ID CVE-2017-9076
Summary The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.
References
Vulnerable Configurations
  • Linux Kernel 4.11.1
    cpe:2.3:o:linux:linux_kernel:4.11.1
CVSS
Base: 7.2
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170801_KERNEL_ON_SL7_X.NASL
    description Security Fix(es) : - An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) - A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) - It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft- lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : - CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685
    last seen 2017-10-29
    modified 2017-08-22
    plugin id 102645
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102645
    title Scientific Linux Security Update : kernel on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2669.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation. (CVE-2017-7533, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : CVE-2017-8797 CVE-2015-8839 CVE-2016-9576 CVE-2016-7042 CVE-2016-7097 CVE-2016-8645 CVE-2016-9576 CVE-2016-9806 CVE-2016-10088 CVE-2017-2671 CVE-2017-5970 CVE-2017-6001 CVE-2017-6951 CVE-2017-7187 CVE-2017-7889 CVE-2017-8890 CVE-2017-9074 CVE-2017-8890 CVE-2017-9075 CVE-2017-8890 CVE-2017-9076 CVE-2017-8890 CVE-2017-9077 CVE-2016-9604 CVE-2016-9685 Documentation for these issues are available from the Technical Notes document linked to in the References section. Red Hat would like to thank Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), and Shixiong Zhao (The University of Hong Kong) for reporting CVE-2017-7533 and Marco Grassi for reporting CVE-2016-8645. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-9604 issue was discovered by David Howells (Red Hat); and the CVE-2016-9685 issue was discovered by Qian Cai (Red Hat).
    last seen 2017-10-29
    modified 2017-09-11
    plugin id 103046
    published 2017-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103046
    title RHEL 6 : MRG (RHSA-2017:2669)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3330-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100928
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100928
    title Ubuntu 16.04 LTS : linux-meta-snapdragon, linux-snapdragon vulnerabilities (USN-3330-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3328-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100926
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100926
    title Ubuntu 16.04 LTS : linux, linux-meta vulnerabilities (USN-3328-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3343-1.NASL
    description USN 3335-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101152
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101152
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3343-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3344-2.NASL
    description USN-3344-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. USN 3334-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101155
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101155
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3344-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3344-1.NASL
    description USN 3328-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101154
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101154
    title Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3344-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2077.NASL
    description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2017-10-29
    modified 2017-08-15
    plugin id 102151
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102151
    title RHEL 7 : kernel-rt (RHSA-2017:2077)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-047.NASL
    description According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - Improved isolation for neighbor table settings. (The fix added to the 042stab120.19 kernel was incomplete.) Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 100769
    published 2017-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100769
    title Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-047)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-6F06BE3FE9.NASL
    description Rebase to 4.11.3 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-06-01
    plugin id 100563
    published 2017-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100563
    title Fedora 25 : kernel (2017-6f06be3fe9)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-043.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-14
    plugin id 100599
    published 2017-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100599
    title Virtuozzo 7 : readykernel-patch (VZA-2017-043)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3345-1.NASL
    description USN 3324-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101156
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101156
    title Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3345-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-273B67D5EE.NASL
    description The 4.10.17 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-30
    plugin id 100435
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100435
    title Fedora 25 : kernel (2017-273b67d5ee)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3343-2.NASL
    description USN 3343-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. USN 3335-2 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-06-30
    plugin id 101153
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101153
    title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3343-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3342-1.NASL
    description USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101150
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101150
    title Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3342-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3342-2.NASL
    description USN-3342-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. USN-3333-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) It was discovered that a double-free vulnerability existed in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack in the Linux kernel was performing its over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101151
    published 2017-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101151
    title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3342-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3324-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100922
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100922
    title Ubuntu 17.04 : linux, linux-meta vulnerabilities (USN-3324-1) (Stack Clash)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-045.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 100601
    published 2017-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100601
    title Virtuozzo 7 : readykernel-patch (VZA-2017-045)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3334-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100932
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100932
    title Ubuntu 14.04 LTS : linux-lts-xenial, linux-meta-lts-xenial vulnerabilities (USN-3334-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3327-1.NASL
    description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100925
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100925
    title Ubuntu 16.10 : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3327-1) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842-1.NASL
    description The remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 102511
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102511
    title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3335-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-9940) It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code. (CVE-2017-0605) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7294) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100933
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100933
