ID CVE-2017-7541
Summary The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.
References
Vulnerable Configurations
  • Linux Kernel 4.12.2
    cpe:2.3:o:linux:linux_kernel:4.12.2
CVSS
Base: 7.2
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3629.NASL
    description Description of changes: [4.1.12-103.7.3.el7uek] - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Tim Tianyang Chen) [Orabug: 26943541] {CVE-2017-7541} [4.1.12-103.7.2.el7uek] - rebuild bumping release
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 103765
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103765
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3629)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930.NASL
    description From Red Hat Security Advisory 2017:2930 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 104001
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104001
    title Oracle Linux 7 : kernel (ELSA-2017-2930)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0174.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 105248
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105248
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-067.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-17
    plugin id 102205
    published 2017-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102205
    title Virtuozzo 7 : readykernel-patch (VZA-2017-067)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2920-1.NASL
    description The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306). - CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268). - CVE-2016-9604: The handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings, was fixed (bsc#1035576) - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593). - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bnc#1035877). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 104374
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104374
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2908-1.NASL
    description The SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents might have been disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (could happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) could overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). The following new features were implemented : - the r8152 network driver was updated to support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (fate#321482) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 104271
    published 2017-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104271
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2908-1) (KRACK) (Stack Clash)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-39B5FACDA0.NASL
    description The 4.11.12 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-02-01
    plugin id 101992
    published 2017-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101992
    title Fedora 25 : kernel (2017-39b5facda0)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3419-1.NASL
    description It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 103321
    published 2017-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103321
    title Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3419-1) (BlueBorne)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-891.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.79 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bnc#1049483). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). The following non-security bugs were fixed : - acpi / processor: Avoid reserving IO regions too early (bsc#1051478). - af_key: Add lock to key dump (bsc#1047653). - af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354). - alsa: fm801: Initialize chip after IRQ handler is registered (bsc#1031717). - alsa: hda - Fix endless loop of codec configure (bsc#1031717). - alsa: hda - set input_path bitmap to zero after moving it to new place (bsc#1031717). - b43: Add missing MODULE_FIRMWARE() (bsc#1037344). - bcache: force trigger gc (bsc#1038078). - bcache: only recovery I/O error for writethrough mode (bsc#1043652). - bdi: Fix use-after-free in wb_congested_put() (bsc#1040307). - blacklist 2400fd822f46 powerpc/asm: Mark cr0 as clobbered in mftb() - blacklist.conf : - blacklist.conf: 1151f838cb62 is high-risk and we're not aware of any systems that might need it in SP2. - blacklist.conf: 8b8642af15ed not a supported driver - blacklist.conf: 9eeacd3a2f17 not a bug fix (bnc#1050061) - blacklist.conf: add inapplicable commits for wifi (bsc#1031717) - blacklist.conf: add unapplicable/cosmetic iwlwifi fixes (bsc#1031717). - blacklist.conf: add unapplicable drm fixes (bsc#1031717). - blacklist.conf: Blacklist 4e201566402c ('genirq/msi: Drop artificial PCI dependency') (bsc#1051478) This commit just removes an include and does not fix a real issue. - blacklist.conf: blacklist 7b73305160f1, unneeded cleanup - blacklist.conf: Blacklist aa2369f11ff7 ('mm/gup.c: fix access_ok() argument type') (bsc#1051478) Fixes only a compile-warning. - blacklist.conf: Blacklist c133c7615751 ('x86/nmi: Fix timeout test in test_nmi_ipi()') It only fixes a self-test (bsc#1051478). - blacklist.conf: Blacklist c9525a3fab63 ('x86/watchdog: Fix Kconfig help text file path reference to lockup watchdog documentation') Updates only kconfig help-text (bsc#1051478). - blacklist.conf: Blacklist e80e7edc55ba ('PCI/MSI: Initialize MSI capability for all architectures') This only fixes machines not supported by our kernels. - blacklist.conf: build time cleanup our kernel compiles. No need to shut up warnings nobody looks at - blacklist.conf: cleanup, no bugs fixed - blacklist.conf: cxgb4 commit does not fit for SP2 - blacklist.conf: da0510c47519fe0999cffe316e1d370e29f952be # FRV not applicable to SLE - blacklist.conf: Do not need 55d728a40d36, we do it differently in SLE - blacklist.conf: kABI breakage This touches struct device. - blacklist.conf: lp8788 is not compiled - blacklist.conf: unneeded Fixing debug statements on BE systems for IrDA - blkfront: add uevent for size change (bnc#1036632). - block: Allow bdi re-registration (bsc#1040307). - block: Fix front merge check (bsc#1051239). - block: Make del_gendisk() safer for disks without queues (bsc#1040307). - block: Move bdi_unregister() to del_gendisk() (bsc#1040307). - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain (bsc#1031717). - btrfs: add cond_resched to btrfs_qgroup_trace_leaf_items (bsc#1028286). - btrfs: Add WARN_ON for qgroup reserved underflow (bsc#1031515). - btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - btrfs: fix lockup in find_free_extent with read-only block groups (bsc#1046682). - btrfs: incremental send, fix invalid path for link commands (bsc#1051479). - btrfs: incremental send, fix invalid path for unlink commands (bsc#1051479). - btrfs: resume qgroup rescan on rw remount (bsc#1047152). - btrfs: send, fix invalid path after renaming and linking file (bsc#1051479). - cpuidle: dt: Add missing 'of_node_put()' (bnc#1022476). - crypto: s5p-sss - fix incorrect usage of scatterlists api (bsc#1048317). - cx82310_eth: use skb_cow_head() to deal with cloned skbs (bsc# 1045154). - cxl: Unlock on error in probe (bsc#1034762, Pending SUSE Kernel Fixes). - dentry name snapshots (bsc#1049483). - dm: fix second blk_delay_queue() parameter to be in msec units not (bsc#1047670). - drivers: hv: Fix the bug in generating the guest ID (fate#320485). - drivers: hv: util: Fix a typo (fate#320485). - drivers: hv: vmbus: Get the current time from the current clocksource (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693). - drivers: hv: vmbus: Increase the time between retries in vmbus_post_msg() (fate#320485, bnc#1044112). - drivers: hv: vmbus: Move the code to signal end of message (fate#320485). - drivers: hv: vmbus: Move the definition of generate_guest_id() (fate#320485). - drivers: hv: vmbus: Move the definition of hv_x64_msr_hypercall_contents (fate#320485). - drivers: hv: vmbus: Restructure the clockevents code (fate#320485). - drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions (bsc#1031717). - drm/bochs: Implement nomodeset (bsc#1047096). - drm/i915/fbdev: Stop repeating tile configuration on stagnation (bsc#1031717). - drm/i915: Fix scaler init during CRTC HW state readout (bsc#1031717). - drm/virtio: do not leak bo on drm_gem_object_init failure (bsc#1047277). - drm/vmwgfx: Fix large topology crash (bsc#1048155). - drm/vmwgfx: Support topology greater than