Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2037)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

Description of changes:

* Information leak in kernel memory leak detector.

In kmemleak_seq_next, failure to get the last object during list
traversal leaked a pointer when it should have returned NULL.

* Kernel oops after blk_cleanup_queue.

The kernel function blk_cleanup_queue() could deallocate an I/O
scheduler while it is still in use, causing a kernel oops.

* ext3 filesystem corruption when no space is left on the device.

When make_indexed_dir failed because there was no space left on the
device, not all changed buffers were being marked as dirty and thus
being written to disk, corrupting the directory.

* Denial of service in JBD fsync transaction handling.

Certain workloads involving fdatasync() and fsync() on filesystems
using the JBD layer could cause denial of service (BUG assertion
failure).

* CVE-2011-2182: Incomplete fix for CVE-2011-1017 buffer overflow in ldm_frag_add.

The patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) did not
handle some edge cases allowing for buffer overflows in the
ldm_frag_add function of the Windows Logical Disk Manager.

* Denial of service in CFQ IO scheduler.

A race condition in __cfq_exit_single_io_context could result in a
denial of service condition (general protection fault).

* CVE-2011-2909: Information leak in comedi driver.

The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.

* System freeze in JMicron driver.

A missing dma_unmap in the JMicron ethernet device driver caused
system freezes under heavy loads.

* CVE-2011-2707: Arbitrary read vulnerability in ptrace.

A missing access control check in the ptrace_setxregs() function in
the xtensa architecture allowed an unprivileged user to read arbitrary
kernel memory.

* Kernel BUG in ext3 xattr handling.

A race condition in the ext3 filesystem's handling of user extended
attributes (xattrs) could result in a denial of service condition
(kernel BUG).

* svrpc: Fix memory corruption on nfsd shutdown.

A logic error in the svc_delete_xprt function could result in a
use-after-free condition on nfsd shutdown, resulting in a potential
denial-of-service or privilege escalation.

* CVE-2011-1585: Authentication bypass in CIFS.

Jeff Layton reported an issue in the Common Internet File System
(CIFS). Local users can bypass authentication requirements for shares
that are already mounted by another user.

* Incorrect index handling in snd_pcm_ioctl_xfern_compat.

A programming error in the snd_pcm_ioctl_xfern_compat function could
result in denial of service or privilege escalation while processing
user requests to certain sound devices.

* NULL pointer dereference in dm multipath driver.

Supplying fewer feature arguments than indicated to parse_features
allowed a NULL pointer dereference.

* Race condition in process ID generation.

A program that repeatedly forks and waits is susceptible to having the
same pid repeated, especially when it competes with another instance
of the same program.

* CVE-2011-1577: Missing boundary checks in GPT partition handling.

A heap overflow flaw in the Linux kernel's EFI GUID Partition Table
(GPT) implementation could allow a local attacker to cause a denial of
service by mounting a disk that contains specially-crafted partition
tables. (CVE-2011-1577, Low)

* Denial of service in Data Center Bridging.

A spinlock is not unlocked in dcbnl_ieee_get on an error condition,
potentially leading to denial of service. dcbnl_getapp may dereference
a NULL pointer, potentially leading to denial of service.

* CVE-2011-4110: Denial of service in kernel key management facilities.

A flaw in the way user-defined key types were handled allowed an
unprivileged local user to crash the system via a NULL pointer
dereference and kernel OOPS.

* Improved fix for CVE-2011-2495: Information leak in /proc/PID/io.

The original patch for CVE-2011-2495, which added missing access
checks in /proc/PID/io, contained a race condition. This race condition
could be used to obtain io statistics for a privileged process, which could
in turn be used to gather sensitive information (e.g. ssh/ftp password
length).

* CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.

When splitting two extents in ext4_ext_convert_to_initialized(), an
extent was incorrectly not dirtied, resulting in the disk layout being
corrupted, which will eventually cause a kernel crash.

* CVE-2011-4330: Buffer overflow in HFS file name translation logic.

Clement Lecigne reported a flaw in the way the HFS filesystem
implementation handled file names larger than HFS_NAMELEN. A
missing length check in hfs_mac2asc could result in a buffer
overflow.

* Privilege escalation in Sun RPC credential cache.

A programming mistake in the cache of recently used Sun RPC
credentials may allow access to be incorrectly granted to
processes with certain group lists.

* CVE-2011-2525: Denial of Service in packet scheduler API.

A flaw allowed the tc_fill_qdisc() function in the Linux kernel's
packet scheduler API implementation to be called on built-in qdisc
structures. A local, unprivileged user could use this flaw to trigger
a NULL pointer dereference, resulting in a denial of service.
(CVE-2011-2525, Moderate)

* Wrong reserved DMA addresses in AMD IOMMU.

