    title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3256-1.NASL
    description Andrey Konovalov discovered that the AF_PACKET implementation in the Linux kernel did not properly validate certain block-size data. A local attacker could use this to cause a denial of service (system crash). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 99197
    published 2017-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99197
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-ti-omap4 vulnerability (USN-3256-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3579.NASL
    description Description of changes: kernel-uek [4.1.12-94.3.6.el7uek] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308} - net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143545] {CVE-2017-7308}
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100583
    published 2017-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100583
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3579)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1308.NASL
    description From Red Hat Security Advisory 2017:1308 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) * It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100507
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100507
    title Oracle Linux 7 : kernel (ELSA-2017-1308)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0112.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143552] (CVE-2017-7308) - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143552] (CVE-2017-7308) - net/packet: fix overflow in check for priv area size (Andrey Konovalov) [Orabug: 26143552] (CVE-2017-7308) - dccp/tcp: do not inherit mc_list from parent (Eric Dumazet) [Orabug: 26108571] (CVE-2017-8890)
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 100586
    published 2017-06-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100586
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0112)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3658.NASL
    description Description of changes: [2.6.39-400.298.1.el6uek] - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090] - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879] - xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637] - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) [Orabug: 25102637] - RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316] - ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671} - KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013] - oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039] - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889} - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307] - xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559] - more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190} - fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190} - xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363} - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074} - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077} - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044} - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044} - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044} - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473} - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075} - saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831} - saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831} - saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831} - [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661} - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489} - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176} - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542} - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111} - mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] - xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355] - fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253} - Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796428] {CVE-2017-1000251} - xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645562] {CVE-2017-12134} - fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26638926] {CVE-2017-1000365} {CVE-2017-1000365} - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586050] {CVE-2016-10200} - xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586024] {CVE-2016-9685} - KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604} - ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202] {CVE-2017-9242} - selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] - RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426] - HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273} - udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167} - btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710} - Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710} - net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686} - xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445] - PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513] - PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513] - ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465} - mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326145] {CVE-2017-1000364} - nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024] {CVE-2017-7645} - dm mpath: allow ioctls to trigger pg init (Mikulas Patocka) [Orabug: 25645229] - xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall) [Orabug: 25795530] - lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin) [Orabug: 25955028]
    last seen 2017-12-13
    modified 2017-12-12
    plugin id 105145
    published 2017-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105145