texture size (bsc#1048155). - drop patches; obsoleted by 'scsi: Add STARGET_CREATE_REMOVE state' - efi/libstub: Skip GOP with PIXEL_BLT_ONLY format (bnc#974215). - ext2: Do not clear SGID when inheriting ACLs (bsc#1030552). - ext4: avoid unnecessary stalls in ext4_evict_inode() (bsc#1049486). - ext4: Do not clear SGID when inheriting ACLs (bsc#1030552). - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors (bsc#1012829). - Fix kABI breakage by KVM CVE fix (bsc#1045922). - fs/fcntl: f_setown, avoid undefined behaviour (bnc#1006180). - gcov: add support for gcc version >= 6 (bsc#1051663). - gcov: support GCC 7.1 (bsc#1051663). - gfs2: fix flock panic issue (bsc#1012829). - hrtimer: Catch invalid clockids again (bsc#1047651). - hrtimer: Revert CLOCK_MONOTONIC_RAW support (bsc#1047651). - hv_utils: drop .getcrosststamp() support from PTP driver (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693). - hv_utils: fix TimeSync work on pre-TimeSync-v4 hosts (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693). - hv_util: switch to using timespec64 (fate#320485). - i2c: designware-baytrail: fix potential NULL pointer dereference on dev (bsc#1011913). - i40e: add hw struct local variable (bsc#1039915). - i40e: add private flag to control source pruning (bsc#1034075). - i40e: add VSI info to macaddr messages (bsc#1039915). - i40e: avoid looping to check whether we're in VLAN mode (bsc#1039915). - i40e: avoid O(n^2) loop when deleting all filters (bsc#1039915). - i40e: delete filter after adding its replacement when converting (bsc#1039915). - i40e: do not add broadcast filter for VFs (bsc#1039915). - i40e: do not allow i40e_vsi_(add|kill)_vlan to operate when VID<1 (bsc#1039915). - i40e: drop is_vf and is_netdev fields in struct i40e_mac_filter (bsc#1039915). - i40e: enable VSI broadcast promiscuous mode instead of adding broadcast filter (bsc#1039915). - i40e: factor out addition/deletion of VLAN per each MAC address (bsc#1039915). - i40e: fix MAC filters when removing VLANs (bsc#1039915). - i40e: fold the i40e_is_vsi_in_vlan check into i40e_put_mac_in_vlan (bsc#1039915). - i40e: implement __i40e_del_filter and use where applicable (bsc#1039915). - i40e: make use of __dev_uc_sync and __dev_mc_sync (bsc#1039915). - i40e: move all updates for VLAN mode into i40e_sync_vsi_filters (bsc#1039915). - i40e: move i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915). - i40e: no need to check is_vsi_in_vlan before calling i40e_del_mac_all_vlan (bsc#1039915). - i40e: properly cleanup on allocation failure in i40e_sync_vsi_filters (bsc#1039915). - i40e: recalculate vsi->active_filters from hash contents (bsc#1039915). - i40e: refactor i40e_put_mac_in_vlan to avoid changing f->vlan (bsc#1039915). - i40e: refactor i40e_update_filter_state to avoid passing aq_err (bsc#1039915). - i40e: refactor Rx filter handling (bsc#1039915). - i40e: Removal of workaround for simple MAC address filter deletion (bsc#1039915). - i40e: remove code to handle dev_addr specially (bsc#1039915). - i40e: removed unreachable code (bsc#1039915). - i40e: remove duplicate add/delete adminq command code for filters (bsc#1039915). - i40e: remove second check of VLAN_N_VID in i40e_vlan_rx_add_vid (bsc#1039915). - i40e: rename i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915). - i40e: restore workaround for removing default MAC filter (bsc#1039915). - i40e: set broadcast promiscuous mode for each active VLAN (bsc#1039915). - i40e: store MAC/VLAN filters in a hash with the MAC Address as key (bsc#1039915). - i40e: use (add|rm)_vlan_all_mac helper functions when changing PVID (bsc#1039915). - i40e: when adding or removing MAC filters, correctly handle VLANs (bsc#1039915). - i40e: When searching all MAC/VLAN filters, ignore removed filters (bsc#1039915). - i40e: write HENA for VFs (bsc#1039915). - iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value (bsc#1031717). - Input: gpio-keys - fix check for disabling unsupported keys (bsc#1031717). - introduce the walk_process_tree() helper (bnc#1022476). - ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (bsc#1041958). - ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (bsc#1041958). - iwlwifi: mvm: compare full command ID (FATE#321353, FATE#323335). - iwlwifi: mvm: reset the fw_dump_desc pointer after ASSERT (bsc#1031717). - iwlwifi: mvm: synchronize firmware DMA paging memory (FATE#321353, FATE#323335). - iwlwifi: mvm: unconditionally stop device after init (bsc#1031717). - iwlwifi: mvm: unmap the paging memory before freeing it (FATE#321353, FATE#323335). - iwlwifi: pcie: fix command completion name debug (bsc#1031717). - kABI-fix for 'x86/panic: replace smp_send_stop() with kdump friendly version in panic path' (bsc#1051478). - kABI: protect lwtunnel include in ip6_route.h (kabi). - kABI: protect struct iscsi_tpg_attrib (kabi). - kABI: protect struct tpm_chip (kabi). - kABI: protect struct xfrm_dst (kabi). - kABI: protect struct xfrm_dst (kabi). - kvm: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (bsc#1051478). - kvm: nVMX: Fix nested_vmx_check_msr_bitmap_controls (bsc#1051478). - kvm: nVMX: Fix nested VPID vmx exec control (bsc#1051478). - kvm: x86: avoid simultaneous queueing of both IRQ and SMI (bsc#1051478). - mac80211_hwsim: Replace bogus hrtimer clockid (bsc#1047651). - md: fix sleep in atomic (bsc#1040351). - mm: adaptive hash table scaling (bnc#1036303). - mm-adaptive-hash-table-scaling-v5 (bnc#1036303). - mm: call page_ext_init() after all struct pages are initialized (VM Debugging Functionality, bsc#1047048). - mm: drop HASH_ADAPT (bnc#1036303). - mm: fix classzone_idx underflow in shrink_zones() (VM Functionality, bsc#1042314). - mm: make PR_SET_THP_DISABLE immediately active (bnc#1048891). - More Git-commit header fixups No functional change intended. - mwifiex: do not update MCS set from hostapd (bsc#1031717). - net: account for current skb length when deciding about UFO (bsc#1041958). - net: ena: add hardware hints capability to the driver (bsc#1047121). - net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121). - net: ena: add missing unmap bars on device removal (bsc#1047121). - net: ena: add reset reason for each device FLR (bsc#1047121). - net: ena: add support for out of order rx buffers refill (bsc#1047121). - net: ena: allow the driver to work with small number of msix vectors (bsc#1047121). - net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121). - net: ena: change return value for unsupported features unsupported return value (bsc#1047121). - net: ena: change sizeof() argument to be the type pointer (bsc#1047121). - net: ena: disable admin msix while working in polling mode (bsc#1047121). - net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121). - net: ena: fix race condition between submit and completion admin command (bsc#1047121). - net: ena: fix rare uncompleted admin command false alarm (bsc#1047121). - net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121). - net: ena: separate skb allocation to dedicated function (bsc#1047121). - net: ena: update driver's rx drop statistics (bsc#1047121). - net: ena: update ena driver to version 1.1.7 (bsc#1047121). - net: ena: update ena driver to version 1.2.0 (bsc#1047121). - net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121). - net: ena: use napi_schedule_irqoff when possible (bsc#1047121). - net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() (bsc#1042286). - net/mlx5: Fix driver load error flow when firmware is stuck (git-fixes). - net: phy: Do not perform software reset for Generic PHY (bsc#1042286). - nfs: Cache aggressively when file is open for writing (bsc#1033587). - nfs: Do not flush caches for a getattr that races with writeback (bsc#1033587). - nfs: invalidate file size when taking a lock (git-fixes). - nfs: only invalidate dentrys that are clearly invalid (bsc#1047118). - ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552). - ocfs2: fix deadlock caused by recursive locking in xattr (bsc#1012829). - ocfs2: Make ocfs2_set_acl() static (bsc#1030552). - pci: Add Mellanox device IDs (bsc#1051478). - pci: Convert Mellanox broken INTx quirks to be for listed devices only (bsc#1051478). - pci: Correct PCI_STD_RESOURCE_END usage (bsc#1051478). - pci: dwc: dra7xx: Use RW1C for IRQSTATUS_MSI and IRQSTATUS_MAIN (bsc#1051478). - pci: dwc: Fix uninitialized variable in dw_handle_msi_irq() (bsc#1051478). - pci: Enable ECRC only if device supports it (bsc#1051478). - PCI / PM: Fix native PME handling during system suspend/resume (bsc#1051478). - pci: Support INTx masking on ConnectX-4 with firmware x.14.1100+ (bsc#1051478). - perf/x86: Fix spurious NMI with PEBS Load Latency event (bsc#1051478). - perf/x86/intel: Cure bogus unwind from PEBS entries (bsc#1051478). - perf/x86/intel: Fix PEBSv3 record drain (bsc#1051478). - platform/x86: ideapad-laptop: Add IdeaPad 310-15IKB to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add IdeaPad V310-15ISK to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add IdeaPad V510-15IKB to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add Lenovo Yoga 910-13IKB to no_hw_rfkill dmi list (bsc#1051022). - platform/x86: ideapad-laptop: Add several models to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add Y520-15IKBN to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add Y700 15-ACZ to no_hw_rfkill DMI list (bsc#1051022). - platform/x86: ideapad-laptop: Add Y720-15IKBN to no_hw_rfkill (bsc#1051022). - Pm / Hibernate: Fix scheduling while atomic during hibernation (bsc#1051059). - prctl: propagate has_child_subreaper flag to every descendant (bnc#1022476). - README.BRANCH: Add Oliver as openSUSE-42.2 branch co-maintainer - Refresh patches.kabi/Fix-kABI-breakage-by-KVM-CVE-fix.patch. Fix a stupid bug where the VCPU_REGS_TF shift was used as a mask. - reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - Revert 'ACPI / video: Add force_native quirk for HP Pavilion dv6' (bsc#1031717). - Revert 'Add 'shutdown' to 'struct class'.' (kabi). - Revert 'kvm: x86: fix emulation of RSM and IRET instructions' (kabi). - Revert 'mm/list_lru.c: fix list_lru_count_node() to be race free' (kabi). - Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914). - Revert 'tpm: Issue a TPM2_Shutdown for TPM2 devices.' (kabi). - rpm/kernel-binary.spec.in: find-debuginfo.sh should not touch build-id This needs rpm-4.14+ (bsc#964063). - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used (bnc#1022476). - sched/debug: Print the scheduler topology group mask (bnc#1022476). - sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1022476). - sched/fair: Fix O(nr_cgroups) in load balance path (bnc#1022476). - sched/fair: Use task_groups instead of leaf_cfs_rq_list to walk all cfs_rqs (bnc#1022476). - sched/topology: Add sched_group_capacity debugging (bnc#1022476). - sched/topology: Fix building of overlapping sched-groups (bnc#1022476). - sched/topology: Fix overlapping sched_group_capacity (bnc#1022476). - sched/topology: Move comment about asymmetric node setups (bnc#1022476). - sched/topology: Refactor function build_overlap_sched_groups() (bnc#1022476). - sched/topology: Remove FORCE_SD_OVERLAP (bnc#1022476). - sched/topology: Simplify build_overlap_sched_groups() (bnc#1022476). - sched/topology: Small cleanup (bnc#1022476). - sched/topology: Verify the first group matches the child domain (bnc#1022476). - scsi: Add STARGET_CREATE_REMOVE state to scsi_target_state (bsc#1013887). - scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221). - scsi: kABI fix for new state STARGET_CREATED_REMOVE (bsc#1013887). - scsi: storvsc: Workaround for virtual DVD SCSI version (fate#320485, bnc#1044636). - smsc75xx: use skb_cow_head() to deal with cloned skbs (bsc#1045154). - sr9700: use skb_cow_head() to deal with cloned skbs (bsc#1045154). - sysctl: do not print negative flag for proc_douintvec (bnc#1046985). - timers: Plug locking race vs. timer migration (bnc#1022476). - udf: Fix deadlock between writeback and udf_setsize() (bsc#1012829). - udf: Fix races with i_size changes during readpage (bsc#1012829). - x86/LDT: Print the real LDT base address (bsc#1051478). - x86/mce: Make timer handling more robust (bsc#1042422). - x86/panic: replace smp_send_stop() with kdump friendly version in panic path (bsc#1051478). - xen: allocate page for shared info page from low memory (bnc#1038616). - xen/balloon: do not online new memory initially (bnc#1028173). - xen: hold lock_device_hotplug throughout vcpu hotplug operations (bsc#1042422). - xen-netfront: Rework the fix for Rx stall during OOM and network stress (git-fixes). - xen/pvh*: Support > 32 VCPUs at domain restore (bnc#1045563). - xfrm: NULL dereference on allocation failure (bsc#1047343). - xfrm: Oops on error in pfkey_msg2xfrm_state() (bsc#1047653). - xfs: do not BUG() on mixed direct and mapped I/O (bsc#1050188). - xfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
    last seen 2018-09-01
    modified 2018-01-26
    plugin id 102333
    published 2017-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102333
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-891)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2930-1.NASL
    description Description of changes: - [3.10.0-693.5.2.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko at oracle.com) - Update x509.genkey [bug 24817676] [3.10.0-693.5.2.el7] - [mm] page_cgroup: Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] - Revert: [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] [3.10.0-693.5.1.el7] - [netdrv] i40e: point wb_desc at the nvm_wb_desc during i40e_read_nvm_aq (Stefan Assmann) [1491972 1484232] - [netdrv] i40e: avoid NVM acquire deadlock during NVM update (Stefan Assmann) [1491972 1484232] - [mm] Fix Kernel bug during boot with memory cgroups enabled (Larry Woodman) [1491970 1483747] - [fs] nfsv4: Ensure we don't re-test revoked and freed stateids (Dave Wysochanski) [1491969 1459733] - [netdrv] bonding: commit link status change after propose (Jarod Wilson) [1491121 1469790] - [mm] page_alloc: ratelimit PFNs busy info message (Jonathan Toppins) [1491120 1383179] - [netdrv] cxgb4: avoid crash on PCI error recovery path (Gustavo Duarte) [1489872 1456990] - [scsi] Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan Milne) [1489814 1468727] - [net] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Davide Caratti) [1488341 1487061] {CVE-2017-14106} - [net] tcp: fix 0 divide in __tcp_select_window() (Davide Caratti) [1488341 1487061] {CVE-2017-14106} - [net] sctp: Avoid out-of-bounds reads from address storage (Stefano Brivio) [1484356 1484355] {CVE-2017-7558} - [net] udp: consistently apply ufo or fragmentation (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] udp: account for current skb length when deciding about UFO (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (Davide Caratti) [1481530 1481535] {CVE-2017-1000112} - [net] udp: avoid ufo handling on IP payload compression packets (Stefano Brivio) [1490263 1464161] - [pci] hv: Use vPCI protocol version 1.2 (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Add vPCI version protocol negotiation (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Use page allocation for hbus structure (Vitaly Kuznetsov) [1478256 1459202] - [pci] hv: Fix comment formatting and use proper integer fields (Vitaly Kuznetsov) [1478256 1459202] - [net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (Stefano Brivio) [1477007 1477010] {CVE-2017-7542} - [net] ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [1477007 1477010] {CVE-2017-7542} - [net] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184} - [net] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Hannes Frederic Sowa) [1435672 1435670] {CVE-2017-7184} - [net] l2cap: prevent stack overflow on incoming bluetooth packet (Neil Horman) [1489788 1489789] {CVE-2017-1000251} [3.10.0-693.4.1.el7] - [fs] nfsv4: Add missing nfs_put_lock_context() (Benjamin Coddington) [1487271 1476826] - [fs] nfs: discard nfs_lockowner structure (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: change nfs4_select_rw_stateid to take a lock_context inplace of lock_owner (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (Benjamin Coddington) [1487271 1476826] - [fs] nfsv4: add flock_owner to open context (Benjamin Coddington) [1487271 1476826] - [fs] nfs: remove l_pid field from nfs_lockowner (Benjamin Coddington) [1487271 1476826] - [x86] platform/uv/bau: Disable BAU on single hub configurations (Frank Ramsay) [1487159 1487160 1472455 1473353] - [x86] platform/uv/bau: Fix congested_response_us not taking effect (Frank Ramsay) [1487159 1472455] - [fs] cifs: Disable encryption capability for RHEL 7.4 kernel (Sachin Prabhu) [1485445 1485445] - [fs] sunrpc: Handle EADDRNOTAVAIL on connection failures (Dave Wysochanski) [1484269 1479043] - [fs] include/linux/printk.h: include pr_fmt in pr_debug_ratelimited (Sachin Prabhu) [1484267 1472823] - [fs] printk: pr_debug_ratelimited: check state first to reduce 'callbacks suppressed' messages (Sachin Prabhu) [1484267 1472823] - [net] packet: fix tp_reserve race in packet_set_ring (Stefano Brivio) [1481938 1481940] {CVE-2017-1000111} - [fs] proc: revert /proc//maps [stack:TID] annotation (Waiman Long) [1481724 1448534] - [net] ping: check minimum size on ICMP header length (Matteo Croce) [1481578 1481573] {CVE-2016-8399} - [ipc] mqueue: fix a use-after-free in sys_mq_notify() (Davide Caratti) [1476128 1476126] {CVE-2017-11176} - [netdrv] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Stanislaw Gruszka) [1474778 1474784] {CVE-2017-7541} [3.10.0-693.3.1.el7] - [block] blk-mq-tag: fix wakeup hang after tag resize (Ming Lei) [1487281 1472434]