    title Ubuntu 14.04 LTS : linux, linux-meta vulnerabilities (USN-3335-1) (Stack Clash)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3886.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-7487 Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result into a use-after-free vulnerability, triggerable when a IPX interface is configured. - CVE-2017-7645 Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 PRC clients, leading to a denial of service. - CVE-2017-7895 Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations do not properly handle payload bounds checking of WRITE requests. A remote attacker with write access to a NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space. - CVE-2017-8064 Arnd Bergmann found that the DVB-USB core misused the device logging system, resulting in a use-after-free vulnerability, with unknown security impact. - CVE-2017-8890 It was discovered that the net_csk_clone_lock() function allows a remote attacker to cause a double free leading to a denial of service or potentially have other impact. - CVE-2017-8924 Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected. - CVE-2017-8925 Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices. - CVE-2017-9074 Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer. A local user or guest VM might be able to use this to leak sensitive information or to cause a denial of service (crash). - CVE-2017-9075 Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user. - CVE-2017-9076 / CVE-2017-9077 Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075. - CVE-2017-9242 Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation. A local user could use this for denial of service (memory corruption; crash) and possibly for privilege escalation. - CVE-2017-1000364 The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack-pointer can jump over the guard-page and moving from the stack into another memory region without accessing the guard-page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation. The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line. Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
    last seen 2017-10-29
    modified 2017-10-09
    plugin id 100877
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100877
    title Debian DSA-3886-1 : linux - security update (Stack Clash)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-042.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS. - The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. - If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a NULL pointer dererefence in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls. - A privileged user inside a container could cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-07-14
    plugin id 100598
    published 2017-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100598
    title Virtuozzo 7 : readykernel-patch (VZA-2017-042)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2389-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2016-10277: Potential privilege escalation due to a missing bounds check in the lp driver. A kernel command-line adversary can overflow the parport_nr array to execute code (bsc#1039456). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bsc#1049882). - CVE-2017-7533: Bug in inotify code allowing privilege escalation (bsc#1049483). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bsc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-1000365: The Linux Kernel imposed a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354) - CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c (bnc#1032340) - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-1000380: sound/core/timer.c was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents could have bene disclosed when a read and an ioctl happen at the same time (bnc#1044125) - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431) - CVE-2017-1000363: A buffer overflow in kernel commandline handling of the 'lp' parameter could be used by local console attackers to bypass certain secure boot settings. (bnc#1039456) - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885) - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069) - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883) - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882) - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879) - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-12-28
    modified 2017-12-28
    plugin id 103110
    published 2017-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103110
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2389-1) (Stack Clash)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842.NASL
    description From Red Hat Security Advisory 2017:1842 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2018-01-05
    modified 2018-01-05
    plugin id 102281
    published 2017-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102281
    title Oracle Linux 7 : kernel (ELSA-2017-1842) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2525-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bsc#1029850). - CVE-2017-7184: The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size data after an XFRM_MSG_NEWAE update, which allowed local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573) - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213) - CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052) - CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440) - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579) - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bsc#1038879). - CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 1050677 ). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bsc#1033336) - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability. This requires a malicious PCI Card. (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bsc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary could have overflowed the parport_nr array in the following code (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-12-28
    modified 2017-12-28
    plugin id 103354
    published 2017-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103354
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3332-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100930
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100930
    title Ubuntu 16.04 LTS : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3332-1) (Stack Clash)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-6554692044.NASL
    description The 4.11.4 update contains a number of important fixes across the tree ---- This is a rebase to the 4.11 series of kernels. It includes all fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-06-15
    plugin id 100798
    published 2017-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100798
    title Fedora 24 : kernel (2017-6554692044)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-85744F8AA9.NASL
    description The 4.10.17 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-30
    plugin id 100491
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100491
    title Fedora 24 : kernel (2017-85744f8aa9)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3331-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100929
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100929
    title Ubuntu 16.04 LTS : linux-aws, linux-meta-aws vulnerabilities (USN-3331-1) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1853-1.NASL
    description The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-7346: The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate certain levels data, which allowed local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031796). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. (bsc#1038982) - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling. (bsc#1038981) - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-9150: The do_check function in kernel/bpf/verifier.c in the Linux kernel did not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allowed local users to obtain sensitive address information via crafted bpf system calls (bnc#1040279). - CVE-2017-7618: crypto/ahash.c in the Linux kernel allowed attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (bnc#1033340). - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 101762
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101762
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1853-1) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2908-1.NASL
    description The SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents might have been disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (could happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) could overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). The following new features were implemented : - the r8152 network driver was updated to support Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (fate#321482) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-01-02