An arithmetic error in the AMD IOMMU driver caused incorrect
addresses to be reserved for DMA.

* Denial of service in NFSv4 server open downgrade operation.

The WANT bits in the NFSv4 open downgrade operation could
potentially be used to trigger a denial of service (kernel BUG).

* Corruption with sendfile to non-sockets.

A flaw in the direct_splice_actor function could cause corruption in
userspace when using the sendfile system call with output files other
than sockets.

* CVE-2011-1020: Missing access restrictions in /proc subsystem.

The proc filesystem implementation did not restrict access to the
/proc directory tree of a process after this process performs an exec
of a setuid program, which allowed local users to obtain sensitive
information or potentially cause other integrity issues.


[2.6.32-300.3.1.el6uek]
- proc: fix oops on invalid /proc/<pid>/maps access (Linus Torvalds)
- Revert 'capabilities: do not grant full privs for setuid w/ file caps + no
effective caps' (Joe Jin)
- [mm]: Use MMF_COMPAT instead ia32_compat to prevent kabi be broken (Joe Jin)
- proc: enable writing to /proc/pid/mem (Stephen Wilson)
- proc: make check_mem_permission() return an mm_struct on success (Stephen Wilson)
- proc: hold cred_guard_mutex in check_mem_permission() (Joe Jin)
- proc: disable mem_write after exec (Stephen Wilson)
- mm: implement access_remote_vm (Stephen Wilson)
- mm: factor out main logic of access_process_vm (Stephen Wilson)
- mm: use mm_struct to resolve gate vma's in __get_user_pages (Stephen Wilson)
- mm: arch: rename in_gate_area_no_task to in_gate_area_no_mm (Stephen Wilson)
- mm: arch: make in_gate_area take an mm_struct instead of a task_struct
(Stephen Wilson)
- mm: arch: make get_gate_vma take an mm_struct instead of a task_struct
(Stephen Wilson)
- x86: mark associated mm when running a task in 32 bit compatibility mode
(Stephen Wilson)
- x86: add context tag to mark mm when running a task in 32-bit compatibility
mode (Stephen Wilson)
- auxv: require the target to be tracable (or yourself) (Al Viro)
- close race in /proc/*/environ (Al Viro)
- report errors in /proc/*/*map* sanely (Al Viro)
- pagemap: close races with suid execve (Al Viro)
- make sessionid permissions in /proc/*/task/* match those in /proc/* (Al Viro)
- Revert 'report errors in /proc/*/*map* sanely' (Joe Jin)
- Revert 'proc: fix oops on invalid /proc/<pid>/maps access' (Joe Jin)

[2.6.32-300.2.1.el6uek]
- [kabi] Add missing kabi (Srinivas Maturi)
- report errors in /proc/*/*map* sanely (Joe Jin)