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 104088
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104088
    title Oracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3405-2.NASL
    description USN-3405-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176) Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information. (CVE-2017-7495) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541) It was discovered that the Linux kernel did not honor the UEFI secure boot mode when performing a kexec operation. A local attacker could use this to bypass secure boot restrictions. (CVE-2015-7837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 102819
    published 2017-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102819
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3405-2)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171006_KERNEL_ON_SL6_X.NASL
    description Security Fix(es) : - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) Bug Fix(es) : - Previously, removal of a rport during ISCSI target scanning could cause a kernel panic. This was happening because addition of STARGET_REMOVE to the rport state introduced a race condition to the SCSI code. This update adds the STARGET_CREATED_REMOVE state as a possible state of the rport and appropriate handling of that state, thus fixing the bug. As a result, the kernel panic no longer occurs under the described circumstances. - Previously, GFS2 contained multiple bugs where the wrong inode was assigned to GFS2 cluster-wide locks (glocks), or the assigned inode was cleared incorrectly. Consequently, kernel panic could occur when using GFS2. With this update, GFS2 has been fixed, and the kernel no longer panics due to those bugs. - Previously, VMs with memory larger than 64GB running on Hyper-V with Windows Server hosts reported potential memory size of 4TB and more, but could not use more than 64GB. This was happening because the Memory Type Range Register (MTRR) for memory above 64GB was omitted. With this update, the /proc/mtrr file has been fixed to show correct base/size if they are more than 44 bit wide. As a result, the whole size of memory is now available as expected under the described circumstances.
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 103730
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103730
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3927.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-7346 Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service. - CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code. - CVE-2017-7533 Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges. - CVE-2017-7541 A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation. - CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service. - CVE-2017-9605 Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. - CVE-2017-10810 Li Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption). - CVE-2017-10911 / XSA-216 Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests. - CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact. - CVE-2017-1000365 It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 102211
    published 2017-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102211
    title Debian DSA-3927-1 : linux - security update (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2863.NASL
    description From Red Hat Security Advisory 2017:2863 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) Bug Fix(es) : * Previously, removal of a rport during ISCSI target scanning could cause a kernel panic. This was happening because addition of STARGET_REMOVE to the rport state introduced a race condition to the SCSI code. This update adds the STARGET_CREATED_REMOVE state as a possible state of the rport and appropriate handling of that state, thus fixing the bug. As a result, the kernel panic no longer occurs under the described circumstances. (BZ# 1472127) * Previously, GFS2 contained multiple bugs where the wrong inode was assigned to GFS2 cluster-wide locks (glocks), or the assigned inode was cleared incorrectly. Consequently, kernel panic could occur when using GFS2. With this update, GFS2 has been fixed, and the kernel no longer panics due to those bugs. (BZ#1479397) * Previously, VMs with memory larger than 64GB running on Hyper-V with Windows Server hosts reported potential memory size of 4TB and more, but could not use more than 64GB. This was happening because the Memory Type Range Register (MTRR) for memory above 64GB was omitted. With this update, the /proc/mtrr file has been fixed to show correct base/size if they are more than 44 bit wide. As a result, the whole size of memory is now available as expected under the described circumstances. (BZ#1482855)
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 103729
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103729
    title Oracle Linux 6 : kernel (ELSA-2017-2863)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0035.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 109158
    published 2018-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109158
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-890.NASL
    description The openSUSE Leap 42.3 kernel was updated to 4.4.79 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bnc#1049483). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). The following non-security bugs were fixed : - ACPI / processor: Avoid reserving IO regions too early (bsc#1051478). - ALSA: fm801: Initialize chip after IRQ handler is registered (bsc#1031717). - Added sbitmap patch to blacklist.conf Add a patch 'sbitmap: fix wakeup hang after sbq resize' to the blacklist.conf file because it is not needed in SLE 12 SP2. - Btrfs: incremental send, fix invalid path for link commands (bsc#1051479). - Btrfs: incremental send, fix invalid path for unlink commands (bsc#1051479). - Btrfs: send, fix invalid path after renaming and linking file (bsc#1051479). - Delete patches.drivers/0004-iommu-amd-reduce-delay-waiting-for- command-buffer-space. Remove the patch because it caused problems for users. See bsc#1048348. - Drop patches; obsoleted by 'scsi: Add STARGET_CREATE_REMOVE state' - Fix kABI breakage by KVM CVE fix (bsc#1045922). - IB/rxe: Fix kernel panic from skb destructor (bsc#1049361). - KVM: nVMX: Fix nested VPID vmx exec control (bsc#1051478). - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (bsc#1051478). - KVM: x86: avoid simultaneous queueing of both IRQ and SMI (bsc#1051478). - NFS: Cache aggressively when file is open for writing (bsc#1033587). - NFS: Do not flush caches for a getattr that races with writeback (bsc#1033587). - NFS: invalidate file size when taking a lock (git-fixes). - PCI / PM: Fix native PME handling during system suspend/resume (bsc#1051478). - PCI: Add Mellanox device IDs (bsc#1051478). - PCI: Convert Mellanox broken INTx quirks to be for listed devices only (bsc#1051478). - PCI: Correct PCI_STD_RESOURCE_END usage (bsc#1051478). - PCI: Enable ECRC only if device supports it (bsc#1051478). - PCI: Support INTx masking on ConnectX-4 with firmware x.14.1100+ (bsc#1051478). - PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq() (bsc#1051478). - PCI: dwc: dra7xx: Use RW1C for IRQSTATUS_MSI and IRQSTATUS_MAIN (bsc#1051478). - PM / Hibernate: Fix scheduling while atomic during hibernation (bsc#1051059). - RDMA/qedr: Prevent memory overrun in verbs' user responses (bsc#1022604 FATE#321747). - README.BRANCH: Add Oliver as openSUSE-42.3 branch co-maintainer - Refresh patches.kabi/Fix-kABI-breakage-by-KVM-CVE-fix.patch. Fix a stupid bug where the VCPU_REGS_TF shift was used as a mask. - Revert 'Add 'shutdown' to 'struct class'.' (kabi). - Revert 'mm/list_lru.c: fix list_lru_count_node() to be race free' (kabi). - Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914). - Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914). - Revert 'tpm: Issue a TPM2_Shutdown for TPM2 devices.' (kabi). - Update patches.drivers/0011-hpsa-remove-abort-handler.patch (bsc#1022600 fate#321928 bsc#1016119). - Update patches.fixes/xfs-refactor-log-record-unpack-and-data-pr ocessing.patch (bsc#1043598, bsc#1036215). - apply mainline tags to some hyperv patches - arm64: kernel: restrict /dev/mem read() calls to linear region (bsc#1046651).