    modified 2018-01-02
    plugin id 104271
    published 2017-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104271
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2908-1) (KRACK) (Stack Clash)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-846.NASL
    description Module reference leak due to improper shut down of callback channel on umount : The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a 'module reference and kernel daemon' leak. (CVE-2017-9059) Incorrect overwrite check in __ip6_append_data() : The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. (CVE-2017-9242) Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c : The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890) net: tcp_v6_syn_recv_sock function mishandles inheritance : The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077) net: IPv6 DCCP implementation mishandles inheritance The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076) net: sctp_v6_create_accept_sk function mishandles inheritance : The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2017-9075) net: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option : The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074)
    last seen 2017-10-29
    modified 2017-06-23
    plugin id 100999
    published 2017-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100999
    title Amazon Linux AMI : kernel (ALAS-2017-846)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2920-1.NASL
    description The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306). - CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268). - CVE-2016-9604: The handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings, was fixed (bsc#1035576) - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line (bnc#1039456). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125). - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507). - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593). - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the 'dead' type (bnc#1029850). - CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernels kerberos handling. (bnc#1046107). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception(#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405). - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bnc#1035877). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-01-02
    modified 2018-01-02
    plugin id 104374
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104374
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-1842.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2018-01-05
    modified 2018-01-05
    plugin id 102734
    published 2017-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102734
    title CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1842.NASL
    description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important) * A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important) * It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and Low impact security issues : * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685 Documentation for these issues is available from the Release Notes document linked from the References section. Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat). Additional Changes : For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen 2018-01-05
    modified 2018-01-05
    plugin id 102143
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102143
    title RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-666.NASL
    description The openSUSE Leap 42.2 kernel was updated to 4.4.70 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885). - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069). - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883). - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882). - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879). - CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544). - CVE-2017-9150: The do_check function in kernel/bpf/verifier.c in the Linux kernel did not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allowed local users to obtain sensitive address information via crafted bpf system calls (bnc#1040279). - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670) The following non-security bugs were fixed : - 9p: fix a potential acl leak (4.4.68 stable queue). - acpi / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal (bsc#1031717). - acpi / scan: Drop support for force_remove (bnc#1029607). - ahci: disable correct irq for dummy ports (bsc#1040125). - alsa: hda - Fix deadlock of controller device lock at unbinding (4.4.68 stable queue). - arm: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode (4.4.68 stable queue). - arm: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build (4.4.68 stable queue). - asoc: rt5640: use msleep() for long delays (bsc#1031717). - asoc: sti: Fix error handling if of_clk_get() fails (bsc#1031717). - blacklist 61e8a0d5a027 powerpc/pci: Fix endian bug in fixed PHB numbering (bsc#989311) - block: get rid of blk_integrity_revalidate() (4.4.68 stable queue). - bna: avoid writing uninitialized data into hw registers (bsc#966321 FATE#320156). - bnxt_en: allocate enough space for ->ntp_fltr_bmap (bsc#1020412 FATE#321671). - bpf, arm64: fix jit branch offset related to ldimm64 (4.4.68 stable queue). - brcmfmac: Ensure pointer correctly set if skb data location changes (4.4.68 stable queue). - brcmfmac: Make skb header writable before use (4.4.68 stable queue). - brcmfmac: restore stopping netdev queue when bus clogs up (bsc#1031717). - btrfs: add a flags field to btrfs_fs_info (bsc#1012452). - btrfs: add ASSERT for block group's memory leak (bsc#1012452). - btrfs: add btrfs_trans_handle->fs_info pointer (bsc#1012452). - btrfs: add bytes_readonly to the spaceinfo at once (bsc#1012452). - btrfs: add check to sysfs handler of label (bsc#1012452). - btrfs: add dynamic debug support (bsc#1012452). - btrfs: add error handling for extent buffer in print tree (bsc#1012452). - btrfs: add missing bytes_readonly attribute file in sysfs (bsc#1012452). - btrfs: add missing check for writeback errors on fsync (bsc#1012452). - btrfs: add more validation checks for superblock (bsc#1012452). - btrfs: Add ratelimit to btrfs printing (bsc#1012452). - btrfs: add read-only check to sysfs handler of features (bsc#1012452). - btrfs: add semaphore to synchronize direct IO writes with fsync (bsc#1012452). - btrfs: add tracepoint for adding block groups (bsc#1012452). - btrfs: add tracepoints for flush events (bsc#1012452). - btrfs: add validadtion checks for chunk loading (bsc#1012452). - btrfs: add write protection to SET_FEATURES ioctl (bsc#1012452). - btrfs: allow balancing to dup with multi-device (bsc#1012452). - btrfs: always reserve metadata for delalloc extents (bsc#1012452). - btrfs: always use trans->block_rsv for orphans (bsc#1012452). - btrfs: avoid blocking open_ctree from cleaner_kthread (bsc#1012452). - btrfs: avoid deadlocks during reservations in btrfs_truncate_block (bsc#1012452). - btrfs: avoid overflowing f_bfree (bsc#1012452). - btrfs: btrfs_abort_transaction, drop root parameter (bsc#1012452). - btrfs: __btrfs_buffered_write: Pass valid file offset when releasing delalloc space (bsc#1012452). - btrfs: btrfs_check_super_valid: Allow 4096 as stripesize (bsc#1012452). - btrfs: btrfs_debug should consume fs_info when DEBUG is not defined (bsc#1012452). - btrfs: btrfs_relocate_chunk pass extent_root to btrfs_end_transaction (bsc#1012452). - btrfs: build fixup for qgroup_account_snapshot (bsc#1012452). - btrfs: change BUG_ON()'s to ASSERT()'s in backref_cache_cleanup() (bsc#1012452). - btrfs: change delayed reservation fallback behavior (bsc#1012452). - btrfs: change how we calculate the global block rsv (bsc#1012452). - btrfs: check btree node's nritems (bsc#1012452). - btrfs: check if extent buffer is aligned to sectorsize (bsc#1012452). - btrfs: check inconsistence between chunk and block group (bsc#1012452). - btrfs: clarify do_chunk_alloc()'s return value (bsc#1012452). - btrfs: clean the old superblocks before freeing the device (bsc#1012452). - btrfs: clean up and optimize __check_raid_min_device() (bsc#1012452). - btrfs: cleanup assigning next active device with a check (bsc#1012452). - btrfs: cleanup BUG_ON in merge_bio (bsc#1012452). - btrfs: Cleanup compress_file_range() (bsc#1012452). - btrfs: cleanup error handling in extent_write_cached_pages (bsc#1012452). - btrfs: clear uptodate flags