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1308.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) * It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Additional Changes : This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100457
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100457
    title RHEL 7 : kernel (RHSA-2017:1308)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1291-1.NASL
    description This update for the Linux Kernel 3.12.60-52_57 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100211
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100211
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1291-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL82224417.NASL
    description The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls. (CVE-2017-7308)
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100005
    published 2017-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100005
    title F5 Networks BIG-IP : Linux kernel vulnerability (K82224417)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1297.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2017-7308, Important) * Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads. (CVE-2016-10208, Moderate) * A flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation. (CVE-2016-7910, Moderate) * A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646, Moderate) Red Hat would like to thank Igor Redko (Virtuozzo kernel team) for reporting CVE-2016-8646. Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-514 source tree, which provides a number of bug fixes over the previous version. (BZ#1440807)
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 100455
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100455
    title RHEL 6 : kernel-rt (RHSA-2017:1297)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0145.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102774
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102774
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1302-1.NASL
    description This update for the Linux Kernel 3.12.61-52_66 fixes several issues. The following security bugs were fixed : - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bsc#1030575, bsc#1031660). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-09-08
    plugin id 100215
    published 2017-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100215
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1302-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-532.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.62 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement (bnc#986362). - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (bnc#986365). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003). - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579). - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440). - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052). - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213). - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (bnc#1032006). The following non-security bugs were fixed : - acpi, nfit: fix acpi_nfit_flush_probe() crash (bsc#1031717). - acpi, nfit: fix extended status translations for ACPI DSMs (bsc#1031717). - arm64: hugetlb: fix the wrong address for several functions (bsc#1032681). - arm64: hugetlb: fix the wrong return value for huge_ptep_set_access_flags (bsc#1032681). - arm64: hugetlb: remove the wrong pmd check in find_num_contig() (bsc#1032681). - arm64: Use full path in KBUILD_IMAGE definition (bsc#1010032). - arm: Use full path in KBUILD_IMAGE definition (bsc#1010032). - blacklist.conf: 73667e31a153 x86/hyperv: Hide unused label - blacklist.conf: Add ed10858 ('scsi: smartpqi: fix time handling') to blacklist - blacklist.conf: blacklist 9770404a which was subsequently reverted - blacklist.conf: Blacklist f2fs fix - blacklist.conf: Blacklist unneeded commit, because of a partial backport. - blacklist.conf: Split SP2 and SP3 entries to ease merging - blacklist: Fix blacklisting of 0c313cb20732 - block: copy NOMERGE flag from bio to request (bsc#1030070). - bonding: fix 802.3ad aggregator reselection (bsc#1029514). - btrfs: add transaction space reservation tracepoints (bsc#1012452). - btrfs: allow unlink to exceed subvolume quota (bsc#1019614). - btrfs: avoid uninitialized variable warning (bsc#1012452). - btrfs: __btrfs_buffered_write: Reserve/release extents aligned to block size (bsc#1012452). - btrfs: btrfs_ioctl_clone: Truncate complete page after performing clone operation (bsc#1012452). - btrfs: btrfs_page_mkwrite: Reserve space in sectorsized units (bsc#1012452). - btrfs: btrfs_submit_direct_hook: Handle map_length < bio vector length (bsc#1012452). - btrfs: change how we update the global block rsv (bsc#1012452). - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1019614). - btrfs: check reserved when deciding to background flush (bsc#1012452). - btrfs: Clean pte corresponding to page straddling i_size (bsc#1012452). - btrfs: Compute and look up csums based on sectorsized blocks (bsc#1012452). - btrfs: csum_tree_block: return proper errno value (bsc#1012452). - btrfs: device add and remove: use GFP_KERNEL (bsc#1012452). - btrfs: Direct I/O read: Work on sectorsized blocks (bsc#1012452). - btrfs: do not write corrupted metadata blocks to disk (bsc#1012452). - btrfs: extent same: use GFP_KERNEL for page array allocations (bsc#1012452). - btrfs: fallback to vmalloc in btrfs_compare_tree (bsc#1012452). - btrfs: fallocate: use GFP_KERNEL (bsc#1012452). - btrfs: fallocate: Work with sectorsized blocks (bsc#1012452). - btrfs: Fix block size returned to user space (bsc#1012452). - btrfs: fix build warning (bsc#1012452). - btrfs: fix delalloc accounting after copy_from_user faults (bsc#1012452). - btrfs: fix extent_same allowing destination offset beyond i_size (bsc#1012452). - btrfs: fix handling of faults from btrfs_copy_from_user (bsc#1012452). - btrfs: fix invalid reference in replace_path (bsc#1012452). - btrfs: fix listxattrs not listing all xattrs packed in the same item (bsc#1012452). - btrfs: fix lockdep deadlock warning due to dev_replace (bsc#1012452). - btrfs: fix truncate_space_check (bsc#1012452). - btrfs: Improve FL_KEEP_SIZE handling in fallocate (bsc#1012452). - btrfs: let callers of btrfs_alloc_root pass gfp flags (bsc#1012452). - btrfs: Limit inline extents to root->sectorsize (bsc#1012452). - btrfs: make sure we stay inside the bvec during __btrfs_lookup_bio_sums (bsc#1012452). - btrfs: Output more info for enospc_debug mount option (bsc#1012452). - btrfs: Print Warning only if ENOSPC_DEBUG is enabled (bsc#1012452). - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1019614). - btrfs: reada: add all reachable mirrors into reada device list (bsc#1012452). - btrfs: reada: Add missed segment checking in reada_find_zone (bsc#1012452). - btrfs: reada: Avoid many times of empty loop (bsc#1012452). - btrfs: reada: avoid undone reada extents in btrfs_reada_wait (bsc#1012452). - btrfs: reada: bypass adding extent when all zone failed (bsc#1012452). - btrfs: reada: Fix a debug code typo (bsc#1012452). - btrfs: reada: Fix in-segment calculation for reada (bsc#1012452). - btrfs: reada: ignore creating reada_extent for a non-existent device (bsc#1012452). - btrfs: reada: Jump into cleanup in direct way for __readahead_hook() (bsc#1012452). - btrfs: reada: limit max works count (bsc#1012452). - btrfs: reada: Move is_need_to_readahead contition earlier (bsc#1012452). - btrfs: reada: move reada_extent_put to place after __readahead_hook() (bsc#1012452). - btrfs: reada: Pass reada_extent into __readahead_hook directly (bsc#1012452). - btrfs: reada: reduce additional fs_info->reada_lock in reada_find_zone (bsc#1012452). - btrfs: reada: Remove level argument in severial functions (bsc#1012452). - btrfs: reada: simplify dev->reada_in_flight processing (bsc#1012452). - btrfs: reada: Use fs_info instead of root in __readahead_hook's argument (bsc#1012452). - btrfs: reada: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: readdir: use GFP_KERNEL (bsc#1012452). - btrfs: remove redundant error check (bsc#1012452). - btrfs: Reset IO error counters before start of device replacing (bsc#1012452). - btrfs: scrub: use GFP_KERNEL on the submission path (bsc#1012452). - btrfs: Search for all ordered extents that could span across a page (bsc#1012452). - btrfs: send: use GFP_KERNEL everywhere (bsc#1012452). - btrfs: switch to kcalloc in btrfs_cmp_data_prepare (bsc#1012452). - btrfs: Use (eb->start, seq) as search key for tree modification log (bsc#1012452). - btrfs: use proper type for failrec in extent_state (bsc#1012452). - ceph: fix recursively call between ceph_set_acl and __ceph_setattr (bsc#1034902). - cgroup/pids: remove spurious suspicious RCU usage warning (bnc#1031831). - cxgb4: Add control net_device for configuring PCIe VF (bsc#1021424). - cxgb4: Add llseek operation for flash debugfs entry (bsc#1021424). - cxgb4: add new routine to get adapter info (bsc#1021424). - cxgb4: Add PCI device ID for new adapter (bsc#1021424). - cxgb4: Add port description for new cards (bsc#1021424). - cxgb4: Add support to enable logging of firmware mailbox commands (bsc#1021424). - cxgb4: Check for firmware errors in the mailbox command loop (bsc#1021424). - cxgb4: correct device ID of T6 adapter (bsc#1021424). - cxgb4/cxgb4vf: Add set VF mac address support (bsc#1021424). - cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter (bsc#1021424). - cxgb4/cxgb4vf: Assign netdev->dev_port with port ID (bsc#1021424). - cxgb4/cxgb4vf: Display 25G and 100G link speed (bsc#1021424). - cxgb4/cxgb4vf: Remove deprecated module parameters (bsc#1021424). - cxgb4: DCB message handler needs to use correct portid to netdev mapping (bsc#1021424). - cxgb4: Decode link down reason code obtained from firmware (bsc#1021424). - cxgb4: Do not assume FW_PORT_CMD reply is always port info msg (bsc#1021424). - cxgb4: do not call napi_hash_del() (bsc#1021424). - cxgb4: Do not sleep when mbox cmd is issued from interrupt context (bsc#1021424). - cxgb4: Enable SR-IOV configuration via PCI sysfs interface (bsc#1021424). - cxgb4: Fix issue while re-registering VF mgmt netdev (bsc#1021424). - cxgb4: MU requested by Chelsio (bsc#1021424). - cxgb4: Properly decode port module type (bsc#1021424). - cxgb4: Refactor t4_port_init function (bsc#1021424). - cxgb4: Reset dcb state machine and tx queue prio only if dcb is enabled (bsc#1021424). - cxgb4: Support compressed error vector for T6 (bsc#1021424). - cxgb4: Synchronize access to mailbox (bsc#1021424). - cxgb4: update latest firmware version supported (bsc#1021424). - device-dax: fix private mapping restriction, permit read-only (bsc#1031717). - drivers: hv: util: do not forget to init host_ts.lock (bsc#1031206). - drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg() (fate#320485, bsc#1023287, bsc#1028217). - drm/i915: Fix crash after S3 resume with DP MST mode change (bsc#1029634). - drm/i915: Introduce Kabypoint PCH for Kabylake H/DT (bsc#1032581). - drm/i915: Only enable hotplug interrupts if the display interrupts are enabled (bsc#1031717). - ext4: fix use-after-iput when fscrypt contexts are inconsistent (bsc#1012829). - hid: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL (bsc#1022340). - hv: export current Hyper-V clocksource (bsc#1031206). - hv_utils: implement Hyper-V PTP source (bsc#1031206). - ibmvnic: Allocate number of rx/tx buffers agreed on by firmware (fate#322021, bsc#1031512). - ibmvnic: Call napi_disable instead of napi_enable in failure path (fate#322021, bsc#1031512). - ibmvnic: Correct ibmvnic handling of device open/close (fate#322021, bsc#1031512). - ibmvnic: Fix endian errors in error reporting output (fate#322021, bsc#1031512). - ibmvnic: Fix endian error when requesting device capabilities (fate#322021, bsc#1031512). - ibmvnic: Fix initial MTU settings (bsc#1031512). - ibmvnic: Fix overflowing firmware/hardware TX queue (fate#322021, bsc#1031512). - ibmvnic: Free tx/rx scrq pointer array when releasing sub-crqs (fate#322021, bsc#1031512). - ibmvnic: Handle processing of CRQ messages in a tasklet (fate#322021, bsc#1031512). - ibmvnic: Initialize completion variables before starting work (fate#322021, bsc#1031512). - ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs (fate#322021, bsc#1031512). - ibmvnic: Move ibmvnic adapter intialization to its own routine (fate#322021, bsc#1031512). - ibmvnic: Move login and queue negotiation into ibmvnic_open (fate#322021, bsc#1031512). - ibmvnic: Move login to its own routine (fate#322021, bsc#1031512). - ibmvnic: Use common counter for capabilities checks (fate#322021, bsc#1031512). - ibmvnic: use max_mtu instead of req_mtu for MTU range check (bsc#1031512). - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off (bsc#1031208). - iscsi-target: Return error if unable to add network portal (bsc#1032803). - kABI: restore ttm_ref_object_add parameters (kabi). - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662). - kvm: svm: add support for RDTSCP (bsc#1033117). - l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415). - libcxgb: add library module for Chelsio drivers (bsc#1021424). - libnvdimm, pfn: fix memmap reservation size versus 4K alignment (bsc#1031717). - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662). - md: handle read-only member devices better (bsc#1033281). - mem-hotplug: fix node spanned pages when we have a movable node (bnc#1034671). - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118). - mm/memblock.c: fix memblock_next_valid_pfn() (bnc#1031200). - mm: page_alloc: skip over regions of invalid pfns where possible (bnc#1031200). - netfilter: allow logging from non-init namespaces (bsc#970083). - net: ibmvnic: Remove unused net_stats member from struct ibmvnic_adapter (fate#322021, bsc#1031512). - nfs: flush out dirty data on file fput() (bsc#1021762). - nvme: Delete created IO queues on reset (bsc#1031717). - overlayfs: compat, fix incorrect dentry use in ovl_rename2 (bsc#1032400). - overlayfs: compat, use correct dentry to detect compat mode in ovl_compat_is_whiteout (bsc#1032400). - ping: implement proper locking (bsc#1031003). - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM (bsc#1032141). - powerpc/fadump: Update fadump documentation (bsc#1032141). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' (bsc#1017461 bsc#1033885). - Revert 'btrfs: qgroup: Move half of the qgroup accounting time out of' This reverts commit f69c1d0f6254c73529a48fd2f87815d047ad7288. - Revert 'Revert 'btrfs: qgroup: Move half of the qgroup accounting time' This reverts commit 8567943ca56d937acfc417947cba917de653b09c. - sbp-target: Fix second argument of percpu_ida_alloc() (bsc#1032803). - scsi: cxgb4i: libcxgbi: cxgb4: add T6 iSCSI completion feature (bsc#1021424). - scsi_error: count medium access timeout only once per EH run (bsc#993832, bsc#1032345). - scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION (bsc#1034419). - scsi: ipr: Driver version 2.6.4 (bsc#1031555, fate#321595). - scsi: ipr: Error path locking fixes (bsc#1031555, fate#321595). - scsi: ipr: Fix abort path race condition (bsc#1031555, fate#321595). - scsi: ipr: Fix missed EH wakeup (bsc#1031555, fate#321595). - scsi: ipr: Fix SATA EH hang (bsc#1031555, fate#321595). - scsi: ipr: Remove redundant initialization (bsc#1031555, fate#321595). - scsi_transport_fc: do not call queue_work under lock (bsc#1013887). - scsi_transport_fc: fixup race condition in fc_rport_final_delete() (bsc#1013887). - scsi_transport_fc: return -EBUSY for deleted vport (bsc#1013887). - sysfs: be careful of error returns from ops->show() (bsc#1028883). - thp: fix MADV_DONTNEED vs. numa balancing race (bnc#1027974). - thp: reduce indentation level in change_huge_pmd() (bnc#1027974). - tpm: fix checks for policy digest existence in tpm2_seal_trusted() (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix RC value check in tpm2_seal_trusted (bsc#1034048, Pending fixes 2017-04-10). - tpm: fix: set continueSession attribute for the unseal operation (bsc#1034048, Pending fixes 2017-04-10). - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065). - x86/CPU/AMD: Fix Zen SMT topology (bsc#1027512). - x86/ioapic: Change prototype of acpi_ioapic_add() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Fix IOAPIC failing to request resource (bsc#1027153, bsc#1027616). - x86/ioapic: fix kABI (hide added include) (bsc#1027153, bsc#1027616). - x86/ioapic: Fix lost IOAPIC resource after hot-removal and hotadd (bsc#1027153, bsc#1027616). - x86/ioapic: Fix setup_res() failing to get resource (bsc#1027153, bsc#1027616). - x86/ioapic: Ignore root bridges without a companion ACPI device (bsc#1027153, bsc#1027616). - x86/ioapic: Simplify ioapic_setup_resources() (bsc#1027153, bsc#1027616). - x86/ioapic: Support hot-removal of IOAPICs present during boot (bsc#1027153, bsc#1027616). - x86/mce: Fix copy/paste error in exception table entries (fate#319858). - x86/platform/uv: Fix calculation of Global Physical Address (bsc#1031147). - x86/ras/therm_throt: Do not log a fake MCE for thermal events (bsc#1028027). - xen: Use machine addresses in /sys/kernel/vmcoreinfo when PV (bsc#1014136) - xgene_enet: remove bogus forward declarations (bsc#1032673).