[2.6.32-300.1.1.el6uek]
- [SCSI] qla4xxx: fix build error for OL6 (Joe Jin)
- Ecryptfs: Add mount option to check uid of device being mounted = expect uid (Maxim Uvarov)
- proc: fix oops on invalid /proc/<pid>/maps access (Linus Torvalds)
- x86/mm: Fix pgd_lock deadlock (Joe Jin)
- x86, mm: Hold mm->page_table_lock while doing vmalloc_sync (Joe Jin)
- proc: restrict access to /proc/PID/io (Vasiliy Kulikov)
- futex: Fix regression with read only mappings (Shawn Bohrer)
- x86-32, vdso: On system call restart after SYSENTER, use int $0x80 (H. Peter Anvin)
- x86, UV: Remove UV delay in starting slave cpus (Jack Steiner)
- Include several Xen pv hugepage fixes. (Dave McCracken)
- GRO: fix merging a paged skb after non-paged skbs (Michal Schmidt)
- md/linear: avoid corrupting structure while waiting for rcu_free to complete. (NeilBrown)
- xen: x86_32: do not enable iterrupts when returning from exception in interrupt context (Igor Mammedov)
- xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead. (Konrad Rzeszutek Wilk)
- hvc_console: Improve tty/console put_chars handling (Hendrik Brueckner)
- 3w-9xxx: fix iommu_iova leak (James Bottomley)
- aacraid: reset should disable MSI interrupt (Vasily Averin)
- libsas: fix failure to revalidate domain for anything but the first expander child. (Mark Salyzyn)
- splice: direct_splice_actor() should not use pos in sd (Changli Gao)
- libsas: fix panic when single phy is disabled on a wide port (Mark Salyzyn)
- epoll: fix spurious lockdep warnings (Nelson Elhage)
- kobj_uevent: Ignore if some listeners cannot handle message (Milan Broz)
- kmod: prevent kmod_loop_msg overflow in __request_module() (Jiri Kosina)
- nfsd4: ignore WANT bits in open downgrade (J. Bruce Fields)
- nfsd4: Remove check for a 32-bit cookie in nfsd4_readdir() (Bernd Schubert)
- iommu/amd: Fix wrong shift direction (Joerg Roedel)
- cfq: Don't allow queue merges for queues that have no process references (Jeff Moyer)
- cfq-iosched: get rid of the coop_preempt flag (Jens Axboe)
- cfq: break apart merged cfqqs if they stop cooperating (Jeff Moyer)
- cfq: change the meaning of the cfqq_coop flag (Jeff Moyer)
- cfq: merge cooperating cfq_queues (Jeff Moyer)
- cfq: calculate the seek_mean per cfq_queue not per cfq_io_context (Jeff Moyer)
- kcore: fix test for end of list (Dan Carpenter)
- deal with races in /proc/*/{syscall,stack,personality} (Al Viro)
- NLM: Don't hang forever on NLM unlock requests (Maxim Uvarov)
- vm: fix vm_pgoff wrap in upward expansion (Hugh Dickins)
- vm: fix vm_pgoff wrap in stack expansion (Linus Torvalds)
- net_sched: Fix qdisc_notify() (Eric Dumazet)
- drivers/net/rionet.c: fix ethernet address macros for LE platforms (Alexandre Bounine)
- ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes (Theodore Ts'o)
- st: fix race in st_scsi_execute_end (Petr Uzel)
- Make scsi_free_queue() kill pending SCSI commands (Bart Van Assche)
- NFS/sunrpc: don't use a credential with extra groups. (NeilBrown)
- netlink: validate NLA_MSECS length (Johannes Berg)
- mtd: mtdchar: add missing initializer on raw write (Peter Wippich)
- PM / Suspend: Off by one in pm_suspend() (Dan Carpenter)
- hfs: add sanity check for file name length (Dan Carpenter)
- md/raid5: abort any pending parity operations when array fails. (NeilBrown)
- mm: avoid null pointer access in vm_struct via /proc/vmallocinfo (Mitsuo Hayasaka)
- USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c (Andrew Worsley)
- usb-storage: Accept 8020i-protocol commands longer than 12 bytes (Alan Stern)
- [SCSI] ql4xxx: upgrade to 5.02.14.00.32.01-c0 (Joe Jin)
- [netdrv] be2net: Merge fixes for CVE-2011-3347 (Joe Jin)
- ext4: fix BUG_ON() in ext4_ext_insert_extent() (Zheng Liu)
- proc: fix a race in do_io_accounting() (Vasiliy Kulikov)
- capabilities: do not grant full privs for setuid w/ file caps + no effective caps (Zhi Li)
- KEYS: Fix a NULL pointer deref in the user-defined key type (Maxim Uvarov)
- igb: Fix for Alt MAC Address feature on 82580 and later devices (Joe Jin)
- [netdrv] enic: fix accidental GRO off by default (Joe Jin)
- Fixing use of netif_set_real_num_tx_queues in cxgb4_main.c (Joe Jin)
- firmware: Update cxgb4 NIC driver firmware (Joe Jin)
- firmware Add latest cxgb3 firmware (Joe Jin)
- [netdrv] cxgb3: misc fixes. (Joe Jin)