of pages in sys_array eb (bsc#1012452). - btrfs: clone: use vmalloc only as fallback for nodesize bufer (bsc#1012452). - btrfs: convert nodesize macros to static inlines (bsc#1012452). - btrfs: convert printk(KERN_* to use pr_* calls (bsc#1012452). - btrfs: convert pr_* to btrfs_* where possible (bsc#1012452). - btrfs: convert send's verbose_printk to btrfs_debug (bsc#1012452). - btrfs: copy_to_sk drop unused root parameter (bsc#1012452). - btrfs: create a helper function to read the disk super (bsc#1012452). - btrfs: create example debugfs file only in debugging build (bsc#1012452). - btrfs: create helper btrfs_find_device_by_user_input() (bsc#1012452). - btrfs: create helper function __check_raid_min_devices() (bsc#1012452). - btrfs: detect corruption when non-root leaf has zero item (bsc#1012452). - btrfs: divide btrfs_update_reserved_bytes() into two functions (bsc#1012452). - btrfs: do not background blkdev_put() (bsc#1012452). - btrfs: do not bother kicking async if there's nothing to reclaim (bsc#1012452). - btrfs: do not BUG_ON() in btrfs_orphan_add (bsc#1012452). - btrfs: do not create empty block group if we have allocated data (bsc#1012452). - btrfs: do not decrease bytes_may_use when replaying extents (bsc#1012452). - btrfs: do not do nocow check unless we have to (bsc#1012452). - btrfs: do not do unnecessary delalloc flushes when relocating (bsc#1012452). - btrfs: do not force mounts to wait for cleaner_kthread to delete one or more subvolumes (bsc#1012452). - btrfs: do not wait for unrelated IO to finish before relocation (bsc#1012452). - btrfs: do not WARN() in btrfs_transaction_abort() for IO errors (bsc#1035866). - btrfs: end transaction if we abort when creating uuid root (bsc#1012452). - btrfs: enhance btrfs_find_device_by_user_input() to check device path (bsc#1012452). - btrfs: error out if generic_bin_search get invalid arguments (bsc#1012452). - btrfs: expand cow_file_range() to support in-band dedup and subpage-blocksize (bsc#1012452). - btrfs: extend btrfs_set_extent_delalloc and its friends to support in-band dedupe and subpage size patchset (bsc#1012452). - btrfs: fill relocation block rsv after allocation (bsc#1012452). - btrfs: fix an integer overflow check (bsc#1012452). - btrfs: fix a possible umount deadlock (bsc#1012452). - btrfs: fix btrfs_no_printk stub helper (bsc#1012452). - btrfs: Fix BUG_ON condition in scrub_setup_recheck_block() (bsc#1012452). - btrfs: fix BUG_ON in btrfs_mark_buffer_dirty (bsc#1012452). - btrfs: fix BUG_ON in btrfs_submit_compressed_write (bsc#1012452). - btrfs: fix callers of btrfs_block_rsv_migrate (bsc#1012452). - btrfs: fix check_direct_IO() for non-iovec iterators (bsc#1012452). - btrfs: fix check_shared for fiemap ioctl (bsc#1037177). - btrfs: fix crash when tracepoint arguments are freed by wq callbacks (bsc#1012452). - btrfs: fix data loss after truncate when using the no-holes feature (bsc#1036214). - btrfs: fix deadlock in delayed_ref_async_start (bsc#1012452). - btrfs: fix delalloc reservation amount tracepoint (bsc#1012452). - btrfs: fix disk_i_size update bug when fallocate() fails (bsc#1012452). - btrfs: fix divide error upon chunk's stripe_len (bsc#1012452). - btrfs: fix double free of fs root (bsc#1012452). - btrfs: fix eb memory leak due to readpage failure (bsc#1012452). - btrfs: fix em leak in find_first_block_group (bsc#1012452). - btrfs: fix emptiness check for dirtied extent buffers at check_leaf() (bsc#1012452). - btrfs: fix error handling in map_private_extent_buffer (bsc#1012452). - btrfs: fix error return code in btrfs_init_test_fs() (bsc#1012452). - btrfs: fix free space calculation in dump_space_info() (bsc#1012452). - btrfs: fix fsfreeze hang caused by delayed iputs deal (bsc#1012452). - btrfs: fix fspath error deallocation (bsc#1012452). - btrfs: fix int32 overflow in shrink_delalloc() (bsc#1012452). - btrfs: Fix integer overflow when calculating bytes_per_bitmap (bsc#1012452). - btrfs: fix invalid dereference in btrfs_retry_endio (bsc#1040395). - btrfs: fix lock dep warning, move scratch dev out of device_list_mutex and uuid_mutex (bsc#1012452). - btrfs: fix lock dep warning move scratch super outside of chunk_mutex (bsc#1012452). - btrfs: fix __MAX_CSUM_ITEMS (bsc#1012452). - btrfs: fix memory leak during RAID 5/6 device replacement (bsc#1012452). - btrfs: fix memory leak of block group cache (bsc#1012452). - btrfs: fix memory leak of reloc_root (bsc#1012452). - btrfs: fix mixed block count of available space (bsc#1012452). - btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket() (bsc#1012452). - btrfs: fix panic in balance due to EIO (bsc#1012452). - btrfs: fix race between block group relocation and nocow writes (bsc#1012452). - btrfs: fix race between device replace and block group removal (bsc#1012452). - btrfs: fix race between device replace and chunk allocation (bsc#1012452). - btrfs: fix race between device replace and discard (bsc#1012452). - btrfs: fix race between device replace and read repair (bsc#1012452). - btrfs: fix race between fsync and direct IO writes for prealloc extents (bsc#1012452). - btrfs: fix race between readahead and device replace/removal (bsc#1012452). - btrfs: fix race setting block group back to RW mode during device replace (bsc#1012452). - btrfs: fix race setting block group readonly during device replace (bsc#1012452). - btrfs: fix read_node_slot to return errors (bsc#1012452). - btrfs: fix release reserved extents trace points (bsc#1012452). - btrfs: fix segmentation fault when doing dio read (bsc#1040425). - btrfs: Fix slab accounting flags (bsc#1012452). - btrfs: fix unexpected return value of fiemap (bsc#1012452). - btrfs: fix unprotected assignment of the left cursor for device replace (bsc#1012452). - btrfs: fix WARNING in btrfs_select_ref_head() (bsc#1012452). - btrfs: flush_space: treat return value of do_chunk_alloc properly (bsc#1012452). - btrfs: Force stripesize to the value of sectorsize (bsc#1012452). - btrfs: free sys_array eb as soon as possible (bsc#1012452). - btrfs: GFP_NOFS does not GFP_HIGHMEM (bsc#1012452). - btrfs: Handle uninitialised inode eviction (bsc#1012452). - btrfs: hide test-only member under ifdef (bsc#1012452). - btrfs: improve check_node to avoid reading corrupted nodes (bsc#1012452). - btrfs: introduce BTRFS_MAX_ITEM_SIZE (bsc#1012452). - btrfs: introduce device delete by devid (bsc#1012452). - btrfs: introduce raid-type to error-code table, for minimum device constraint (bsc#1012452). - btrfs: introduce ticketed enospc infrastructure (bsc#1012452). - btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress (bsc#1012452). - btrfs: ioctl: reorder exclusive op check in RM_DEV (bsc#1012452). - btrfs: kill BUG_ON in do_relocation (bsc#1012452). - btrfs: kill BUG_ON in run_delayed_tree_ref (bsc#1012452). - btrfs: kill BUG_ON()'s in btrfs_mark_extent_written (bsc#1012452). - btrfs: kill invalid ASSERT() in process_all_refs() (bsc#1012452). - btrfs: kill the start argument to read_extent_buffer_pages (bsc#1012452). - btrfs: kill unused writepage_io_hook callback (bsc#1012452). - btrfs: make find_workspace always succeed (bsc#1012452). - btrfs: make find_workspace warn if there are no workspaces (bsc#1012452). - btrfs: make mapping->writeback_index point to the last written page (bsc#1012452). - btrfs: make state preallocation more speculative in __set_extent_bit (bsc#1012452). - btrfs: make sure device is synced before return (bsc#1012452). - btrfs: make use of btrfs_find_device_by_user_input() (bsc#1012452). - btrfs: make use of btrfs_scratch_superblocks() in btrfs_rm_device() (bsc#1012452). - btrfs: memset to avoid stale content in btree leaf (bsc#1012452). - btrfs: memset to avoid stale content in btree node block (bsc#1012452). - btrfs: move error handling code together in ctree.h (bsc#1012452). - btrfs: optimize check for stale device (bsc#1012452). - btrfs: parent_start initialization cleanup (bsc#1012452). - btrfs: pass correct args to btrfs_async_run_delayed_refs() (bsc#1012452). - btrfs: pass number of devices to btrfs_check_raid_min_devices (bsc#1012452). - btrfs: pass the right error code to the btrfs_std_error (bsc#1012452). - btrfs: preallocate compression workspaces (bsc#1012452). - btrfs: Ratelimit 'no csum found' info message (bsc#1012452). - btrfs: refactor btrfs_dev_replace_start for reuse (bsc#1012452). - btrfs: Refactor btrfs_lock_cluster() to kill compiler warning (bsc#1012452). - btrfs: remove BUG() in raid56 (bsc#1012452). - btrfs: remove BUG_ON in start_transaction (bsc#1012452). - btrfs: remove BUG_ON()'s in btrfs_map_block (bsc#1012452). - btrfs: remove build fixup