++ kernel-source.spec (revision 3)%define patchversion 4.4.79Version: 4.4.79Release: .g4dc78e3 - arm64: mm: remove page_mapping check in __sync_icache_dcache (bsc#1040347). - blacklist 2400fd822f46 powerpc/asm: Mark cr0 as clobbered in mftb() - blacklist.conf: 9eeacd3a2f17 not a bug fix (bnc#1050061) - blacklist.conf: Blacklist 4e201566402c ('genirq/msi: Drop artificial PCI dependency') (bsc#1051478) This commit just removes an include and does not fix a real issue. - blacklist.conf: Blacklist aa2369f11ff7 ('mm/gup.c: fix access_ok() argument type') (bsc#1051478) Fixes only a compile-warning. - blacklist.conf: Blacklist c133c7615751 ('x86/nmi: Fix timeout test in test_nmi_ipi()') It only fixes a self-test (bsc#1051478). - blacklist.conf: Blacklist c9525a3fab63 ('x86/watchdog: Fix Kconfig help text file path reference to lockup watchdog documentation') Updates only kconfig help-text (bsc#1051478). - blacklist.conf: Blacklist e80e7edc55ba ('PCI/MSI: Initialize MSI capability for all architectures') This only fixes machines not supported by our kernels. - blacklist.conf: Do not need 55d728a40d36, we do it differently in SLE - blacklist.conf: add inapplicable commits for wifi (bsc#1031717) - blacklist.conf: blacklist 7b73305160f1, unneeded cleanup - blacklist.conf: da0510c47519fe0999cffe316e1d370e29f952be # FRV not applicable to SLE - blkfront: add uevent for size change (bnc#1036632). - block: Fix front merge check (bsc#1051239). - brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain (bsc#1031717). - btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - btrfs: add cond_resched to btrfs_qgroup_trace_leaf_items (bsc#1028286). - btrfs: fix lockup in find_free_extent with read-only block groups (bsc#1046682). - cpuidle: dt: Add missing 'of_node_put()' (bnc#1022476). - cxgb4: fix BUG() on interrupt deallocating path of ULD (bsc#1005778). - cxgb4: fix a NULL dereference (bsc#1005778). - cxgb4: fix memory leak in init_one() (bsc#1005778). - dentry name snapshots (bsc#1049483). - device-dax: fix sysfs attribute deadlock (bsc#1048919). - drm/i915: Fix scaler init during CRTC HW state readout (bsc#1031717). - drm/vmwgfx: Fix large topology crash (bsc#1048155). - drm/vmwgfx: Support topology greater than texture size (bsc#1048155). - efi/libstub: Skip GOP with PIXEL_BLT_ONLY format (bnc#974215). - ext2: Do not clear SGID when inheriting ACLs (bsc#1030552). - ext4: Do not clear SGID when inheriting ACLs (bsc#1030552). - ext4: avoid unnecessary stalls in ext4_evict_inode() (bsc#1049486). - ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors (bsc#1012829). - gcov: add support for gcc version >= 6 (bsc#1051663). - gcov: support GCC 7.1 (bsc#1051663). - gfs2: fix flock panic issue (bsc#1012829). - hv: print extra debug in kvp_on_msg in error paths (bnc#1039153). - hv_netvsc: Exclude non-TCP port numbers from vRSS hashing (bsc#1048421). - hv_netvsc: Fix the queue index computation in forwarding case (bsc#1048421). - i2c: designware-baytrail: fix potential NULL pointer dereference on dev (bsc#1011913). - introduce the walk_process_tree() helper (bnc#1022476). - iommu/amd: Fix interrupt remapping when disable guest_mode (bsc#1051471). - iwlwifi: mvm: reset the fw_dump_desc pointer after ASSERT (bsc#1031717). - iwlwifi: mvm: unconditionally stop device after init (bsc#1031717). - iwlwifi: pcie: fix command completion name debug (bsc#1031717). - kABI-fix for 'x86/panic: replace smp_send_stop() with kdump friendly version in panic path' (bsc#1051478). - kABI: protect lwtunnel include in ip6_route.h (kabi). - kABI: protect struct iscsi_tpg_attrib (kabi). - kABI: protect struct tpm_chip (kabi). - kABI: protect struct xfrm_dst (kabi). - kvm: nVMX: Fix nested_vmx_check_msr_bitmap_controls (bsc#1051478). - libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1048919). - libnvdimm, region: fix flush hint detection crash (bsc#1048919). - libnvdimm: fix badblock range handling of ARS range (bsc#1051048). - lightnvm: fix 'warning: ‘ret’ may be used uninitialized' (FATE#319466). - md-cluster: Fix a memleak in an error handling path (bsc#1049289). - mm: make PR_SET_THP_DISABLE immediately active (bnc#1048891). - mwifiex: do not update MCS set from hostapd (bsc#1031717). - net/ena: switch to pci_alloc_irq_vectors (bsc#1047121). - net: ena: add hardware hints capability to the driver (bsc#1047121). - net: ena: add hardware hints capability to the driver (bsc#1047121). - net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121). - net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121). - net: ena: add missing unmap bars on device removal (bsc#1047121). - net: ena: add missing unmap bars on device removal (bsc#1047121). - net: ena: add reset reason for each device FLR (bsc#1047121). - net: ena: add reset reason for each device FLR (bsc#1047121). - net: ena: add support for out of order rx buffers refill (bsc#1047121). - net: ena: add support for out of order rx buffers refill (bsc#1047121). - net: ena: allow the driver to work with small number of msix vectors (bsc#1047121). - net: ena: allow the driver to work with small number of msix vectors (bsc#1047121). - net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121). - net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121). - net: ena: change return value for unsupported features unsupported return value (bsc#1047121). - net: ena: change return value for unsupported features unsupported return value (bsc#1047121). - net: ena: change sizeof() argument to be the type pointer (bsc#1047121). - net: ena: change sizeof() argument to be the type pointer (bsc#1047121). - net: ena: disable admin msix while working in polling mode (bsc#1047121). - net: ena: disable admin msix while working in polling mode (bsc#1047121). - net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121). - net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121). - net: ena: fix race condition between submit and completion admin command (bsc#1047121). - net: ena: fix race condition between submit and completion admin command (bsc#1047121). - net: ena: fix rare uncompleted admin command false alarm (bsc#1047121). - net: ena: fix rare uncompleted admin command false alarm (bsc#1047121). - net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121). - net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121). - net: ena: separate skb allocation to dedicated function (bsc#1047121). - net: ena: separate skb allocation to dedicated function (bsc#1047121). - net: ena: update driver's rx drop statistics (bsc#1047121). - net: ena: update driver's rx drop statistics (bsc#1047121). - net: ena: update ena driver to version 1.1.7 (bsc#1047121). - net: ena: update ena driver to version 1.1.7 (bsc#1047121). - net: ena: update ena driver to version 1.2.0 (bsc#1047121). - net: ena: update ena driver to version 1.2.0 (bsc#1047121). - net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121). - net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121). - net: ena: use napi_schedule_irqoff when possible (bsc#1047121). - net: ena: use napi_schedule_irqoff when possible (bsc#1047121). - net: hns: Bugfix for Tx timeout handling in hns driver (bsc#1048451). - net: phy: Do not perform software reset for Generic PHY (bsc#1042286). - nvme: also provide a UUID in the WWID sysfs attribute (bsc#1048146). - nvme: wwid_show: strip trailing 0-bytes (bsc#1048146). - nvmet: identify controller: improve standard compliance (bsc#1048146). - ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552). - ocfs2: Make ocfs2_set_acl() static (bsc#1030552). - ocfs2: fix deadlock caused by recursive locking in xattr (bsc#1012829). - perf/x86/intel: Cure bogus unwind from PEBS entries (bsc#1051478). - perf/x86/intel: Fix PEBSv3 record drain (bsc#1051478). - perf/x86: Fix spurious NMI with PEBS Load Latency event (bsc#1051478). - platform/x86: ideapad-laptop: Add IdeaPad 310-15IKB to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add IdeaPad V310-15ISK to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add IdeaPad V510-15IKB to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add