    last seen 2017-10-29
    modified 2017-07-11
    plugin id 99927
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99927
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-532)
redhat via4
advisories
  • bugzilla
    id 1440803
    title kernel-rt: update to the RHEL7.3.z batch#5 source tree [rhel-7.3.z]
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel-rt is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298015
        • comment kernel-rt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727006
      • AND
        • comment kernel-rt-debug is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298023
        • comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727014
      • AND
        • comment kernel-rt-debug-devel is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298011
        • comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727016
      • AND
        • comment kernel-rt-debug-kvm is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298007
        • comment kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411008
      • AND
        • comment kernel-rt-devel is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298009
        • comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727012
      • AND
        • comment kernel-rt-doc is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298005
        • comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727022
      • AND
        • comment kernel-rt-kvm is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298017
        • comment kernel-rt-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411024
      • AND
        • comment kernel-rt-trace is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298013
        • comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727008
      • AND
        • comment kernel-rt-trace-devel is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298019
        • comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727010
      • AND
        • comment kernel-rt-trace-kvm is earlier than 0:3.10.0-514.21.1.rt56.438.el7
          oval oval:com.redhat.rhsa:tst:20171298021
        • comment kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411014
    rhsa
    id RHSA-2017:1298
    released 2017-05-25
    severity Important
    title RHSA-2017:1298: kernel-rt security and bug fix update (Important)
  • bugzilla
    id 1437404
    title CVE-2017-7308 kernel: net/packet: overflow in check for priv area size
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308009
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308027
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308017
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308011
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308013
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308021
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308023
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308015
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308029
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308031
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308033
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308025
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-514.21.1.el7
          oval oval:com.redhat.rhsa:tst:20171308019
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111849018
    rhsa
    id RHSA-2017:1308
    released 2017-05-25
    severity Important
    title RHSA-2017:1308: kernel security, bug fix, and enhancement update (Important)
rpms
  • kernel-rt-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-debug-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-debug-devel-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-debug-kvm-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-devel-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-doc-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-kvm-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-trace-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-trace-devel-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-rt-trace-kvm-0:3.10.0-514.21.1.rt56.438.el7
  • kernel-0:3.10.0-514.21.1.el7
  • kernel-abi-whitelists-0:3.10.0-514.21.1.el7
  • kernel-bootwrapper-0:3.10.0-514.21.1.el7
  • kernel-debug-0:3.10.0-514.21.1.el7
  • kernel-debug-devel-0:3.10.0-514.21.1.el7
  • kernel-devel-0:3.10.0-514.21.1.el7
  • kernel-doc-0:3.10.0-514.21.1.el7
  • kernel-headers-0:3.10.0-514.21.1.el7
  • kernel-kdump-0:3.10.0-514.21.1.el7
  • kernel-kdump-devel-0:3.10.0-514.21.1.el7
  • kernel-tools-0:3.10.0-514.21.1.el7
  • kernel-tools-libs-0:3.10.0-514.21.1.el7
  • kernel-tools-libs-devel-0:3.10.0-514.21.1.el7
  • perf-0:3.10.0-514.21.1.el7
  • python-perf-0:3.10.0-514.21.1.el7
refmap via4
bid 97234
confirm
misc https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Last major update 11-05-2017 - 21:29
Published 29-03-2017 - 16:59
Last modified 15-08-2017 - 21:29
Back to Top