for qgroup_account_snapshot (bsc#1012452). - btrfs: remove save_error_info() (bsc#1012452). - btrfs: remove unnecessary btrfs_mark_buffer_dirty in split_leaf (bsc#1012452). - btrfs: remove unused function btrfs_assert() (bsc#1012452). - btrfs: rename and document compression workspace members (bsc#1012452). - btrfs: rename btrfs_find_device_by_user_input (bsc#1012452). - btrfs: rename btrfs_std_error to btrfs_handle_fs_error (bsc#1012452). - btrfs: rename __check_raid_min_devices (bsc#1012452). - btrfs: rename flags for vol args v2 (bsc#1012452). - btrfs: reorg btrfs_close_one_device() (bsc#1012452). - btrfs: Replace -ENOENT by -ERANGE in btrfs_get_acl() (bsc#1012452). - btrfs: reuse existing variable in scrub_stripe, reduce stack usage (bsc#1012452). - btrfs: s_bdev is not null after missing replace (bsc#1012452). - btrfs: scrub: Set bbio to NULL before calling btrfs_map_block (bsc#1012452). - btrfs: send: silence an integer overflow warning (bsc#1012452). - btrfs: send: use temporary variable to store allocation size (bsc#1012452). - btrfs: send: use vmalloc only as fallback for clone_roots (bsc#1012452). - btrfs: send: use vmalloc only as fallback for clone_sources_tmp (bsc#1012452). - btrfs: send: use vmalloc only as fallback for read_buf (bsc#1012452). - btrfs: send: use vmalloc only as fallback for send_buf (bsc#1012452). - btrfs: Simplify conditions about compress while mapping btrfs flags to inode flags (bsc#1012452). - btrfs: sink gfp parameter to clear_extent_bits (bsc#1012452). - btrfs: sink gfp parameter to clear_extent_dirty (bsc#1012452). - btrfs: sink gfp parameter to clear_record_extent_bits (bsc#1012452). - btrfs: sink gfp parameter to convert_extent_bit (bsc#1012452). - btrfs: sink gfp parameter to set_extent_bits (bsc#1012452). - btrfs: sink gfp parameter to set_extent_defrag (bsc#1012452). - btrfs: sink gfp parameter to set_extent_delalloc (bsc#1012452). - btrfs: sink gfp parameter to set_extent_new (bsc#1012452). - btrfs: sink gfp parameter to set_record_extent_bits (bsc#1012452). - btrfs: skip commit transaction if we do not have enough pinned bytes (bsc#1037186). - btrfs: subpage-blocksize: Rate limit scrub error message (bsc#1012452). - btrfs: switch to common message helpers in open_ctree, adjust messages (bsc#1012452). - btrfs: sysfs: protect reading label by lock (bsc#1012452). - btrfs: trace pinned extents (bsc#1012452). - btrfs: track transid for delayed ref flushing (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, document subvol flags (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, move balance flags (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, move BTRFS_LABEL_SIZE (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, move feature flags (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, move struct btrfs_ioctl_defrag_range_args (bsc#1012452). - btrfs: uapi/linux/btrfs.h migration, qgroup limit flags (bsc#1012452). - btrfs: uapi/linux/btrfs_tree.h migration, item types and defines (bsc#1012452). - btrfs: uapi/linux/btrfs_tree.h, use __u8 and __u64 (bsc#1012452). - btrfs: unsplit printed strings (bsc#1012452). - btrfs: untangle gotos a bit in __clear_extent_bit (bsc#1012452). - btrfs: untangle gotos a bit in convert_extent_bit (bsc#1012452). - btrfs: untangle gotos a bit in __set_extent_bit (bsc#1012452). - btrfs: update btrfs_space_info's bytes_may_use timely (bsc#1012452). - btrfs: Use correct format specifier (bsc#1012452). - btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster() (bsc#1012452). - btrfs: use dynamic allocation for root item in create_subvol (bsc#1012452). - btrfs: use existing device constraints table btrfs_raid_array (bsc#1012452). - btrfs: use FLUSH_LIMIT for relocation in reserve_metadata_bytes (bsc#1012452). - btrfs: use fs_info directly (bsc#1012452). - btrfs: use new error message helper in qgroup_account_snapshot (bsc#1012452). - btrfs: use root when checking need_async_flush (bsc#1012452). - btrfs: use the correct struct for BTRFS_IOC_LOGICAL_INO (bsc#1012452). - btrfs: Use __u64 in exported linux/btrfs.h (bsc#1012452). - btrfs: warn_on for unaccounted spaces (bsc#1012452). - ceph: check i_nlink while converting a file handle to dentry (bsc#1039864). - ceph: Check that the new inode size is within limits in ceph_fallocate() (bsc#1037969). - ceph: Correctly return NXIO errors from ceph_llseek (git-fixes). - ceph: fix file open flags on ppc64 (bsc#1022266). - ceph: fix memory leak in __ceph_setxattr() (bsc#1036763). - cifs: backport prepath matching fix (bsc#799133). - clk: Make x86/ conditional on CONFIG_COMMON_CLK (4.4.68 stable queue). - cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores (4.4.68 stable queue). - crypto: algif_aead - Require setkey before accept(2) (bsc#1031717). - crypto: sha-mb - Fix load failure (bsc#1037384). - dell-laptop: Adds support for keyboard backlight timeout AC settings (bsc#1013561). - Disable CONFIG_POWER_SUPPLY_DEBUG in debug kernel (bsc#1031500). - dmaengine: dw: fix typo in Kconfig (bsc#1031717). - dm: fix dm_target_io leak if clone_bio() returns an error (bsc#1040125). - dm-mpath: fix race window in do_end_io() (bsc#1011044). - dm round robin: do not use this_cpu_ptr() without having preemption disabled (bsc#1040125). - dm verity fec: fix block calculation (bsc#1040125). - dm verity fec: fix bufio leaks (bsc#1040125). - dm verity fec: limit error correction recursion (bsc#1040125). - drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments (bsc#1031717). - drivers/tty: 8250: only call fintek_8250_probe when doing port I/O (bsc#1031717). - drm/i915: Disable tv output on i9x5gm (bsc#1039700). - drm/i915: Do not touch NULL sg on i915_gem_object_get_pages_gtt() error (bsc#1031717). - drm/i915: Fix mismatched INIT power domain disabling during suspend (bsc#1031717). - drm/i915: Nuke debug messages from the pipe update critical section (bsc#1031717). - drm/i915: Program iboost settings for HDMI/DVI on SKL (bsc#1031717). - drm/i915: relax uncritical udelay_range() (bsc#1031717). - drm/i915: relax uncritical udelay_range() settings (bsc#1031717). - drm/i915: Use pagecache write to prepopulate shmemfs from pwrite-ioctl (bsc#1040463). - drm/ttm: fix use-after-free races in vm fault handling (4.4.68 stable queue). - e1000e: Do not return uninitialized stats (bug#1034635). - enic: set skb->hash type properly (bsc#922871 fate#318754). - f2fs: fix bad prefetchw of NULL page (bsc#1012829). - f2fs: sanity check segment count (4.4.68 stable queue). - fnic: Return 'DID_IMM_RETRY' if rport is not ready (bsc#1035920). - fs/block_dev: always invalidate cleancache in invalidate_bdev() (git-fixes). - fs: fix data invalidation in the cleancache during direct IO (git-fixes). - fs/xattr.c: zero out memory copied to userspace in getxattr (git-fixes). - ftrace: Make ftrace_location_range() global (FATE#322421). - ibmvnic: Add set_link_state routine for setting adapter link state (fate#322021, bsc#1031512). - ibmvnic: Allocate zero-filled memory for sub crqs (fate#322021, bsc#1031512). - ibmvnic: Check for driver reset first in ibmvnic_xmit (fate#322021, bsc#1038297). - ibmvnic: Cleanup failure path in ibmvnic_open (fate#322021, bsc#1031512). - ibmvnic: Clean up tx pools when closing (fate#322021, bsc#1038297). - ibmvnic: Continue skb processing after skb completion error (fate#322021, bsc#1038297). - ibmvnic: Correct crq and resource releasing (fate#322021, bsc#1031512). - ibmvnic: Create init and release routines for the bounce buffer (fate#322021, bsc#1031512). - ibmvnic: Create init and release routines for the rx pool (fate#322021, bsc#1031512). - ibmvnic: Create init and release routines for the tx pool (fate#322021, bsc#1031512). - ibmvnic: Create init/release routines for stats token (fate#322021, bsc#1031512). - ibmvnic: Delete napi's when releasing driver resources (fate#322021, bsc#1038297). - ibmvnic: Disable irq prior to close (fate#322021, bsc#1031512). - ibmvnic: Do not disable IRQ after scheduling tasklet (fate#322021, bsc#1031512). - ibmvnic: Fix ibmvnic_change_mac_addr struct format (fate#322021, bsc#1031512). - ibmvnic: fix missing unlock on error in __ibmvnic_reset() (fate#322021, bsc#1038297, Fixes: ed651a10875f). - ibmvnic: Fixup atomic API usage (fate#322021, bsc#1031512). - ibmvnic: Free skb's in cases of failure in transmit (fate#322021, bsc#1031512). - ibmvnic: Insert header on VLAN tagged received frame (fate#322021, bsc#1031512). - ibmvnic: Merge the two release_sub_crq_queue routines (fate#322021, bsc#1031512). - ibmvnic: Move initialization of sub crqs to ibmvnic_init (fate#322021, bsc#1031512). - ibmvnic: Move