Lenovo Yoga 910-13IKB to no_hw_rfkill dmi list (bsc#1051022). - platform/x86: ideapad-laptop: Add Y520-15IKBN to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add Y700 15-ACZ to no_hw_rfkill DMI list (bsc#1051022). - platform/x86: ideapad-laptop: Add Y720-15IKBN to no_hw_rfkill (bsc#1051022). - platform/x86: ideapad-laptop: Add several models to no_hw_rfkill (bsc#1051022). - powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used (bsc#1049231). - powerpc: Add POWER9 architected mode to cputable (bsc#1048916, fate#321439). - powerpc: Support POWER9 in architected mode (bsc#1048916, fate#321439). - prctl: propagate has_child_subreaper flag to every descendant (bnc#1022476). - qed: Add missing static/local dcbx info (bsc#1019695). - qed: Correct print in iscsi error-flow (bsc#1019695). - reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - reorder upstream commit d0c2c9973ecd net: use core MTU range checking in virt drivers - rpm/kernel-binary.spec.in: find-debuginfo.sh should not touch build-id This needs rpm-4.14+ (bsc#964063). - s390/crash: Remove unused KEXEC_NOTE_BYTES (bsc#1049706). - s390/kdump: remove code to create ELF notes in the crashed system (bsc#1049706). - sched/core: Allow __sched_setscheduler() in interrupts when PI is not used (bnc#1022476). - sched/debug: Print the scheduler topology group mask (bnc#1022476). - sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1022476). - sched/fair: Fix O(nr_cgroups) in load balance path (bnc#1022476). - sched/fair: Use task_groups instead of leaf_cfs_rq_list to walk all cfs_rqs (bnc#1022476). - sched/topology: Add sched_group_capacity debugging (bnc#1022476). - sched/topology: Fix building of overlapping sched-groups (bnc#1022476). - sched/topology: Fix overlapping sched_group_capacity (bnc#1022476). - sched/topology: Move comment about asymmetric node setups (bnc#1022476). - sched/topology: Refactor function build_overlap_sched_groups() (bnc#1022476). - sched/topology: Remove FORCE_SD_OVERLAP (bnc#1022476). - sched/topology: Simplify build_overlap_sched_groups() (bnc#1022476). - sched/topology: Small cleanup (bnc#1022476). - sched/topology: Verify the first group matches the child domain (bnc#1022476). - scsi: Add STARGET_CREATE_REMOVE state to scsi_target_state (bsc#1013887). - scsi: aacraid: Do not copy uninitialized stack memory to userspace (bsc#1048912). - scsi: aacraid: fix leak of data from stack back to userspace (bsc#1048912). - scsi: kABI fix for new state STARGET_CREATED_REMOVE (bsc#1013887). - scsi: lpfc: Add MDS Diagnostic support (bsc#1037838). - scsi: lpfc: Add auto EQ delay logic (bsc#1042257). - scsi: lpfc: Added recovery logic for running out of NVMET IO context resources (bsc#1037838). - scsi: lpfc: Adding additional stats counters for nvme (bsc#1037838). - scsi: lpfc: Cleanup entry_repost settings on SLI4 queues (bsc#1037838). - scsi: lpfc: Driver responds LS_RJT to Beacon Off ELS - Linux (bsc#1044623). - scsi: lpfc: Fix NMI watchdog assertions when running nvmet IOPS tests (bsc#1037838). - scsi: lpfc: Fix NVME I+T not registering NVME as a supported FC4 type (bsc#1037838). - scsi: lpfc: Fix NVMEI driver not decrementing counter causing bad rport state (bsc#1037838). - scsi: lpfc: Fix NVMEI's handling of NVMET's PRLI response attributes (bsc#1037838). - scsi: lpfc: Fix SLI3 drivers attempting NVME ELS commands (bsc#1044623). - scsi: lpfc: Fix crash after firmware flash when IO is running (bsc#1044623). - scsi: lpfc: Fix crash doing IO with resets (bsc#1044623). - scsi: lpfc: Fix crash in lpfc_sli_ringtxcmpl_put when nvmet gets an abort request (bsc#1044623). - scsi: lpfc: Fix debugfs root inode 'lpfc' not getting deleted on driver unload (bsc#1037838). - scsi: lpfc: Fix defects reported by Coverity Scan (bsc#1042257). - scsi: lpfc: Fix nvme io stoppage after link bounce (bsc#1045404). - scsi: lpfc: Fix nvmet RQ resource needs for large block writes (bsc#1037838). - scsi: lpfc: Fix system crash when port is reset (bsc#1037838). - scsi: lpfc: Fix system panic when express lane enabled (bsc#1044623). - scsi: lpfc: Fix used-RPI accounting problem (bsc#1037838). - scsi: lpfc: Reduce time spent in IRQ for received NVME commands (bsc#1044623). - scsi: lpfc: Separate NVMET RQ buffer posting from IO resources SGL/iocbq/context (bsc#1037838). - scsi: lpfc: Separate NVMET data buffer pool fir ELS/CT (bsc#1037838). - scsi: lpfc: Vport creation is failing with 'Link Down' error (bsc#1044623). - scsi: lpfc: fix refcount error on node list (bsc#1045404). - scsi: lpfc: update to revision to 11.4.0.1 (bsc#1044623). - scsi: lpfc: update version to 11.2.0.14 (bsc#1037838). - scsi: qedf: Fix a return value in case of error in 'qedf_alloc_global_queues' (bsc#1048912). - scsi: qedi: Remove WARN_ON for untracked cleanup (bsc#1044443). - scsi: qedi: Remove WARN_ON from clear task context (bsc#1044443). - sfc: Add ethtool -m support for QSFP modules (bsc#1049619). - string.h: add memcpy_and_pad() (bsc#1048146). - timers: Plug locking race vs. timer migration (bnc#1022476). - udf: Fix deadlock between writeback and udf_setsize() (bsc#1012829). - udf: Fix races with i_size changes during readpage (bsc#1012829). - x86/LDT: Print the real LDT base address (bsc#1051478). - x86/mce: Make timer handling more robust (bsc#1042422). - x86/panic: replace smp_send_stop() with kdump friendly version in panic path (bsc#1051478). - x86/platform/uv/BAU: Disable BAU on single hub configurations (bsc#1050320). - x86/platform/uv/BAU: Fix congested_response_us not taking effect (bsc#1050322). - xen/pvh*: Support > 32 VCPUs at domain restore (bnc#1045563). - xen: hold lock_device_hotplug throughout vcpu hotplug operations (bsc#1042422). - xfs: Do not clear SGID when inheriting ACLs (bsc#1030552). - xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598). - xfs: detect and trim torn writes during log recovery (bsc#1036215). - xfs: do not BUG() on mixed direct and mapped I/O (bsc#1050188). - xfs: refactor and open code log record crc check (bsc#1036215). - xfs: refactor log record start detection into a new helper (bsc#1036215). - xfs: return start block of first bad log record during recovery (bsc#1036215). - xfs: support a crc verification only log record pass (bsc#1036215). - xgene: Do not fail probe, if there is no clk resource for SGMII interfaces (bsc#1048501).
    last seen 2018-09-01
    modified 2018-01-26
    plugin id 102332
    published 2017-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102332
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-890)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3422-1.NASL
    description It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251) It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044) Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200) Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097) Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650) Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084) It was discovered that an information leak existed in __get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178) CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191) It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754) Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970) Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214) It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346) It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6951) Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7187) Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-06
    plugin id 103326
    published 2017-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103326
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3945.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2014-9940 A use-after-free flaw in the voltage and current regulator driver could allow a local user to cause a denial of service or potentially escalate privileges. - CVE-2017-7346 Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service. - CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code. - CVE-2017-7533 Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges. - CVE-2017-7541 A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation. - CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service. - CVE-2017-7889 Tommi Rantala and Brad Spengler reported that the mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, allowing a local attacker with access to /dev/mem to obtain sensitive information or potentially execute arbitrary code. - CVE-2017-9605 Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. - CVE-2017-10911 / XSA-216 Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests. - CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a userspace close of a Netlink socket to cause a denial of service or potentially cause other impact. - CVE-2017-1000363 Roee Hay reported that the lp driver does not properly bounds-check passed arguments, allowing a local attacker with write access to the kernel command line arguments to execute arbitrary code. - CVE-2017-1000365 It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 102550
