ID CVE-2017-17741
Summary The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h.
References
Vulnerable Configurations
  • Linux Kernel 4.14.7
    cpe:2.3:o:linux:linux_kernel:4.14.7
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 2.1
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0015.NASL
    description An update of 'linux' packages of Photon OS has been released.
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 111285
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111285
    title Photon OS 2.0 : linux (PhotonOS-PHSA-2018-2.0-0015)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-1EBB87E7C0.NASL
    description The 4.14.8 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-02-01
    plugin id 105830
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105830
    title Fedora 27 : kernel (2017-1ebb87e7c0)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0237.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates :
      - dm: fix race between dm_get_from_kobject and __dm_destroy (Hou Tao) (CVE-2017-18203)
      - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] (CVE-2018-8781)
      - kernel/exit.c: avoid undefined behaviour when calling wait4 wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] (CVE-2018-10087)
      - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) (CVE-2018-10124)
      - bluetooth: Validate socket address length in sco_sock_bind. (mlevatic) [Orabug: 28130293] (CVE-2015-8575)
      - dccp: check sk for closed state in dccp_sendmsg (Alexey Kodanev) [Orabug: 28220402] (CVE-2017-8824) (CVE-2018-1130)
      - sctp: verify size of a new chunk in _sctp_make_chunk (Alexey Kodanev) [Orabug: 28240075] (CVE-2018-5803)
      - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] (CVE-2017-7616)
      - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] (CVE-2017-11600)
      - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] (CVE-2018-3665)
      - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] (CVE-2017-17741)
      - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] (CVE-2018-10323)
      - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410)
      - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2549)
      - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548)
      - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2545)
      - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543)
      - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2544)
      - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384)
      - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] (CVE-2018-1000199)
      - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly) [Orabug: 27947608]
    last seen 2018-09-01
    modified 2018-08-07
    plugin id 111022
    published 2018-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111022
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0237)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-7810B7C59F.NASL
    description The 4.14.8 stable kernel update contains a number of important fixes across the tree. ---- The 4.14.7 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-02-02
    plugin id 105447
    published 2017-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105447
    title Fedora 26 : kernel (2017-7810b7c59f)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4073.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
      - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
      - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
      - CVE-2017-16644 Andrey Konovalov reported that the hdpvr media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
      - CVE-2017-16995 Jann Horn discovered that the Extended BPF verifier did not correctly model the behaviour of 32-bit load instructions. A local user can use this for privilege escalation.
      - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact.
      - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information.
      - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list.
      - CVE-2017-17558 Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.
      - CVE-2017-17712 Mohamed Ghannam discovered a race condition in the IPv4 raw socket implementation. A local user could use this to obtain sensitive information from the kernel.
      - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash).
      - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact.
      - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation.
      - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information.
      - CVE-2017-17862 Alexei Starovoitov discovered that the Extended BPF verifier ignored unreachable code, even though it would still be processed by JIT compilers. This could possibly be used by local users for denial of service. It also increases the severity of bugs in determining unreachable code.
      - CVE-2017-17863 Jann Horn discovered that the Extended BPF verifier did not correctly model pointer arithmetic on the stack frame pointer. A local user can use this for privilege escalation.
      - CVE-2017-17864 Jann Horn discovered that the Extended BPF verifier could fail to detect pointer leaks from conditional code. A local user could use this to obtain sensitive information in order to exploit other vulnerabilities.
      - CVE-2017-1000407 Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.
      - CVE-2017-1000410 Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.
      The various problems in the Extended BPF verifier can be mitigated by disabling use of Extended BPF by unprivileged users: sysctl kernel.unprivileged_bpf_disabled=1
      Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-17448 can be exploited by any local user.
    last seen 2018-09-02
    modified 2018-07-26
    plugin id 105433
    published 2017-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105433
    title Debian DSA-4073-1 : linux - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0525-1.NASL
    description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :
      - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'.
      - CVE-2017-18079: drivers/input/serio/i8042.c allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922).
      - CVE-2015-1142857: Prevent guests from sending ethernet flow control pause frames via the PF (bnc#1077355).
      - CVE-2017-17741: KVM allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read (bnc#1073311).
      - CVE-2017-13215: Prevent elevation of privilege (bnc#1075908).
      - CVE-2018-1000004: Prevent race condition in the sound system; this could have led to a deadlock and denial of service condition (bnc#1076017).
      - CVE-2017-17806: The HMAC implementation did not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack-based buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization (bnc#1073874).
      - CVE-2017-17805: The Salsa20 encryption algorithm did not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792).
      The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-01
    plugin id 106967
    published 2018-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106967
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0525-1) (Spectre)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4134.NASL
    description Description of changes: kernel-uek
      [3.8.13-118.21.4.el7uek]
      - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] {CVE-2018-3665}
      [3.8.13-118.21.3.el7uek]
      - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] {CVE-2017-17741}
      - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] {CVE-2018-10323}
      - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] {CVE-2017-1000410}
      - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2549}
      - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2547} {CVE-2016-2548}
      - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2545}
      - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2543}
      - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2544}
      - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] {CVE-2016-2384}
      [3.8.13-118.21.2.el7uek]
      - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-1000199}
      - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly) [Orabug: 27947608]
    last seen 2018-09-02
    modified 2018-06-18
    plugin id 110583
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110583
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4134)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3619-1.NASL
    description
      Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995)
      It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)
      It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)
      It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472)
      It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)
      It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)
      Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)
      Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)
      Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)
      Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)
      Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)
      Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649)
      Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650)
      It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)
      It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)
      It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)
      It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914)
      It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994)
      It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448)
      It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)
      It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)
      It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)
      Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741)
      It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)
      It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)
      It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)
      Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)
      It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)
      It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)
      It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)
      It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)
      Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm. (CVE-2017-7518)
      It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)
      It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332)
      Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)
      Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)
      It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)
      It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)
      It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043)
      Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-07-26
    plugin id 108842
    published 2018-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108842
    title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0102.NASL
    description An update of 'linux' packages of Photon OS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111914
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111914
    title Photon OS 1.0: Linux PHSA-2018-1.0-0102
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4172.NASL
    description Description of changes:
      [2.6.39-400.300.2.el6uek]
      - Revert 'RDS: don't commit to queue till transport connection is up' (Santosh Shilimkar) [Orabug: 27619034]
      - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951293] {CVE-2017-17741}
      - kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 28049790] {CVE-2018-10087}
      - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) [Orabug: 28082989] {CVE-2018-10124}
      - bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic) [Orabug: 28130291] {CVE-2015-8575}
      - x86/bug: Fix typo's from commit b2d2b5b2 (x86/fpu: Make eager FPU default) (Mihai Carabas) [Orabug: 28194606]
      - dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220512] {CVE-2017-8824} {CVE-2018-1130}
      - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242479] {CVE-2017-7616}
      - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264531] {CVE-2017-11600}
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 111144
    published 2018-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111144
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4172)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3617-1.NASL
    description
      It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)
      It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)
      It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)
      Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)
      Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)
      Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)
      Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)
      Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647)
      Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649)
      Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650)
      It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994)
      It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448)
      It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)
      Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741)
      It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)
      It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)
      It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)
      It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)
      It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)
      It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332)
      Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)
      Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)
      Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-04-04
    plugin id 108834
    published 2018-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108834
    title Ubuntu 17.10 : linux vulnerabilities (USN-3617-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0437-1.NASL
    description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'. - CVE-2017-18079: drivers/input/serio/i8042.c allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922) - CVE-2015-1142857: Prevent guests from sending ethernet flow control pause frames via the PF (bnc#1077355) - CVE-2017-17741: KVM allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read (bnc#1073311) - CVE-2017-13215: Prevent elevation of privilege (bnc#1075908) - CVE-2018-1000004: Prevent race condition in the sound system, which could have led to a deadlock and denial of service condition (bnc#1076017) - CVE-2017-17806: The HMAC implementation did not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack-based buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization (bnc#1073874) - CVE-2017-17805: The Salsa20 encryption algorithm did not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by 
executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 106815
    published 2018-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106815
    title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0437-1) (Spectre)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4108.NASL
    description Description of changes: [4.1.12-124.15.1.el7uek] - netfilter: nfnetlink_cthelper: Add missing permission checks (Kevin Cernekee) [Orabug: 27260771] {CVE-2017-17448} - netlink: Add netns check on taps (Kevin Cernekee) [Orabug: 27260799] {CVE-2017-17449} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27290606] {CVE-2017-17741} {CVE-2017-17741} - xprtrdma: Detect unreachable NFS/RDMA servers more reliably (Chuck Lever) [Orabug: 27587008] - sunrpc: Export xprt_force_disconnect() (Chuck Lever) [Orabug: 27587008] - sunrpc: Allow xprt->ops->timer method to sleep (Chuck Lever) [Orabug: 27587008] - KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit (Haozhong Zhang) [Orabug: 27720128] - x86/microcode: probe CPU features on microcode update (Ankur Arora) [Orabug: 27878230] - x86/microcode: microcode_write() should not reference boot_cpu_data (Ankur Arora) [Orabug: 27878230] - x86/cpufeatures: use cpu_data in init_scattered_cpuid_flags() (Ankur Arora) [Orabug: 27878230] - mm/pagewalk.c: report holes in hugetlb ranges (Jann Horn) [Orabug: 27913118] {CVE-2017-16994} - KEYS: don't let add_key() update an uninstantiated key (David Howells) [Orabug: 27913330] {CVE-2017-15299} - drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (Murray McAllister) [Orabug: 27913367] {CVE-2017-7294} - vmscan: Support multiple kswapd threads per node (Buddy Lumpkin) [Orabug: 27913411] - tcp: don't use F-RTO on non-recurring timeouts (Yuchung Cheng) [Orabug: 27901860] - net/rds: ib: Release correct number of frags (Håkon Bugge) [Orabug: 27924161] - crypto: rng - Remove old low-level rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: drbg - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: ansi_cprng - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - crypto: krng - Convert to new rng interface (Herbert Xu) [Orabug: 27926676] {CVE-2017-15116} - 
RDS: Heap OOB write in rds_message_alloc_sgs() (Mohamed Ghannam) [Orabug: 27934066] {CVE-2018-5332} - net: Fix double free and memory corruption in get_net_ns_by_id() (Eric W. Biederman) [Orabug: 27934789] {CVE-2017-15129}
    last seen 2018-09-02
    modified 2018-05-16
    plugin id 109828
    published 2018-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109828
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4108)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3620-1.NASL
    description It was discovered that the netlink 802.11 configuration interface in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11089) It was discovered that a buffer overflow existed in the ioctl handling code in the ISDN subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-12762) It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807) It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026) It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. 
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-04-05
    plugin id 108843
    published 2018-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108843
    title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3620-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3632-1.NASL
    description It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). 
(CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807) It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026) It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344) It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-04-24
    plugin id 109316
    published 2018-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109316
    title Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3632-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3617-3.NASL
    description It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). 
(CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. 
A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026) It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in the loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-04-05
    plugin id 108840
    published 2018-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108840
    title Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3617-3)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0231.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] (CVE-2018-3665) - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741) - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] (CVE-2018-10323) - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410) (CVE-2017-1000410) - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2549) - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548) - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2545) - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543) - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2544) - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384) - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] (CVE-2018-1000199) - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly) [Orabug: 27947608]
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 110581
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110581
    title OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0231)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0660-1.NASL
    description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'. - CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux kernel allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922). - CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311). - CVE-2017-13215: An elevation of privilege vulnerability in the upstream kernel skcipher (bnc#1075908). 
- CVE-2018-1000004: In the Linux kernel a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-01
    plugin id 108279
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108279
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0660-1) (Spectre)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-944.NASL
    description Race condition in raw_sendmsg function allows denial-of-service or kernel addresses leak A flaw was found in the Linux kernel's implementation of raw_sendmsg allowing a local attacker to panic the kernel or possibly leak kernel addresses. A local attacker, with the privilege of creating raw sockets, can abuse a possible race condition when setting the socket option to allow the kernel to automatically create ip header values and thus potentially escalate their privileges. (CVE-2017-17712) Use-after-free vulnerability in DCCP socket A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to escalate their privileges. (CVE-2017-8824) Stack-based out-of-bounds read via vmcall instruction Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes. (CVE-2017-17741) Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. (CVE-2017-17450) Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. (CVE-2017-17448)
    last seen 2018-09-01
    modified 2018-04-18
    plugin id 106171
    published 2018-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106171
    title Amazon Linux AMI : kernel (ALAS-2018-944)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-956.NASL
    description Stack-based out-of-bounds read via vmcall instruction Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes. (CVE-2017-17741) drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service A flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to set up loopback disks, may create a denial of service or other unspecified actions. (CVE-2018-5344) pmd can become dirty without going through a COW cycle A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405) Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied Linux kernel contains an Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appears to be exploitable when the NFS server exports a filesystem with the 'rootsquash' option enabled. This vulnerability appears to have been fixed after commit 1995266727fa. (CVE-2018-1000028) Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. (CVE-2018-5750) Speculative execution bounds-check bypass An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). 
There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)
    last seen 2018-09-02
    modified 2018-05-25
    plugin id 109127
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109127
    title Amazon Linux 2 : kernel (ALAS-2018-956) (Dirty COW) (Spectre)
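The two Amazon Linux entries above (ALAS-2018-944 and ALAS-2018-956) are the only ones on this page that describe the mechanism of CVE-2017-17741 rather than just naming it: the trace call in KVM's MMIO write path read a full 8 bytes of the value buffer regardless of how wide the guest's MMIO write actually was, so a narrower write let bytes from the surrounding kernel stack into the trace record. The C program below is an added example written for this page, not code from the kernel or from any of the advisories. It models that bug class in user space with a constructed 8-byte "stack frame" (byte 0 is a 1-byte MMIO value, bytes 1..7 stand in for whatever followed it on the stack); the function names trace_val_vulnerable and trace_val_fixed, the frame layout and the fill byte are all assumptions, and the fixed shape (zeroed u64, copy at most min(8, len) bytes) is the generic bounded-copy fix for CWE-125, shown here as my reconstruction rather than a quotation of the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the emulator's stack: byte 0 holds the value
 * of a 1-byte guest MMIO write, bytes 1..7 model whatever follows it on
 * the kernel stack (filled with a recognisable pattern here).  The
 * layout and the fill byte are assumptions made for this example. */
#define FRAME_LEN  8
#define MMIO_LEN   1
#define STACK_FILL 0xA5

void build_frame(uint8_t frame[FRAME_LEN], uint8_t mmio_byte)
{
    memset(frame, STACK_FILL, FRAME_LEN);
    frame[0] = mmio_byte;
}

/* Vulnerable shape (modelled on pre-fix write_mmio): the value handed to
 * the trace event is read as a whole u64 no matter how many bytes the
 * guest wrote.  An 8-byte memcpy is the same read as a u64 dereference,
 * without the alignment and aliasing concerns in user space. */
uint64_t trace_val_vulnerable(const void *val, int len)
{
    uint64_t v;
    (void)len;                      /* len is ignored: this is the bug */
    memcpy(&v, val, sizeof v);
    return v;
}

/* Fixed shape: start from a zeroed u64 and copy at most min(8, len)
 * bytes, so nothing beyond the MMIO payload can reach the trace buffer. */
uint64_t trace_val_fixed(const void *val, int len)
{
    uint64_t v = 0;
    if (val && len > 0)
        memcpy(&v, val, len < 8 ? (size_t)len : sizeof v);
    return v;
}

/* Counts bytes of the traced value that lie beyond the MMIO payload
 * (byte index >= len) and are non-zero, i.e. bytes that leaked from the
 * surrounding stack.  Works on the object representation, so the result
 * does not depend on endianness. */
int leaked_bytes(uint64_t traced, int len)
{
    uint8_t b[sizeof traced];
    int n = 0;

    memcpy(b, &traced, sizeof b);
    for (int i = len; i < (int)sizeof b; i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* End-to-end scenario: a 1-byte MMIO write of 0x42 traced through the
 * vulnerable (use_fix == 0) or fixed (use_fix != 0) path.  Returns the
 * number of stack bytes that ended up in the trace record. */
int run_scenario(int use_fix)
{
    uint8_t frame[FRAME_LEN];
    uint64_t v;

    build_frame(frame, 0x42);
    v = use_fix ? trace_val_fixed(frame, MMIO_LEN)
                : trace_val_vulnerable(frame, MMIO_LEN);
    return leaked_bytes(v, MMIO_LEN);
}

int main(void)
{
    uint8_t frame[FRAME_LEN];

    build_frame(frame, 0x42);
    printf("vulnerable: 0x%016llx, %d stack bytes leaked\n",
           (unsigned long long)trace_val_vulnerable(frame, MMIO_LEN),
           run_scenario(0));
    printf("fixed:      0x%016llx, %d stack bytes leaked\n",
           (unsigned long long)trace_val_fixed(frame, MMIO_LEN),
           run_scenario(1));
    return 0;
}
```

The vulnerable path reports seven leaked bytes for a one-byte write, the fixed path none. The practical lesson for reviewing similar trace and logging helpers is that the width argument must gate the read, not just be recorded alongside it: any helper that takes a pointer plus a length and then reads a fixed-size word from the pointer is this bug waiting to happen, and the cheap fix is always a zero-initialised local plus a length-bounded memcpy.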
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4164.NASL
    description Description of changes: kernel-uek kernel-uek [3.8.13-118.22.1.el7uek] - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) {CVE-2017-18203} - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] {CVE-2018-8781} - kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] {CVE-2018-10087} - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) {CVE-2018-10124} - bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic) [Orabug: 28130293] {CVE-2015-8575} - dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220402] {CVE-2017-8824} {CVE-2018-1130} - sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey Kodanev) [Orabug: 28240075] {CVE-2018-5803} - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] {CVE-2017-7616} - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] {CVE-2017-11600} {CVE-2017-11600} - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] {CVE-2018-3665} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] {CVE-2017-17741} {CVE-2017-17741} - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] {CVE-2018-10323} - Bluetooth: Prevent stack info leak from the EFS element. 
(Ben Seri) [Orabug: 28030520] {CVE-2017-1000410} {CVE-2017-1000410} - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2549} - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2547} {CVE-2016-2548} - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2545} - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2543} - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2544} - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] {CVE-2016-2384} - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-1000199} - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly) [Orabug: 27947608]
    last seen 2018-09-01
    modified 2018-07-11
    plugin id 110998
    published 2018-07-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110998
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0555-1.NASL
    description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'. - CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621). - CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617). - CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488). - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux kernel allowed attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated (bnc#1077922). - CVE-2015-1142857: On multiple SR-IOV cards it is possible for VFs assigned to guests to send ethernet flow control pause frames via the PF (bnc#1077355). 
- CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311). - CVE-2017-13215: An elevation of privilege vulnerability in the upstream kernel skcipher (bnc#1075908). - CVE-2018-1000004: In the Linux kernel a race condition vulnerability existed in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 107055
    published 2018-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107055
    title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0555-1) (Meltdown) (Spectre)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4082.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing pti=off to the kernel command line. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-15868 Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16939 Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. - CVE-2017-17558 Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information. - CVE-2017-1000407 Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host. - CVE-2017-1000410 Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel.
    last seen 2018-09-01
    modified 2018-01-30
    plugin id 105704
    published 2018-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105704
    title Debian DSA-4082-1 : linux - security update (Meltdown)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-656.NASL
    description The openSUSE Leap 42.3 kernel was updated to 4.4.138 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bsc#1085308 bsc#1087082) This update improves the previous Spectre Variant 4 fixes and also mitigates them on the ARM architecture. - CVE-2018-3665: The FPU state and registers of x86 CPUs were saved and restored in a lazy fashion, which opened its disclosure by speculative side channel attacks. This has been fixed by replacing the lazy save/restore by eager saving and restoring (bnc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow (bnc#1097356). - CVE-2017-18249: The add_free_nid function in fs/f2fs/node.c did not properly track an allocated nid, which allowed local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads (bnc#1087036). - CVE-2017-18241: fs/f2fs/segment.c kernel allowed local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure (bnc#1086400). - CVE-2017-17741: The KVM implementation allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h (bnc#1073311 1091815). - CVE-2017-13305: An information disclosure vulnerability in the encrypted-keys. (bnc#1094353).
- CVE-2018-1093: The ext4_valid_block_bitmap function in fs/ext4/balloc.c allowed attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers (bnc#1087095). - CVE-2018-1094: The ext4_fill_super function in fs/ext4/super.c did not always initialize the crc32c checksum driver, which allowed attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (bnc#1087007 1092903). - CVE-2018-1092: The ext4_iget function in fs/ext4/inode.c mishandled the case of a root directory with a zero i_links_count, which allowed attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (bnc#1087012). - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c, a memory corruption bug in JFS could be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. (bsc#1097234) The following non-security bugs were fixed : - 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() (bnc#1012382). - acpi: acpi_pad: Fix memory leak in power saving threads (bnc#1012382). - acpica: acpi: acpica: fix acpi operand cache leak in nseval.c (bnc#1012382). - acpica: Events: add a return on failure from acpi_hw_register_read (bnc#1012382). - acpi: processor_perflib: Do not send _PPC change notification if not ready (bnc#1012382). - affs_lookup(): close a race with affs_remove_link() (bnc#1012382). - aio: fix io_destroy(2) vs. lookup_ioctx() race (bnc#1012382). - alsa: control: fix a redundant-copy issue (bnc#1012382). - alsa: hda: Add Lenovo C50 All in one to the power_save blacklist (bnc#1012382). 
- alsa: hda - Use IS_REACHABLE() for dependency on input (bnc#1012382 bsc#1031717). - alsa: timer: Call notifier in the same spinlock (bnc#1012382 bsc#973378). - alsa: timer: Fix pause event notification (bnc#1012382 bsc#973378). - alsa: timer: Fix pause event notification (bsc#973378). - alsa: usb: mixer: volume quirk for CM102-A+/102S+ (bnc#1012382). - alsa: vmaster: Propagate slave error (bnc#1012382). - arc: Fix malformed ARC_EMUL_UNALIGNED default (bnc#1012382). - arm64: Add ARCH_WORKAROUND_2 probing (bsc#1085308). - arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 (bsc#1085308). - arm64: Add 'ssbd' command-line option (bsc#1085308). - arm64: Add this_cpu_ptr() assembler macro for use in entry.S (bsc#1085308). - arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bnc#1012382). - arm64: alternatives: Add dynamic patching feature (bsc#1085308). - arm64: assembler: introduce ldr_this_cpu (bsc#1085308). - arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 (bsc#1085308). - arm64: do not call C code with el0's fp register (bsc#1085308). - arm64: fix endianness annotation for __apply_alternatives()/get_alt_insn() (bsc#1085308). - arm64: introduce mov_q macro to move a constant into a 64-bit register (bnc#1012382 bsc#1068032). - arm64: lse: Add early clobbers to some input/output asm operands (bnc#1012382). - arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics (bnc#1012382). - arm64: ssbd: Add global mitigation state accessor (bsc#1085308). - arm64: ssbd: Add prctl interface for per-thread mitigation (bsc#1085308). - arm64: ssbd: Introduce thread flag to control userspace mitigation (bsc#1085308). - arm64: ssbd: Restore mitigation status on CPU resume (bsc#1085308). - arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation (bsc#1085308). - arm: 8748/1: mm: Define vdso_start, vdso_end as array (bnc#1012382). - arm: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed (bnc#1012382). 
- arm: 8770/1: kprobes: Prohibit probing on optimized_callback (bnc#1012382). - arm: 8771/1: kprobes: Prohibit kprobes on do_undefinstr (bnc#1012382). - arm: 8772/1: kprobes: Prohibit kprobes on get_user functions (bnc#1012382). - arm/arm64: smccc: Add SMCCC-specific return codes (bsc#1085308). - arm: dts: socfpga: fix GIC PPI warning (bnc#1012382). - arm: OMAP1: clock: Fix debugfs_create_*() usage (bnc#1012382). - arm: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt (bnc#1012382). - arm: OMAP3: Fix prm wake interrupt for resume (bnc#1012382). - arm: OMAP: Fix dmtimer init for omap1 (bnc#1012382). - asm-generic: provide generic_pmdp_establish() (bnc#1012382). - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() (bnc#1012382 bsc#1031717). - ASoC: Intel: sst: remove redundant variable dma_dev_name (bnc#1012382). - ASoC: samsung: i2s: Ensure the RCLK rate is properly determined (bnc#1012382). - ASoC: topology: create TLV data for dapm widgets (bnc#1012382). - ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) (bnc#1012382). - audit: move calcs after alloc and check when logging set loginuid (bnc#1012382). - audit: return on memory error to avoid NULL pointer dereference (bnc#1012382). - autofs: change autofs4_expire_wait()/do_expire_wait() to take struct path (bsc#1086716). - autofs: change autofs4_wait() to take struct path (bsc#1086716). - autofs: use path_has_submounts() to fix unreliable have_submount() checks (bsc#1086716). - autofs: use path_is_mountpoint() to fix unreliable d_mountpoint() checks (bsc#1086716). - batman-adv: fix header size check in batadv_dbg_arp() (bnc#1012382). - batman-adv: fix multicast-via-unicast transmission with AP isolation (bnc#1012382). - batman-adv: fix packet checksum in receive path (bnc#1012382). - batman-adv: fix packet loss for broadcasted DHCP packets to a server (bnc#1012382). - batman-adv: invalidate checksum on fragment reassembly (bnc#1012382). 
- bcache: fix for allocator and register thread race (bnc#1012382). - bcache: fix for data collapse after re-attaching an attached device (bnc#1012382). - bcache: fix kcrashes with fio in RAID5 backend dev (bnc#1012382). - bcache: properly set task state in bch_writeback_thread() (bnc#1012382). - bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set (bnc#1012382). - bcache: return attach error when no cache set exist (bnc#1012382). - blacklist.conf: blacklist fc218544fbc8 This commit requires major changes from 4.17, namely commit b9e281c2b388 ('libceph: introduce BVECS data type') - blacklist.conf: No need for 0aa48468d009 ('KVM/VMX: Expose SSBD properly to guests') since KF(SSBD) in our case does the expected. - block: cancel workqueue entries on blk_mq_freeze_queue() (bsc#1090435). - bluetooth: Apply QCA Rome patches for some ATH3012 models (bsc#1082504, bsc#1095147). - bluetooth: btusb: Add device ID for RTL8822BE (bnc#1012382). - bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB (bnc#1012382). - bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa() (bnc#1012382). - bonding: do not allow rlb updates to invalid mac (bnc#1012382). - bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y (bnc#1012382). - bridge: check iface upper dev when setting master via ioctl (bnc#1012382). - btrfs: bail out on error during replay_dir_deletes (bnc#1012382). - btrfs: fix copy_items() return value when logging an inode (bnc#1012382). - btrfs: fix crash when trying to resume balance without the resume flag (bnc#1012382). - btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers (bnc#1012382). - btrfs: fix NULL pointer dereference in log_dir_items (bnc#1012382). - btrfs: Fix out of bounds access in btrfs_search_slot (bnc#1012382). - btrfs: Fix possible softlock on single core machines (bnc#1012382). - btrfs: fix reading stale metadata blocks after degraded raid1 mounts (bnc#1012382). 
- btrfs: fix scrub to repair raid6 corruption (bnc#1012382). - btrfs: fix xattr loss after power failure (bnc#1012382). - btrfs: send, fix issuing write op when processing hole in no data mode (bnc#1012382). - btrfs: set plug for fsync (bnc#1012382). - btrfs: tests/qgroup: Fix wrong tree backref level (bnc#1012382). - cdrom: do not call check_disk_change() inside cdrom_open() (bnc#1012382). - ceph: delete unreachable code in ceph_check_caps() (bsc#1096214). - ceph: fix race of queuing delayed caps (bsc#1096214). - ceph: fix st_nlink stat for directories (bsc#1093904). - cfg80211: further limit wiphy names to 64 bytes (bnc#1012382 git-fixes). - cfg80211: further limit wiphy names to 64 bytes (git-fixes). - cfg80211: limit wiphy names to 128 bytes (bnc#1012382). - cifs: silence compiler warnings showing up with gcc-8.0.0 (bnc#1012382 bsc#1090734). - clk: Do not show the incorrect clock phase (bnc#1012382). - clk: rockchip: Prevent calculating mmc phase if clock rate is zero (bnc#1012382). - clk: samsung: exynos3250: Fix PLL rates (bnc#1012382). - clk: samsung: exynos5250: Fix PLL rates (bnc#1012382). - clk: samsung: exynos5260: Fix PLL rates (bnc#1012382). - clk: samsung: exynos5433: Fix PLL rates (bnc#1012382). - clk: samsung: s3c2410: Fix PLL rates (bnc#1012382). - clocksource/drivers/fsl_ftm_timer: Fix error return checking (bnc#1012382). - config: arm64: enable Spectre-v4 per-thread mitigation - cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path (bnc#1012382). - cpufreq: CPPC: Initialize shared perf capabilities of CPUs (bnc#1012382). - cpufreq: intel_pstate: Enable HWP by default (FATE#319178 bnc#1012382). - cpuidle: coupled: remove unused define cpuidle_coupled_lock (bnc#1012382). - crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss (bnc#1012382). - cxgb4: Setup FW queues before registering netdev (bsc#1022743 FATE#322540). - dccp: fix tasklet usage (bnc#1012382). - dlm: fix a clerical error when set SCTP_NODELAY (bsc#1091594). 
- dlm: make sctp_connect_to_sock() return in specified time (bsc#1080542). - dlm: remove O_NONBLOCK flag in sctp_connect_to_sock (bsc#1080542). - dmaengine: ensure dmaengine helpers check valid callback (bnc#1012382). - dmaengine: pl330: fix a race condition in case of threaded irqs (bnc#1012382). - dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3 (bnc#1012382). - dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all() (bnc#1012382). - dm thin: fix documentation relative to low water mark threshold (bnc#1012382). - do d_instantiate/unlock_new_inode combinations safely (bnc#1012382). - dp83640: Ensure against premature access to PHY registers after reset (bnc#1012382). - drm/exynos: fix comparison to bitshift when dealing with a mask (bnc#1012382). - drm/i915: Disable LVDS on Radiant P845 (bnc#1012382). - drm/rockchip: Respect page offset for PRIME mmap calls (bnc#1012382). - e1000e: allocate ring descriptors with dma_zalloc_coherent (bnc#1012382). - e1000e: Fix check_for_link return value with autoneg off (bnc#1012382 bsc#1075428). - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode (bnc#1012382). - enic: enable rq before updating rq descriptors (bnc#1012382). - ext2: fix a block leak (bnc#1012382). - fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper() (bnc#1012382). - firewire-ohci: work around oversized DMA reads on JMicron controllers (bnc#1012382). - firmware: dmi_scan: Fix handling of empty DMI strings (bnc#1012382). - Fix excessive newline in /proc/*/status (bsc#1094823). - fix io_destroy()/aio_complete() race (bnc#1012382). - Force log to disk before reading the AGF during a fstrim (bnc#1012382). - fscache: Fix hanging wait on page discarded by writeback (bnc#1012382). - fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table (bnc#1012382). - futex: futex_wake_op, do not fail on invalid op (git-fixes). 
- futex: futex_wake_op, fix sign_extend32 sign bits (bnc#1012382). - futex: Remove duplicated code and fix undefined behaviour (bnc#1012382). - futex: Remove unnecessary warning from get_futex_key (bnc#1012382). - gfs2: Fix fallocate chunk size (bnc#1012382). - gianfar: Fix Rx byte accounting for ndev stats (bnc#1012382). - gpio: rcar: Add Runtime PM handling for interrupts (bnc#1012382). - hfsplus: stop workqueue when fill_super() failed (bnc#1012382). - hid: roccat: prevent an out of bounds read in kovaplus_profile_activated() (bnc#1012382). - hwmon: (nct6775) Fix writing pwmX_mode (bnc#1012382). - hwmon: (pmbus/adm1275) Accept negative page register values (bnc#1012382). - hwmon: (pmbus/max8688) Accept negative page register values (bnc#1012382). - hwrng: stm32 - add reset during probe (bnc#1012382). - hwtracing: stm: fix build error on some arches (bnc#1012382). - i2c: mv64xxx: Apply errata delay only in standard mode (bnc#1012382). - i2c: rcar: check master irqs before slave irqs (bnc#1012382). - i2c: rcar: do not issue stop when HW does it automatically (bnc#1012382). - i2c: rcar: init new messages in irq (bnc#1012382). - i2c: rcar: make sure clocks are on when doing clock calculation (bnc#1012382). - i2c: rcar: refactor setup of a msg (bnc#1012382). - i2c: rcar: remove spinlock (bnc#1012382). - i2c: rcar: remove unused IOERROR state (bnc#1012382). - i2c: rcar: revoke START request early (bnc#1012382). - i2c: rcar: rework hw init (bnc#1012382). - ib/ipoib: Fix for potential no-carrier state (bnc#1012382). - ibmvnic: Check CRQ command return codes (bsc#1094840). - ibmvnic: Create separate initialization routine for resets (bsc#1094840). - ibmvnic: Fix partial success login retries (bsc#1094840). - ibmvnic: Handle error case when setting link state (bsc#1094840). - ibmvnic: Introduce active CRQ state (bsc#1094840). - ibmvnic: Introduce hard reset recovery (bsc#1094840). - ibmvnic: Mark NAPI flag as disabled when released (bsc#1094840). 
- ibmvnic: Only do H_EOI for mobility events (bsc#1094356). - ibmvnic: Return error code if init interrupted by transport event (bsc#1094840). - ibmvnic: Set resetting state at earliest possible point (bsc#1094840). - iio:kfifo_buf: check for uint overflow (bnc#1012382). - ima: Fallback to the builtin hash algorithm (bnc#1012382). - ima: Fix Kconfig to select TPM 2.0 CRB interface (bnc#1012382). - init: fix false positives in W+X checking (bsc#1096982). - input: elan_i2c_smbus - fix corrupted stack (bnc#1012382). - ipc/shm: fix shmat() nil address after round-down when remapping (bnc#1012382). - ipmi/powernv: Fix error return code in ipmi_powernv_probe() (bnc#1012382). - ipmi_ssif: Fix kernel panic at msg_done_handler (bnc#1012382 bsc#1088871). - ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg (bnc#1012382). - ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu (bnc#1012382). - ipv6: add mtu lock check in __ip6_rt_update_pmtu (bsc#1092552). - ipv6: omit traffic class when calculating flow hash (bsc#1095042). - irda: fix overly long udelay() (bnc#1012382). - irqchip/gic-v3: Change pr_debug message to pr_devel (bnc#1012382). - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (bnc#1012382 git-fixes). - kabi: vfs: Restore dentry_operations->d_manage (bsc#1086716). - kABI: work around BPF SSBD removal (bsc#1087082). - kasan: fix memory hotplug during boot (bnc#1012382). - kbuild: change CC_OPTIMIZE_FOR_SIZE definition (bnc#1012382). - kconfig: Do not leak main menus during parsing (bnc#1012382). - kconfig: Fix automatic menu creation mem leak (bnc#1012382). - kconfig: Fix expr_free() E_NOT leak (bnc#1012382). - kdb: make 'mdr' command repeat (bnc#1012382). - kernel: Fix memory leak on EP11 target list processing (bnc#1096751, LTC#168596). - kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE (bnc#1012382). - kernel/sys.c: fix potential Spectre v1 issue (bnc#1012382). 
- kvm: Fix spelling mistake: 'cop_unsuable' -> 'cop_unusable' (bnc#1012382). - kvm: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use (bnc#1012382). - kvm: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing (bnc#1012382). - kvm: VMX: raise internal error for exception during invalid protected mode state (bnc#1012382). - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl (bnc#1012382). - kvm: x86: Sync back MSR_IA32_SPEC_CTRL to VCPU data structure (bsc#1096242, bsc#1096281). - l2tp: revert 'l2tp: fix missing print session offset info' (bnc#1012382). - libata: blacklist Micron 500IT SSD with MU01 firmware (bnc#1012382). - libata: Blacklist some Sandisk SSDs for NCQ (bnc#1012382). - libnvdimm, dax: fix 1GB-aligned namespaces vs physical misalignment (FATE#320457, FATE#320460). - libnvdimm, namespace: use a safe lookup for dimm device name (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393). - libnvdimm, pfn: fix start_pad handling for aligned namespaces (FATE#320460). - llc: better deal with too small mtu (bnc#1012382). - llc: properly handle dev_queue_xmit() return value (bnc#1012382). - lockd: lost rollback of set_grace_period() in lockd_down_net() (bnc#1012382 git-fixes). - locking/qspinlock: Ensure node->count is updated before initialising node (bnc#1012382). - locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() (bnc#1012382). - locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs (bnc#1012382). - loop: handle short DIO reads (bsc#1094177). - m68k: set dma and coherent masks for platform FEC ethernets (bnc#1012382). - mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 (bnc#1012382). - md raid10: fix NULL deference in handle_write_completed() (bnc#1012382 bsc#1056415). - md/raid1: fix NULL pointer dereference (bnc#1012382). - md: raid5: avoid string overflow warning (bnc#1012382). - media: cx23885: Override 888 ImpactVCBe crystal frequency (bnc#1012382). 
- media: cx23885: Set subdev host data to clk_freq pointer (bnc#1012382). - media: cx25821: prevent out-of-bounds read on array card (bnc#1012382 bsc#1031717). - media: dmxdev: fix error code for invalid ioctls (bnc#1012382). - media: em28xx: USB bulk packet size fix (bnc#1012382). - media: s3c-camif: fix out-of-bounds array access (bnc#1012382 bsc#1031717). - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register (bnc#1012382). - mm: do not allow deferred pages with NEED_PER_CPU_KM (bnc#1012382). - mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read (-- VM bnc#1012382 bnc#971975 generic performance read). - mm: filemap: remove redundant code in do_read_cache_page (-- VM bnc#1012382 bnc#971975 generic performance read). - mm: fix races between address_space dereference and free in page_evicatable (bnc#1012382). - mm: fix the NULL mapping case in __isolate_lru_page() (bnc#1012382). - mm/kmemleak.c: wait for scan completion before disabling free (bnc#1012382). - mm/ksm: fix interaction with THP (bnc#1012382). - mm/mempolicy: add nodes_empty check in SYSC_migrate_pages (bnc#1012382). - mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1012382). - mm/mempolicy: fix the check of nodemask from user (bnc#1012382). - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset (bsc#1079152, VM Functionality). - mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1012382 bnc#1081500). - net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() (bnc#1012382). - net: ethernet: sun: niu set correct packet size in skb (bnc#1012382). - netfilter: ebtables: convert BUG_ONs to WARN_ONs (bnc#1012382). - net: Fix untag for vlan packets without ethernet header (bnc#1012382). - net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off (bnc#1012382). - netlabel: If PF_INET6, check sk_buff ip header version (bnc#1012382). - net/mlx4_en: Verify coalescing parameters are in range (bnc#1012382). 
- net/mlx5: Protect from command bit overflow (bnc#1012382). - net: mvneta: fix enable of all initialized RXQs (bnc#1012382). - net: qmi_wwan: add BroadMobi BM806U 2020:2033 (bnc#1012382). - net_sched: fq: take care of throttled flows before reuse (bnc#1012382). - net: support compat 64-bit time in {s,g}etsockopt (bnc#1012382). - net/tcp/illinois: replace broken algorithm reference link (bnc#1012382). - net: test tailroom before appending to linear skb (bnc#1012382). - net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 (bnc#1012382). - net/usb/qmi_wwan.c: Add USB id for lt4120 modem (bnc#1012382). - nfc: llcp: Limit size of SDP URI (bnc#1012382). - nfit, address-range-scrub: fix scrub in-progress reporting (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393). - nfit: fix region registration vs block-data-window ranges (FATE#319858). - nfs: Do not convert nfs_idmap_cache_timeout to jiffies (bnc#1012382 git-fixes). - nfsv4: always set NFS_LOCK_LOST when a lock is lost (bnc#1012382 bsc#1068951). - ntb_transport: Fix bug with max_mw_size parameter (bnc#1012382). - nvme-pci: Fix EEH failure on ppc (bsc#1093533). - nvme-pci: Fix nvme queue cleanup if IRQ setup fails (bnc#1012382). - ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute (bnc#1012382). - ocfs2/dlm: do not handle migrate lockres if already in shutdown (bnc#1012382). - ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid (bnc#1012382). - ocfs2: return error when we attempt to access a dirty bh in jbd2 (bnc#1012382 bsc#1070404). - openvswitch: Do not swap table in nlattr_set() after OVS_ATTR_NESTED is found (bnc#1012382). - packet: fix reserve calculation (git-fixes). - packet: in packet_snd start writing at link layer allocation (bnc#1012382). - parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode (bnc#1012382). - pci: Add function 1 DMA alias quirk for Marvell 88SE9220 (bnc#1012382). - pci: Add function 1 DMA alias quirk for Marvell 9128 (bnc#1012382). 
- pci: hv: Fix a __local_bh_enable_ip warning in hv_compose_msi_msg() (bnc#1094268). - pci: Restore config space on runtime resume despite being unbound (bnc#1012382). - perf callchain: Fix attr.sample_max_stack setting (bnc#1012382). - perf/cgroup: Fix child event counting bug (bnc#1012382). - perf/core: Fix perf_output_read_group() (bnc#1012382). - perf report: Fix memory corruption in --branch-history mode --branch-history (bnc#1012382). - perf tests: Use arch__compare_symbol_names to compare symbols (bnc#1012382). - pipe: cap initial pipe capacity according to pipe-max-size limit (bnc#1012382 bsc#1045330). - powerpc/64s: Clear PCR on boot (bnc#1012382). - powerpc: Add missing prototype for arch_irq_work_raise() (bnc#1012382). - powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access (bnc#1012382). - powerpc: Do not preempt_disable() in show_cpuinfo() (bnc#1012382 bsc#1066223). - powerpc/livepatch: Fix livepatch stack access (bsc#1094466). - powerpc/modules: Do not try to restore r2 after a sibling call (bsc#1094466). - powerpc/mpic: Check if cpu_possible() in mpic_physmask() (bnc#1012382). - powerpc/numa: Ensure nodes initialized for hotplug (FATE#322022 bnc#1012382 bsc#1081514). - powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (FATE#322022 bnc#1012382 bsc#1081514). - powerpc/perf: Fix kernel address leak via sampling registers (bnc#1012382). - powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer (bnc#1012382). - powerpc/powernv: Fix NVRAM sleep in invalid context when crashing (bnc#1012382). - powerpc/powernv: panic() on OPAL < V3 (bnc#1012382). - powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL (bnc#1012382). - powerpc/powernv: Remove OPALv2 firmware define and references (bnc#1012382). - proc: fix /proc/*/map_files lookup (bnc#1012382). - procfs: fix pthread cross-thread naming if !PR_DUMPABLE (bnc#1012382). 
- proc: meminfo: estimate available memory more conservatively (-- VM bnc#1012382 functionality monitoring space user). - proc read mm's {arg,env}_{start,end} with mmap semaphore taken (bnc#1012382). - qede: Fix ref-cnt usage count (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - qed: Fix LL2 race during connection terminate (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - qed: Fix possibility of list corruption during rmmod flows (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - qed: LL2 flush isles when connection is closed (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747). - qla2xxx: Mask off Scope bits in retry delay (bsc#1068054). - qmi_wwan: do not steal interfaces from class drivers (bnc#1012382). - r8152: fix tx packets accounting (bnc#1012382). - r8169: fix powering up RTL8168h (bnc#1012382). - rdma/mlx5: Avoid memory leak in case of XRCD dealloc failure (bnc#1012382). - rdma/qedr: Fix doorbell bar mapping for dpi > 1 (bsc#1022604 FATE#321747). - rdma/ucma: Correct option size check using optlen (bnc#1012382). - rds: IB: Fix NULL pointer issue (bnc#1012382). - Refresh patches.arch/arm64-bsc1031492-0165-arm64-Add-MIDR-values -for-Cavium-cn83XX-SoCs.patch. - regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' (bnc#1012382). - regulatory: add NUL to request alpha2 (bnc#1012382). - Revert 'arm: dts: imx6qdl-wandboard: Fix audio channel swap' (bnc#1012382). - Revert 'bs-upload-kernel: do not set %opensuse_bs' This reverts commit e89e2b8cbef05df6c874ba70af3cb4c57f82a821. - Revert 'ima: limit file hash setting by user to fix and log modes' (bnc#1012382). - Revert 'ipc/shm: Fix shmat mmap nil-page protection' (bnc#1012382). - Revert 'regulatory: add NUL to request alpha2' (kabi). - Revert 'vti4: Do not override MTU passed on link creation via IFLA_MTU' (bnc#1012382). 
- rtc: hctosys: Ensure system time does not overflow time_t (bnc#1012382). - rtc: snvs: Fix usage of snvs_rtc_enable (bnc#1012382). - rtc: tx4939: avoid unintended sign extension on a 24 bit shift (bnc#1012382). - rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c (bnc#1012382). - s390: add assembler macros for CPU alternatives (bnc#1012382). - s390/cio: clear timer when terminating driver I/O (bnc#1012382). - s390/cio: fix return code after missing interrupt (bnc#1012382). - s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero (bnc#1094532, LTC#168035). - s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero (LTC#168035 bnc#1012382 bnc#1094532). - s390: extend expoline to BC instructions (bnc#1012382). - s390/ftrace: use expoline for indirect branches (bnc#1012382). - s390/kernel: use expoline for indirect branches (bnc#1012382). - s390/lib: use expoline for indirect branches (bnc#1012382). - s390: move expoline assembler macros to a header (bnc#1012382). - s390: move spectre sysfs attribute code (bnc#1012382). - s390/qdio: do not release memory in qdio_setup_irq() (bnc#1012382). - s390/qdio: fix access to uninitialized qdio_q fields (bnc#1094532, LTC#168037). - s390/qdio: fix access to uninitialized qdio_q fields (LTC#168037 bnc#1012382 bnc#1094532). - s390: remove indirect branch from do_softirq_own_stack (bnc#1012382). - s390: use expoline thunks in the BPF JIT (bnc#1012382). - sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning (bnc#1012382). - scripts/git-pre-commit : - scsi: aacraid: Correct hba_send to include iu_type (bsc#1022607, FATE#321673). - scsi: aacraid: fix shutdown crash when init fails (bnc#1012382). - scsi: aacraid: Insure command thread is not recursively stopped (bnc#1012382). - scsi: bnx2fc: Fix check in SCSI completion handler for timed out request (bnc#1012382). - scsi: fas216: fix sense buffer initialization (bnc#1012382 bsc#1082979). 
- scsi: libsas: defer ata device eh commands to libata (bnc#1012382). - scsi: lpfc: Fix frequency of Release WQE CQEs (bnc#1012382). - scsi: lpfc: Fix issue_lip if link is disabled (bnc#1012382 bsc#1080656). - scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bnc#1012382 bsc#1080656). - scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bnc#1012382 bsc#1078583). - scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() (bnc#1012382). - scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() (bnc#1012382). - scsi: qla4xxx: skip error recovery in case of register disconnect (bnc#1012382). - scsi: scsi_transport_srp: Fix shost to rport translation (bnc#1012382). - scsi: sd: Keep disk read-only when re-reading partition (bnc#1012382). - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (bnc#1012382). - scsi: storvsc: Increase cmd_per_lun for higher speed devices (bnc#1012382). - scsi: sym53c8xx_2: iterator underflow in sym_getsync() (bnc#1012382). - scsi: ufs: Enable quirk to ignore sending WRITE_SAME command (bnc#1012382). - scsi: zfcp: fix infinite iteration on ERP ready list (bnc#1094532, LTC#168038). - scsi: zfcp: fix infinite iteration on ERP ready list (LTC#168038 bnc#1012382 bnc#1094532). - sctp: delay the authentication for the duplicated cookie-echo chunk (bnc#1012382). - sctp: fix the issue that the cookie-ack with auth can't get processed (bnc#1012382). - sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr (bnc#1012382). - sctp: use the old asoc when making the cookie-ack chunk in dupcook_d (bnc#1012382). - selftests: ftrace: Add a testcase for probepoint (bnc#1012382). - selftests: ftrace: Add a testcase for string type with kprobe_event (bnc#1012382). - selftests: ftrace: Add probe event argument syntax testcase (bnc#1012382). - selftests: memfd: add config fragment for fuse (bnc#1012382). - selftests/net: fixes psock_fanout eBPF test case (bnc#1012382). 
- selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable (bnc#1012382). - selftests: Print the test we're running to /dev/kmsg (bnc#1012382). - selinux: KASAN: slab-out-of-bounds in xattr_getsecurity (bnc#1012382). - serial: arc_uart: Fix out-of-bounds access through DT alias (bnc#1012382). - serial: fsl_lpuart: Fix out-of-bounds access through DT alias (bnc#1012382). - serial: imx: Fix out-of-bounds access through serial port index (bnc#1012382). - serial: mxs-auart: Fix out-of-bounds access through serial port index (bnc#1012382). - serial: samsung: Fix out-of-bounds access through serial port index (bnc#1012382). - serial: xuartps: Fix out-of-bounds access through DT alias (bnc#1012382). - sh: fix debug trap failure to process signals before return to user (bnc#1012382). - sh: New gcc support (bnc#1012382). - signals: avoid unnecessary taking of sighand->siglock (-- Scheduler bnc#1012382 bnc#978907 performance signals). - sit: fix IFLA_MTU ignored on NEWLINK (bnc#1012382). - smsc75xx: fix smsc75xx_set_features() (bnc#1012382). - sock_diag: fix use-after-free read in __sk_free (bnc#1012382). - sparc64: Fix build warnings with gcc 7 (bnc#1012382). - sparc64: Make atomic_xchg() an inline function rather than a macro (bnc#1012382). - spi: pxa2xx: Allow 64-bit DMA (bnc#1012382). - sr: get/drop reference to device in revalidate and check_events (bnc#1012382). - staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr (bnc#1012382). - stm class: Use vmalloc for the master map (bnc#1012382). - sunvnet: does not support GSO for sctp (bnc#1012382). - swap: divide-by-zero when zero length swap file on ssd (bnc#1012382 bsc#1082153). - tcp: avoid integer overflows in tcp_rcv_space_adjust() (bnc#1012382). - tcp: ignore Fast Open on repair mode (bnc#1012382). - tcp: purge write queue in tcp_connect_init() (bnc#1012382). - test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches (git-fixes). 
- tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent() (bnc#1012382). - tick/broadcast: Use for_each_cpu() specially on UP kernels (bnc#1012382). - time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting (bnc#1012382). - tools/libbpf: handle issues with bpf ELF objects containing .eh_frames (bnc#1012382). - tools lib traceevent: Fix get_field_str() for dynamic strings (bnc#1012382). - tools lib traceevent: Simplify pointer print logic and fix %pF (bnc#1012382). - tools/thermal: tmon: fix for segfault (bnc#1012382). - tracing: Fix crash when freeing instances with event triggers (bnc#1012382). - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account (bnc#1012382). - tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} (bnc#1012382). - udf: Provide saner default for invalid uid / gid (bnc#1012382). - usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() (bnc#1012382). - usb: dwc2: Fix interval type issue (bnc#1012382). - usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields (bnc#1012382). - usb: gadget: composite: fix incorrect handling of OS desc requests (bnc#1012382). - usb: gadget: ffs: Execute copy_to_user() with USER_DS set (bnc#1012382). - usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS (bnc#1012382). - usb: gadget: fsl_udc_core: fix ep valid checks (bnc#1012382). - usb: gadget: f_uac2: fix bFirstInterface in composite gadget (bnc#1012382). - usb: gadget: udc: change comparison to bitshift when dealing with a mask (bnc#1012382). - usbip: usbip_host: delete device from busid_table after rebind (bnc#1012382). - usbip: usbip_host: fix bad unlock balance during stub_probe() (bnc#1012382). - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors (bnc#1012382). - usbip: usbip_host: refine probe and disconnect debug msgs to be useful (bnc#1012382). - usbip: usbip_host: run rebind from exit when module is removed (bnc#1012382). 
- usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers (bnc#1012382). - usb: musb: fix enumeration after resume (bnc#1012382). - USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM (bnc#1012382). - USB: serial: cp210x: use tcflag_t to fix incompatible pointer type (bnc#1012382). - vfs: add path_has_submounts() (bsc#1086716). - vfs: add path_is_mountpoint() helper (bsc#1086716). - vfs: change d_manage() to take a struct path (bsc#1086716). - virtio-gpu: fix ioctl and expose the fixed status to userspace (bnc#1012382). - virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS (bnc#1012382). - vmscan: do not force-scan file lru if its absolute size is small (-- VM bnc#1012382 page performance reclaim). - vti4: Do not count header length twice on tunnel setup (bnc#1012382). - vti4: Do not override MTU passed on link creation via IFLA_MTU (bnc#1012382). - watchdog: f71808e_wdt: Fix magic close handling (bnc#1012382). - watchdog: sp5100_tco: Fix watchdog disable bit (bnc#1012382). - workqueue: use put_device() instead of kfree() (bnc#1012382). - x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified (bnc#1012382). - x86/boot: Fix early command-line parsing when partial word matches (bsc#1096140). - x86/bugs: IBRS: make runtime disabling fully dynamic (bsc#1068032). - x86/bugs: spec_ctrl must be cleared from cpu_caps_set when being disabled (bsc#1096140). - x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros (bnc#1012382). - x86/devicetree: Fix device IRQ settings in DT (bnc#1012382). - x86/devicetree: Initialize device tree before using it (bnc#1012382). - x86: ENABLE_IBRS clobbers %rax, which it shouldn't do; there is probably a place where forcing _IBRS_OFF is missed (or is too late) and therefore ENABLE_IBRS is sometimes called early during boot while it should not. Let's drop the optimization for now. 
(bsc#1098009 and bsc#1098012) - x86/fpu: Default eagerfpu=on on all CPUs (CVE-2018-3665 bnc#1012382 bnc#1087086). - x86/fpu: Disable AVX when eagerfpu is off (bnc#1012382). - x86/fpu: Disable MPX when eagerfpu is off (CVE-2018-3665 bnc#1012382 bnc#1087086). - x86/fpu: Fix early FPU command-line parsing (CVE-2018-3665 bnc#1012382 bnc#1087086). - x86/kaiser: export symbol kaiser_set_shadow_pgd() (bsc#1092813) - x86/kexec: Avoid double free_page() upon do_kexec_load() failure (bnc#1012382). - x86-mce-Make-timer-handling-more-robust.patch: Fix metadata - x86/pgtable: Do not set huge PUD/PMD on non-leaf entries (bnc#1012382). - x86/pkeys: Do not special case protection key 0 (1041740). - x86/pkeys: Override pkey when moving away from PROT_EXEC (1041740). - x86/power: Fix swsusp_arch_resume prototype (bnc#1012382). - x86: Remove unused function cpu_has_ht_siblings() (bnc#1012382). - x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (bnc#1012382). - xen/acpi: off by one in read_acpi_id() (bnc#1012382). - xen/grant-table: Use put_page instead of free_page (bnc#1012382). - xen-netfront: Fix race between device setup and open (bnc#1012382). - xen/netfront: raise max number of slots in xennet_get_responses() (bnc#1076049). - xen/pirq: fix error path cleanup when binding MSIs (bnc#1012382). - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent (bnc#1012382). - xen: xenbus: use put_device() instead of kfree() (bnc#1012382). - xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) (bnc#1012382). - xfs: convert XFS_AGFL_SIZE to a helper function (bsc#1090955, bsc#1090534). - xfs: detect agfl count corruption and reset agfl (bnc#1012382 bsc#1090534 bsc#1090955). - xfs: detect agfl count corruption and reset agfl (bsc#1090955, bsc#1090534). - xfs: do not log/recover swapext extent owner changes for deleted inodes (bsc#1090955). 
- xfs: fix endianness error when checking log block crc on big endian platforms (bsc#1094405, bsc#1036215). - xfs: remove racy hasattr check from attr ops (bnc#1012382 bsc#1035432). - xhci: Fix USB3 NULL pointer dereference at logical disconnect (git-fixes). - xhci: Fix use-after-free in xhci_free_virt_device (git-fixes). - xhci: zero usb device slot_id member when disabling and freeing a xhci slot (bnc#1012382). - zorro: Set up z->dev.dma_mask for the DMA API (bnc#1012382). - jfs: Fix buffer overrun in ea_get (bsc#1097234, CVE-2018-12233).
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 110658
    published 2018-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110658
    title openSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1232.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing 'pti=off' to the kernel command line. CVE-2017-17558 Andrey Konovalov reported that the USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. 
CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information. For Debian 7 'Wheezy', these problems have been fixed in version 3.2.96-3. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 105622
    published 2018-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105622
    title Debian DLA-1232-1 : linux security update (Meltdown)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3619-2.NASL
    description USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. 
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). 
(CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. 
A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807) Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862) It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm. 
(CVE-2017-7518) It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026) It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344) It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927) It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492) It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-26
    plugin id 108878
    published 2018-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108878
    title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3617-2.NASL
    description USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). 
(CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux kernel did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026) It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5332) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-04-04
    plugin id 108835
    published 2018-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108835
    title Ubuntu 16.04 LTS : linux-hwe, linux-gcp, linux-oem vulnerabilities (USN-3617-2)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-956.NASL
    description Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
    The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. (CVE-2018-5750)
    Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied
    Linux kernel contains an Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appears to be exploitable when an NFS server exports a filesystem with the 'rootsquash' option enabled. This vulnerability appears to have been fixed after commit 1995266727fa. (CVE-2018-1000028)
    Stack-based out-of-bounds read via vmcall instruction
    Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes. (CVE-2017-17741)
    The pmd can become dirty without going through a COW cycle
    A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)
    Speculative execution bounds-check bypass
    An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)
    drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
    A flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to set up loopback disks, may create a denial of service or other unspecified actions. (CVE-2018-5344)
    last seen 2018-09-01
    modified 2018-05-25
    plugin id 106933
    published 2018-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106933
    title Amazon Linux AMI : kernel (ALAS-2018-956) (Dirty COW) (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1772-1.NASL
    description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes. The following security bugs were fixed:
    - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument could have caused a buffer overflow (bnc#1097356).
    - CVE-2017-18249: The add_free_nid function did not properly track an allocated nid, which allowed local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads (bnc#1087036).
    - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086).
    - CVE-2017-18241: Prevent a NULL pointer dereference by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure (bnc#1086400).
    - CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read (bnc#1073311).
    - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr (bnc#1097234).
    The update package also includes non-security fixes. See advisory for details.
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 110660
    published 2018-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110660
    title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1772-1)
refmap via4
bid 102227
debian
  • DSA-4073
  • DSA-4082
misc https://www.spinics.net/lists/kvm/msg160796.html
mlist [debian-lts-announce] 20180107 [SECURITY] [DLA 1232-1] linux security update
ubuntu
  • USN-3617-1
  • USN-3617-2
  • USN-3617-3
  • USN-3619-1
  • USN-3619-2
  • USN-3620-1
  • USN-3620-2
  • USN-3632-1
Last major update 18-12-2017 - 03:29
Published 18-12-2017 - 03:29
Last modified 24-04-2018 - 21:29