initialization of the stats token to ibmvnic_open (fate#322021, bsc#1031512). - ibmvnic: Move queue restarting in ibmvnic_tx_complete (fate#322021, bsc#1038297). - ibmvnic: Move resource initialization to its own routine (fate#322021, bsc#1038297). - ibmvnic: Only retrieve error info if present (fate#322021, bsc#1031512). - ibmvnic: Record SKB RX queue during poll (fate#322021, bsc#1038297). - ibmvnic: Remove debugfs support (fate#322021, bsc#1031512). - ibmvnic: Remove inflight list (fate#322021, bsc#1031512). - ibmvnic: Remove unused bouce buffer (fate#322021, bsc#1031512). - ibmvnic: Replace is_closed with state field (fate#322021, bsc#1038297). - ibmvnic: Report errors when failing to release sub-crqs (fate#322021, bsc#1031512). - ibmvnic: Set real number of rx queues (fate#322021, bsc#1031512). - ibmvnic: Split initialization of scrqs to its own routine (fate#322021, bsc#1031512). - ibmvnic: Unmap longer term buffer before free (fate#322021, bsc#1031512). - ibmvnic: Updated reset handling (fate#322021, bsc#1038297). - ibmvnic: Update main crq initialization and release (fate#322021, bsc#1031512). - ibmvnic: Validate napi exist before disabling them (fate#322021, bsc#1031512). - ibmvnic: Wait for any pending scrqs entries at driver close (fate#322021, bsc#1038297). - ibmvnic: Whitespace correction in release_rx_pools (fate#322021, bsc#1038297). - iio: hid-sensor: Store restore poll and hysteresis on S3 (bsc#1031717). - iio: Workaround for kABI breakage by 4.4.67 iio hid-sensor changes (stable-4.4.67). - infiniband: avoid dereferencing uninitialized dst on error path (git-fixes). - iommu/arm-smmu: Disable stalling faults for all endpoints (bsc#1038843). - iommu/dma: Respect IOMMU aperture when allocating (bsc#1038842). - iommu/exynos: Block SYSMMU while invalidating FLPD cache (bsc#1038848). - iommu: Handle default domain attach failure (bsc#1038846). - iommu/vt-d: Do not over-free page table directories (bsc#1038847). - ipv4, ipv6: ensure raw socket message is big enough to hold an IP header (4.4.68 stable queue). - ipv6: initialize route null entry in addrconf_init() (4.4.68 stable queue). - ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf (4.4.68 stable queue). - isa: Call isa_bus_init before dependent ISA bus drivers register (bsc#1031717). - iw_cxgb4: Guard against null cm_id in dump_ep/qp (bsc#1026570). - KABI: Hide new include in arch/powerpc/kernel/process.c (fate#322421). - kABI: move and hide new cxgbi device owner field (bsc#1018885). - kABI: protect cgroup include in kernel/kthread (kabi). - kABI: protect struct mnt_namespace (kabi). - kABI: protect struct snd_fw_async_midi_port (kabi). - kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed (4.4.68 stable queue). - kvm: better MWAIT emulation for guests (bsc#1031142). - kvm: nVMX: do not leak PML full vmexit to L1 (4.4.68 stable queue). - kvm: nVMX: initialize PML fields in vmcs02 (4.4.68 stable queue). - leds: ktd2692: avoid harmless maybe-uninitialized warning (4.4.68 stable queue). - libata-scsi: Fixup ata_gen_passthru_sense() (bsc#1040125). - lib/mpi: mpi_read_raw_data(): fix nbits calculation (bsc#1003581). - lib/mpi: mpi_read_raw_data(): purge redundant clearing of nbits (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): do not include leading zero SGEs in nbytes (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): fix nbits calculation (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): fix out-of-bounds buffer access (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): purge redundant clearing of nbits (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): replace len argument by nbytes (bsc#1003581). - lib/mpi: mpi_read_raw_from_sgl(): sanitize meaning of indices (bsc#1003581). - libnvdimm, pfn: fix 'npfns' vs section alignment (bsc#1040125). - livepatch: Allow architectures to specify an alternate ftrace location (FATE#322421). - locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER (bsc#1031717). - lpfc: remove incorrect lockdep assertion (bsc#1040125). - md.c:didn't unlock the mddev before return EINVAL in array_size_store (bsc#1038143). - md-cluster: fix potential lock issue in add_new_disk (bsc#1041087). - md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop (bsc#1038142). - md/raid1: avoid reusing a resync bio after error handling (Fate#311379). - media: am437x-vpfe: fix an uninitialized variable bug (bsc#1031717). - media: b2c2: use IS_REACHABLE() instead of open-coding it (bsc#1031717). - media: c8sectpfe: Rework firmware loading mechanism (bsc#1031717). - media: cx231xx-audio: fix NULL-deref at probe (bsc#1031717). - media: cx231xx-cards: fix NULL-deref at probe (bsc#1031717). - media: cx23885: uninitialized variable in cx23885_av_work_handler() (bsc#1031717). - media: DaVinci-VPBE: Check return value of a setup_if_config() call in vpbe_set_output() (bsc#1031717). - media: DaVinci-VPFE-Capture: fix error handling (bsc#1031717). - media: dib0700: fix NULL-deref at probe (bsc#1031717). - media: dvb-usb: avoid link error with dib3000m{b,c| (bsc#1031717). - media: exynos4-is: fix a format string bug (bsc#1031717). - media: gspca: konica: add missing endpoint sanity check (bsc#1031717). - media: lirc_imon: do not leave imon_probe() with mutex held (bsc#1031717). - media: pvrusb2: reduce stack usage pvr2_eeprom_analyze() (bsc#1031717). - media: rc: allow rc modules to be loaded if rc-main is not a module (bsc#1031717). - media: s5p-mfc: Fix unbalanced call to clock management (bsc#1031717). - media: sh-vou: clarify videobuf2 dependency (bsc#1031717). - media: staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs() (bsc#1031717). - media: usbvision: fix NULL-deref at probe (bsc#1031717). - media: uvcvideo: Fix empty packet statistic (bsc#1031717). - mips: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix (4.4.68 stable queue). - mmc: debugfs: correct wrong voltage value (bsc#1031717). - mm,compaction: serialize waitqueue_active() checks (bsc#971975). - mmc: sdhci-pxav3: fix higher speed mode capabilities (bsc#1031717). - mmc: sdhci: restore behavior when setting VDD via external regulator (bsc#1031717). - mm: fix stray kernel-doc notation (bnc#971975 VM -- git fixes). - mwifiex: Avoid skipping WEP key deletion for AP (4.4.68 stable queue). - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print (4.4.68 stable queue). - mwifiex: pcie: fix cmd_buf use-after-free in remove/reset (bsc#1031717). - mwifiex: Removed unused 'pkt_type' variable (bsc#1031717). - mwifiex: remove redundant dma padding in AMSDU (4.4.68 stable queue). - mwifiex: Remove unused 'bcd_usb' variable (bsc#1031717). - mwifiex: Remove unused 'chan_num' variable (bsc#1031717). - mwifiex: Remove unused 'pm_flag' variable (bsc#1031717). - mwifiex: Remove unused 'sta_ptr' variable (bsc#1031717). - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670). - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670). - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670). - nfs: Fix inode corruption in nfs_prime_dcache() (git-fixes). - nfs: Fix missing pg_cleanup after nfs_pageio_cond_complete() (git-fixes). - nfs: Use GFP_NOIO for two allocations in writeback (git-fixes). - nfsv4.1: Fix Oopsable condition in server callback races (git-fixes). - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (bsc#1004003). - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (bsc#1004003). - pci: pciehp: Prioritize data-link event over presence detect (bsc#1031040,bsc#1037483). - pci: Reverse standard ACS vs device-specific ACS enabling (bsc#1030057). - pci: Work around Intel Sunrise Point PCH incorrect ACS capability (bsc#1030057). - perf/x86/intel/uncore: Remove SBOX support for Broadwell server (bsc#1035887). - phy: qcom-usb-hs: Add depends on EXTCON (4.4.68 stable queue). - pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes (bnc#1012985). - PKCS#7: fix missing break on OID_sha224 case (bsc#1031717). - platform/x86: fujitsu-laptop: use brightness_set_blocking for LED-setting callbacks (bsc#1031717). - PM / wakeirq: Enable dedicated wakeirq for suspend (bsc#1031717). - PM / wakeirq: Fix spurious wake-up events for dedicated wakeirqs (bsc#1031717). - PM / wakeirq: report a wakeup_event on dedicated wekup irq (bsc#1031717). - power: bq27xxx: fix register numbers of bq27500 (bsc#1031717). - powerpc: Create a helper for getting the kernel toc value (FATE#322421). - powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel (FATE#322421). - powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI (FATE#322421). - powerpc/ftrace: Use $(CC_FLAGS_FTRACE) when disabling ftrace (FATE#322421). - powerpc/ftrace: Use generic ftrace_modify_all_code() (FATE#322421). - powerpc: introduce TIF_KGR_IN_PROGRESS thread flag (FATE#322421). - powerpc/livepatch: Add livepatch header (FATE#322421). - powerpc/livepatch: Add live patching support on ppc64le (FATE#322421). - powerpc/livepatch: Add livepatch stack to struct thread_info (FATE#322421). - powerpc/module: Create a special stub for ftrace_caller() (FATE#322421). - powerpc/module: Mark module stubs with a magic value (FATE#322421). - powerpc/module: Only try to generate the ftrace_caller() stub once (FATE#322421). - powerpc/modules: Never restore r2 for a mprofile-kernel style mcount() call (FATE#322421). - powerpc/powernv: Fix opal_exit tracepoint opcode (4.4.68 stable queue). - power: supply: bq24190_charger: Call power_supply_changed() for relevant component (4.4.68 stable queue). - power: supply: bq24190_charger: Call set_mode_host() on pm_resume() (4.4.68 stable queue). - power: supply: bq24190_charger: Do not read fault register outside irq_handle_thread() (4.4.68 stable queue). - power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING (4.4.68 stable queue). - power: supply: bq24190_charger: Handle fault before status on interrupt (4.4.68 stable queue). - power: supply: bq24190_charger: Install irq_handler_thread() at end of probe() (4.4.68 stable queue). - ppc64le: Update ppc64le config files to use KGRAFT. - printk: Switch to the sync mode when an emergency message is printed (bsc#1034995). - RDMA/iw_cxgb4: Add missing error codes for act open cmd (bsc#1026570). - RDMA/iw_cxgb4: Low resource fixes for Completion queue (bsc#1026570). - RDMA/iw_cxgb4: only read markers_enabled mod param once (bsc#1026570). - regulator: isl9305: fix array size (bsc#1031717). - Revert 'acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)' (kabi). - Revert 'KVM: nested VMX: disable perf cpuid reporting' (4.4.68 stable queue). - Revert 'l2tp: take reference on sessions being dumped' (kabi). - Revert 'mac80211: pass block ack session timeout to to driver' (kabi). - Revert 'mac80211: RX BA support for sta max_rx_aggregation_subframes' (kabi). - Revert 'wlcore: Add RX_BA_WIN_SIZE_CHANGE_EVENT event' (kabi). - rpm/SLES-UEFI-SIGN-Certificate-2048.crt: Update the certificate (bsc#1035922) - rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string (4.4.68 stable queue). - s390/dasd: check if query host access feature is supported (bsc#1037871). - scsi: be2iscsi: Add FUNCTION_RESET during driver unload (bsc#1038458). - scsi: be2iscsi: Add IOCTL to check UER supported (bsc#1038458). - scsi: be2iscsi: Add TPE recovery feature (bsc#1038458). - scsi: be2iscsi: Add V1 of EPFW cleanup IOCTL (bsc#1038458). - scsi: be2iscsi: allocate enough memory in beiscsi_boot_get_sinfo() (bsc#1038458). - scsi: be2iscsi: Check all zeroes IP before issuing IOCTL (bsc#1038458). - scsi: be2iscsi: Fail the sessions immediately after TPE (bsc#1038458). - scsi: be2iscsi: Fix async PDU handling path (bsc#1038458). - scsi: be2iscsi: Fix bad WRB index error (bsc#1038458). - scsi: be2iscsi: Fix checks for HBA in error state (bsc#1038458). - scsi: be2iscsi: Fix gateway APIs to support IPv4 & IPv6 (bsc#1038458). - scsi: be2iscsi: Fix POST check and reset sequence (bsc#1038458). - scsi: be2iscsi: Fix queue and connection parameters (bsc#1038458). - scsi: be2iscsi: Fix release of DHCP IP in static mode (bsc#1038458). - scsi: be2iscsi: Fix to add timer for UE detection (bsc#1038458). - scsi: be2iscsi: Fix to make boot discovery non-blocking (bsc#1038458). - scsi: be2iscsi: Fix to use correct configuration values (bsc#1038458). - scsi: be2iscsi: Handle only NET_PARAM in iface_get_param (bsc#1038458). - scsi: be2iscsi: Move functions to right files (bsc#1038458). - scsi: be2iscsi: Move VLAN code to common iface_set_param (bsc#1038458). - scsi: be2iscsi: Reduce driver load/unload time (bsc#1038458). - scsi: be2iscsi: Remove alloc_mcc_tag & beiscsi_pci_soft_reset (bsc#1038458). - scsi: be2iscsi: Remove isr_lock and dead code (bsc#1038458). - scsi: be2iscsi: Rename iface get/set/create/destroy APIs (bsc#1038458). - scsi: be2iscsi: Replace _bh version for mcc_lock spinlock (bsc#1038458). - scsi: be2iscsi: Set and return right iface v4/v6 states (bsc#1038458). - scsi: be2iscsi: Update copyright information (bsc#1038458). - scsi: be2iscsi: Update iface handle before any set param (bsc#1038458). - scsi: be2iscsi: Update the driver version (bsc#1038458). - scsi: cxgb4i: libcxgbi: add missing module_put() (bsc#1018885). - scsi: cxlflash: Remove the device cleanly in the system shutdown path (bsc#1028310, fate#321597, bsc#1034762). cherry-pick from SP3 - scsi_dh_alua: do not call BUG_ON when updating port group (bsc#1028340). - scsi_dh_alua: Do not retry for unmapped device (bsc#1012910). - scsi: fnic: Correcting rport check location in fnic_queuecommand_lck (bsc#1035920). - scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m (4.4.68 stable queue). - scsi: scsi_dh_alua: Check scsi_device_get() return value (bsc#1040125). - scsi: scsi_dh_emc: return success in clariion_std_inquiry() (4.4.68 stable queue). - serial: 8250_omap: Fix probe and remove for PM runtime (4.4.68 stable queue). - staging: emxx_udc: remove incorrect __init annotations (4.4.68 stable queue). - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() (bsc#1031717). - staging: wlan-ng: add missing byte order conversion (4.4.68 stable queue). - sunrpc: Allow xprt->ops->timer method to sleep (git-fixes). - sunrpc: fix UDP memory accounting (git-fixes). - tcp: do not inherit fastopen_req from parent (4.4.68 stable queue). - tcp: do not underestimate skb->truesize in tcp_trim_head() (4.4.68 stable queue). - tcp: fix wraparound issue in tcp_lp (4.4.68 stable queue). - tracing/kprobes: Enforce kprobes teardown after testing (bnc#1012985). - usb: chipidea: Handle extcon events properly (4.4.68 stable queue). - usb: chipidea: Only read/write OTGSC from one place (4.4.68 stable queue). - usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths (4.4.68 stable queue). - usb: host: ohci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths (4.4.68 stable queue). - usb: musb: ux500: Fix NULL pointer dereference at system PM (bsc#1038033). - usb: serial: ark3116: fix open error handling (bnc#1038043). - usb: serial: ch341: add register and USB request definitions (bnc#1038043). - usb: serial: ch341: add support for parity, frame length, stop bits (bnc#1038043). - usb: serial: ch341: fix baud rate and line-control handling (bnc#1038043). - usb: serial: ch341: fix line settings after reset-resume (bnc#1038043). - usb: serial: ch341: fix modem-status handling (bnc#1038043). - usb: serial: ch341: reinitialize chip on reconfiguration (bnc#1038043). - usb: serial: digi_acceleport: fix incomplete rx sanity check (4.4.68 stable queue). - usb: serial: fix compare_const_fl.cocci warnings (bnc#1038043). - usb: serial: ftdi_sio: fix latency-timer error handling (4.4.68 stable queue). - usb: serial: io_edgeport: fix descriptor error handling (4.4.68 stable queue). - usb: serial: io_edgeport: fix epic-descriptor handling (bnc#1038043). - usb: serial: keyspan_pda: fix receive sanity checks (4.4.68 stable queue). - usb: serial: mct_u232: fix modem-status error handling (4.4.68 stable queue). - usb: serial: quatech2: fix control-message error handling (bnc#1038043). - usb: serial: sierra: fix bogus alternate-setting assumption (bnc#1038043). - usb: serial: ssu100: fix control-message error handling (bnc#1038043). - usb: serial: ti_usb_3410_5052: fix control-message error handling (4.4.68 stable queue). - Use make --output-sync feature when available (bsc#1012422). The mesages in make output can interleave making it impossible to extract warnings reliably. Since version 4 GNU Make supports --output-sync flag that prints output of each sub-command atomically preventing this issue. Detect the flag and use it if available. - Use up spare in struct module for livepatch (FATE#322421). - vsock: Detach QP check should filter out non matching QPs (bsc#1036752). - x86/ioapic: Restore IO-APIC irq_chip retrigger callback (4.4.68 stable queue). - x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 (4.4.68 stable queue). - x86/platform/intel-mid: Correct MSI IRQ line for watchdog device (4.4.68 stable queue). - x86/platform/uv/BAU: Add generic function pointers (bsc#1035024). - x86/platform/uv/BAU: Add payload descriptor qualifier (bsc#1035024). - x86/platform/uv/BAU: Add status mmr location fields to bau_control (bsc#1035024). - x86/platform/uv/BAU: Add UV4-specific functions (bsc#1035024). - x86/platform/uv/BAU: Add uv_bau_version enumerated constants (bsc#1035024). - x86/platform/uv/BAU: Add wait_completion to bau_operations (bsc#1035024). - x86/platform/uv/BAU: Clean up and update printks (bsc#1035024). - x86/platform/uv/BAU: Cleanup bau_operations declaration and instances (bsc#1035024). - x86/platform/uv/BAU: Clean up pq_init() (bsc#1035024). - x86/platform/uv/BAU: Clean up vertical alignment (bsc#1035024). - x86/platform/uv/BAU: Convert uv_physnodeaddr() use to uv_gpa_to_offset() (bsc#1035024). - x86/platform/uv/BAU: Disable software timeout on UV4 hardware (bsc#1035024). - x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register (bsc#1035024). - x86/platform/uv/BAU: Fix payload queue setup on UV4 hardware (bsc#1035024). - x86/platform/uv/BAU: Implement uv4_wait_completion with read_status (bsc#1035024). - x86/platform/uv/BAU: Populate ->uvhub_version with UV4 version information (bsc#1035024). - x86/platform/uv/BAU: Use generic function pointers (bsc#1035024). - xen: adjust early dom0 p2m handling to xen hypervisor behavior (bnc#1031470). - xfs: do not assert fail on non-async buffers on ioacct decrement (bsc#1041160). - xfs: fix eofblocks race with file extending async dio writes (bsc#1040929). - xfs: Fix missed holes in SEEK_HOLE implementation (bsc#1041168). - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff() (bsc#1041168). - xfs: in _attrlist_by_handle, copy the cursor back to userspace (bsc#1041242). - xfs: only return -errno or success from attr ->put_listent (bsc#1041242). - xfs: Split default quota limits by quota type (bsc#1040941). - xfs: use ->b_state to fix buffer I/O accounting release race (bsc#1041160).
    last seen 2017-10-29
    modified 2017-06-09
    plugin id 100711
    published 2017-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100711
    title openSUSE Security Update : the Linux Kernel (openSUSE-2017-666)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-993.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-0605 A buffer overflow flaw was discovered in the trace subsystem. CVE-2017-7487 Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result into a use-after-free vulnerability, triggerable when a IPX interface is configured. CVE-2017-7645 Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 PRC clients, leading to a denial of service. CVE-2017-7895 Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations do not properly handle payload bounds checking of WRITE requests. A remote attacker with write access to a NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space. CVE-2017-8890 It was discovered that the net_csk_clone_lock() function allows a remote attacker to cause a double free leading to a denial of service or potentially have other impact. CVE-2017-8924 Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected. CVE-2017-8925 Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices. CVE-2017-9074 Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer. A local user or guest VM might be able to use this to leak sensitive information or to cause a denial of service (crash). CVE-2017-9075 Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user. CVE-2017-9076 / CVE-2017-9077 Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075. CVE-2017-9242 Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation. A local user could use this for denial of service (memory corruption; crash) and possibly for privilege escalation. CVE-2017-1000364 The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack-pointer can jump over the guard-page and moving from the stack into another memory region without accessing the guard-page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation. The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line. Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx t For Debian 7 'Wheezy', this problem has been fixed in version 3.2.89-2. For Debian 8 'Jessie', this problem has been fixed in version 3.16.43-2+deb8u2. For Debian 9 'Stretch', this problem has been fixed in version 4.9.30-2+deb9u2. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100876
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100876
    title Debian DLA-993-2 : linux regression update (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3325-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100923
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100923
    title Ubuntu 17.04 : linux-meta-raspi2, linux-raspi2 vulnerabilities (USN-3325-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3326-1.NASL
    description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100924
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100924
    title Ubuntu 16.10 : linux, linux-meta vulnerabilities (USN-3326-1) (Stack Clash)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZA-2017-044.NASL
    description According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-08-16
    plugin id 100600
    published 2017-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100600
    title Virtuozzo 7 : readykernel-patch (VZA-2017-044)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3333-1.NASL
    description It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374) It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) Ingo Molnar discovered that the VideoCore DRM driver in the Linux kernel did not return an error after detecting certain overflows. A local attacker could exploit this issue to cause a denial of service (OOPS). (CVE-2017-5577) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100931
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100931
    title Ubuntu 16.04 LTS : linux-hwe, linux-meta-hwe vulnerabilities (USN-3333-1) (Stack Clash)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3329-1.NASL
    description It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges (CVE-2017-1000364) Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments. A local attacker with write access to the kernel command line arguments could use this to execute arbitrary code. (CVE-2017-1000363) A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487) A double free bug was discovered in the IPv4 stack of the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2017-8890) Andrey Konovalov discovered an IPv6 out-of-bounds read error in the Linux kernel's IPv6 stack. A local attacker could cause a denial of service or potentially other unspecified problems. (CVE-2017-9074) Andrey Konovalov discovered a flaw in the handling of inheritance in the Linux kernel's IPv6 stack. A local user could exploit this issue to cause a denial of service or possibly other unspecified problems. (CVE-2017-9075) It was discovered that dccp v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9076) It was discovered that the transmission control protocol (tcp) v6 in the Linux kernel mishandled inheritance. A local attacker could exploit this issue to cause a denial of service or potentially other unspecified problems. (CVE-2017-9077) It was discovered that the IPv6 stack was doing over write consistency check after the data was actually overwritten. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2017-9242). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-10-06
    plugin id 100927
    published 2017-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100927
    title Ubuntu 16.04 LTS : linux-gke, linux-meta-gke vulnerabilities (USN-3329-1) (Stack Clash)
redhat via4
advisories
  • rhsa
    id RHSA-2017:1842
  • rhsa
    id RHSA-2017:2077
  • rhsa
    id RHSA-2017:2669
rpms
  • kernel-0:3.10.0-693.el7
  • kernel-abi-whitelists-0:3.10.0-693.el7
  • kernel-bootwrapper-0:3.10.0-693.el7
  • kernel-debug-0:3.10.0-693.el7
  • kernel-debug-devel-0:3.10.0-693.el7
  • kernel-devel-0:3.10.0-693.el7
  • kernel-doc-0:3.10.0-693.el7
  • kernel-headers-0:3.10.0-693.el7
  • kernel-kdump-0:3.10.0-693.el7
  • kernel-kdump-devel-0:3.10.0-693.el7
  • kernel-tools-0:3.10.0-693.el7
  • kernel-tools-libs-0:3.10.0-693.el7
  • kernel-tools-libs-devel-0:3.10.0-693.el7
  • perf-0:3.10.0-693.el7
  • python-perf-0:3.10.0-693.el7
  • kernel-rt-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.rt56.617.el7
  • kernel-rt-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-doc-0:3.10.0-693.rt56.617.el7
  • kernel-rt-kvm-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-devel-0:3.10.0-693.rt56.617.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.rt56.617.el7
refmap via4
bid 98586
confirm
debian DSA-3886
Last major update 19-05-2017 - 03:29
Published 19-05-2017 - 03:29
Last modified 04-01-2018 - 21:31
Back to Top