    published 2017-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102550
    title Debian DSA-3945-1 : linux - security update (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3419-2.NASL
    description USN-3419-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 103322
    published 2017-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103322
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3419-2) (BlueBorne)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2286-1.NASL
    description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 bnc#1050677). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 102838
    published 2017-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102838
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-069.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-17
    plugin id 102207
    published 2017-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102207
    title Virtuozzo 7 : readykernel-patch (VZA-2017-069)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1159.NASL
    description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.(CVE-2017-11176) - The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/ cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.(CVE-2017-7541) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.(CVE-2017-11473) - net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.(CVE-2017-11600) - It was discovered that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.(CVE-2016-9604) - A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree.(CVE-2017-12762) - The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.(CVE-2017-1000365) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-10
    plugin id 102997
    published 2017-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102997
    title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1159)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-544EEF948F.NASL
    description The 4.11.12 update contains a number of important fixes across the tree. ---- The 4.11.11 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 101994
    published 2017-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101994
    title Fedora 24 : kernel (2017-544eef948f)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2869-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). - CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bnc#1053919). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051). - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 104253
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104253
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2869-1) (KRACK)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-068.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-17
    plugin id 102206
    published 2017-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102206
    title Virtuozzo 7 : readykernel-patch (VZA-2017-068)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0028.NASL
    description An update of [linux] packages for PhotonOS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111877
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111877
    title Photon OS 1.0: Linux PHSA-2017-0028
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2918.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) * A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic. (CVE-2017-14340, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat). Bug Fix(es) : * kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ#1489085)
    last seen 2018-09-09
    modified 2018-09-07
    plugin id 104090
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104090
    title RHEL 6 : MRG (RHSA-2017:2918)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3659.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 105247
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105247
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0167.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811] - xfs: use dedicated log worker wq to avoid deadlock with cil wq (Brian Foster) [Orabug: 27013241] - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988633] (CVE-2017-14489) - nvme: honor RTD3 Entry Latency for shutdowns (Martin K. Petersen) - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27013220] (CVE-2017-7542) - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 27013227] (CVE-2017-1000112) - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 26943884] - tcp: fix tcp_mark_head_lost to check skb len before fragmenting (Neal Cardwell) [Orabug: 26923675] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899775] (CVE-2017-10661) - kvm: nVMX: Don't allow L2 to access the hardware CR8 (Jim Mattson) (CVE-2017-12154) (CVE-2017-12154) - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx (Tim Tianyang Chen) [Orabug: 26880590] (CVE-2017-7541) - crypto: ahash - Fix EINPROGRESS notification callback (Herbert Xu) [Orabug: 26916575] (CVE-2017-7618) - ovl: use O_LARGEFILE in ovl_copy_up (David Howells) [Orabug: 25953280] - rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880508] (CVE-2017-7482) (CVE-2017-7482) - tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813385] (CVE-2017-14106)
    last seen 2018-09-02
    modified 2018-08-03
    plugin id 104453
    published 2017-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104453
    title OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0167)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4071.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2018-09-02
    modified 2018-08-03
    plugin id 109156
    published 2018-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109156
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2863.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) Bug Fix(es) : * Previously, removal of a rport during ISCSI target scanning could cause a kernel panic. This was happening because addition of STARGET_REMOVE to the rport state introduced a race condition to the SCSI code. This update adds the STARGET_CREATED_REMOVE state as a possible state of the rport and appropriate handling of that state, thus fixing the bug. As a result, the kernel panic no longer occurs under the described circumstances. (BZ# 1472127) * Previously, GFS2 contained multiple bugs where the wrong inode was assigned to GFS2 cluster-wide locks (glocks), or the assigned inode was cleared incorrectly. Consequently, kernel panic could occur when using GFS2. With this update, GFS2 has been fixed, and the kernel no longer panics due to those bugs. (BZ#1479397) * Previously, VMs with memory larger than 64GB running on Hyper-V with Windows Server hosts reported potential memory size of 4TB and more, but could not use more than 64GB. This was happening because the Memory Type Range Register (MTRR) for memory above 64GB was omitted. With this update, the /proc/mtrr file has been fixed to show correct base/size if they are more than 44 bit wide. As a result, the whole size of memory is now available as expected under the described circumstances. (BZ#1482855)
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 103707
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103707
    title CentOS 6 : kernel (CESA-2017:2863)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2863.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) Bug Fix(es) : * Previously, removal of a rport during ISCSI target scanning could cause a kernel panic. This was happening because addition of STARGET_REMOVE to the rport state introduced a race condition to the SCSI code. This update adds the STARGET_CREATED_REMOVE state as a possible state of the rport and appropriate handling of that state, thus fixing the bug. As a result, the kernel panic no longer occurs under the described circumstances. (BZ# 1472127) * Previously, GFS2 contained multiple bugs where the wrong inode was assigned to GFS2 cluster-wide locks (glocks), or the assigned inode was cleared incorrectly. Consequently, kernel panic could occur when using GFS2. With this update, GFS2 has been fixed, and the kernel no longer panics due to those bugs. (BZ#1479397) * Previously, VMs with memory larger than 64GB running on Hyper-V with Windows Server hosts reported potential memory size of 4TB and more, but could not use more than 64GB. This was happening because the Memory Type Range Register (MTRR) for memory above 64GB was omitted. With this update, the /proc/mtrr file has been fixed to show correct base/size if they are more than 44 bit wide. As a result, the whole size of memory is now available as expected under the described circumstances. (BZ#1482855)
    last seen 2018-09-02
    modified 2018-07-27
    plugin id 103687
    published 2017-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103687
    title RHEL 6 : kernel (RHSA-2017:2863)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3405-1.NASL
    description It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176) Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information. (CVE-2017-7495) It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541) It was discovered that the Linux kernel did not honor the UEFI secure boot mode when performing a kexec operation. A local attacker could use this to bypass secure boot restrictions. (CVE-2015-7837). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 102818
    published 2017-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102818
    title Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3405-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3635.NASL
    description Description of changes: [4.1.12-103.9.2.el7uek] - Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811] [4.1.12-103.9.1.el7uek] - xfs: use dedicated log worker wq to avoid deadlock with cil wq (Brian Foster) [Orabug: 27013241] - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988633] {CVE-2017-14489} - nvme: honor RTD3 Entry Latency for shutdowns (Martin K. Petersen) [Orabug: 26999097] - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27013220] {CVE-2017-7542} - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 27013227] {CVE-2017-1000112} - drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 26943884] [4.1.12-103.8.1.el7uek] - tcp: fix tcp_mark_head_lost to check skb len before fragmenting (Neal Cardwell) [Orabug: 26923675] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899775] {CVE-2017-10661} - kvm: nVMX: Don't allow L2 to access the hardware CR8 (Jim Mattson) {CVE-2017-12154} {CVE-2017-12154} - brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Tim Tianyang Chen) [Orabug: 26880590] {CVE-2017-7541} - crypto: ahash - Fix EINPROGRESS notification callback (Herbert Xu) [Orabug: 26916575] {CVE-2017-7618} - ovl: use O_LARGEFILE in ovl_copy_up() (David Howells) [Orabug: 25953280] - rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880508] {CVE-2017-7482} {CVE-2017-7482} - tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813385] {CVE-2017-14106}
    last seen 2018-09-02
    modified 2018-08-03
    plugin id 104369
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104369
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3635)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-076.NASL
    description According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. - Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free) which may lead to memory corruption or other unspecified other impact. - The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 102922
    published 2017-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102922
    title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2018-10-18
    modified 2018-10-17
    plugin id 104003
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104003
    title RHEL 7 : kernel (RHSA-2017:2930)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171019_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) - A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user- space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) - A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 104008
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104008
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2931.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Bug Fix(es) : * The kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ# 1489084)
    last seen 2018-09-09
    modified 2018-09-07
    plugin id 104004
    published 2017-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104004
    title RHEL 7 : kernel-rt (RHSA-2017:2931)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2930.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important) * A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important) * An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important) * A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399, Moderate) * Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate) * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate) * The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate) * A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate) Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat). Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/node/3212921.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 104106
    published 2017-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104106
    title CentOS 7 : kernel (CESA-2017:2930)
redhat via4
advisories
  • bugzilla
    id 1473198
    title CVE-2017-7541 kernel: Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx()
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863021
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863005
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863029
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863015
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863019
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863023
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863007
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-firmware is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863009
        • comment kernel-firmware is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842026
      • AND
        • comment kernel-headers is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863013
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863017
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863011
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment perf is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863027
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:2.6.32-696.13.2.el6
          oval oval:com.redhat.rhsa:tst:20172863025
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111530020
    rhsa
    id RHSA-2017:2863
    released 2017-10-05
    severity Moderate
    title RHSA-2017:2863: kernel security and bug fix update (Moderate)
  • rhsa
    id RHSA-2017:2918
  • rhsa
    id RHSA-2017:2930
  • rhsa
    id RHSA-2017:2931
rpms
  • kernel-0:2.6.32-696.13.2.el6
  • kernel-abi-whitelists-0:2.6.32-696.13.2.el6
  • kernel-bootwrapper-0:2.6.32-696.13.2.el6
  • kernel-debug-0:2.6.32-696.13.2.el6
  • kernel-debug-devel-0:2.6.32-696.13.2.el6
  • kernel-devel-0:2.6.32-696.13.2.el6
  • kernel-doc-0:2.6.32-696.13.2.el6
  • kernel-firmware-0:2.6.32-696.13.2.el6
  • kernel-headers-0:2.6.32-696.13.2.el6
  • kernel-kdump-0:2.6.32-696.13.2.el6
  • kernel-kdump-devel-0:2.6.32-696.13.2.el6
  • perf-0:2.6.32-696.13.2.el6
  • python-perf-0:2.6.32-696.13.2.el6
  • kernel-0:3.10.0-693.5.2.el7
  • kernel-abi-whitelists-0:3.10.0-693.5.2.el7
  • kernel-bootwrapper-0:3.10.0-693.5.2.el7
  • kernel-debug-0:3.10.0-693.5.2.el7
  • kernel-debug-devel-0:3.10.0-693.5.2.el7
  • kernel-devel-0:3.10.0-693.5.2.el7
  • kernel-doc-0:3.10.0-693.5.2.el7
  • kernel-headers-0:3.10.0-693.5.2.el7
  • kernel-kdump-0:3.10.0-693.5.2.el7
  • kernel-kdump-devel-0:3.10.0-693.5.2.el7
  • kernel-tools-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-devel-0:3.10.0-693.5.2.el7
  • perf-0:3.10.0-693.5.2.el7
  • python-perf-0:3.10.0-693.5.2.el7
  • kernel-rt-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-doc-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.5.2.rt56.626.el7
refmap via4
bid 99955
confirm
debian
  • DSA-3927
  • DSA-3945
sectrack 1038981
Last major update 25-07-2017 - 00:29
Published 25-07-2017 - 00:29
Last modified 07-12-2017 - 21:29
Back to Top