- bnx2x: upgrade bnx2x (Joe Jin)
- dcb: add DCBX mode to event notifier attributes (John Fastabend)
- dcb: Use ifindex instead of ifname (Mark Rustad)
- dcbnl: unlock on an error path in dcbnl_cee_fill() (Dan Carpenter)
- dcbnl: Add CEE notification (Shmulik Ravid)
- dcbnl: Aggregated CEE GET operation (Shmulik Ravid)
- dcb: use nlmsg_free() instead of kfree() (Dan Carpenter)
- dcb: Add missing error check in dcb_ieee_set() (John Fastabend)
- dcb: fix return type on dcb_setapp() (John Fastabend)
- dcb: Add dcb_ieee_getapp_mask() for drivers to query APP settings (John Fastabend)
- dcb: Add ieee_dcb_delapp() and dcb op to delete app entry (John Fastabend)
- dcb: Add ieee_dcb_setapp() to be used for IEEE 802.1Qaz APP data (John Fastabend)
- net: dcbnl, add multicast group for DCB (John Fastabend)
- dcb: Add DCBX capabilities bitmask to the get_ieee response (John Fastabend)
- dcbnl: add support for retrieving peer configuration - cee (Shmulik Ravid)
- dcbnl: add support for retrieving peer configuration - ieee (Shmulik Ravid)
- net: dcbnl: check correct ops in dcbnl_ieee_set() (John Fastabend)
- Don't potentially dereference NULL in net/dcb/dcbnl.c:dcbnl_getapp() (Jesper Juhl)
- net: dcb: application priority is per net_device (John Fastabend)
- dcbnl: make get_app handling symmetric for IEEE and CEE DCBx (John Fastabend)
- dcb: use after free in dcb_flushapp() (Dan Carpenter)
- dcb: unlock on error in dcbnl_ieee_get() (Dan Carpenter)
- dcbnl: more informed return values for new dcbnl routines (Shmulik Ravid)
- dcbnl: cleanup (Shmulik Ravid)
- net_dcb: add application notifiers (John Fastabend)
- [netdrv] firmware: add bnx2x FW 7.0.23 (Joe Jin)
- [netdrv] Fixing use of netif_set_real_num_tx_queues in bnx2.c (Joe Jin)
- [netdrv] tg3: drver update. (Joe Jin)
- tg3: negate USE_PHYLIB flag check (Jiri Pirko)
- [netdrv] e1000e: fix WoL on 82578DM and 82567V3 (Joe Jin)
- e1000: don't enable dma receives until after dma address has been setup (Dean Nelson)
- [SCSI] bnx2i: Fixed the endian on TTT for NOP out transmission (Eddie Wai)
- [SCSI] bnx2fc: upgrade to 1.0.8 (Joe Jin)
- [scsi] hpsa: add heartbeat sysfs host attribute (Joe Jin)
- [SCSI] move PCI_DEVICE_ID_HP_CISSE to include/linux/pci_ids.h (Joe Jin)
- [SCSI] lpfc: update to 8.3.5.45.4p (Joe Jin)
- [SCSI] be2iscsi: upgrade to 4.1.239.0 (Joe Jin)
- fcoe/libfcoe: Move common code for fcoe_get_lesb to fcoe_transport (Joe Jin)
- libfc: Prevent race that causes panic during FCoE port destroy via sysfs (Joe Jin)
- [SCSI] isci: dynamic interrupt coalescing (Dan Williams)
- megaraid_sas: trim the space and tab. (Joe Jin)
- megaraid_sas: Add driver workaround for PERC5/1068 kdump kernel panic (Joe Jin)
- scsi_transport_fc: Fix deadlock during fc_remove_host (Joe Jin)
- [SCSI] libfc: improve flogi retries to avoid lport stuck (Vasu Dev)
- [SCSI] libfc: avoid exchanges collision during lport reset (Vasu Dev)
- [SCSI] libfc: fix checking FC_TYPE_BLS (Vasu Dev)
- [SCSI] libsas: fix warnings when checking sata/stp protocol (Dan Williams)
- [SCSI] libsas: disable scanning lun> 0 on ata devices (Dan Williams)
- [SCSI] libsas: Allow expander T-T attachments (Luben Tuikov)
- [SCSI] isci: atapi support (Dan Williams)
- isci: export phy events via ->lldd_control_phy() (Dan Williams)
- [SCSI] isci: The port state should be set to stopping on the last phy. (Jeff Skirvin)
- [SCSI] isci: fix decode of DONE_CRC_ERR TC completion status (Jeff Skirvin)
- [SCSI] isci: SATA/STP I/O is only returned in the normal path to libsas (Jeff Skirvin)
- [SCSI] isci: fix support for large smp requests (Dan Williams)
- [SCSI] isci: fix missed unlock in apc_agent_timeout() (Jeff Skirvin)
- [SCSI] isci: fix event-get pointer increment (Dan Williams)
- [SCSI] isci: add version number (Dan Williams)
- [SCSI] isci: fix sata response handling (Dan Williams)
- [SCSI] isci: Leave requests alone if already terminating. (Jeff Skirvin)
- [SCSI] isci: initial sgpio write support (Dan Williams)
- [SCSI] isci: fix sgpio register definitions (Dan Williams)
- [SCSI] libsas: sgpio write support (Dan Williams)
- [SCSI] scsi scan: don't fail scans when host is in recovery (Mike Christie)
- net: Remove atmclip.h to prevent break kabi check (Joe Jin)
- SPEC: ol6 req dracut-kernel-004-242.0.3 (Maxim Uvarov)
- SPEC: req udev-095-14.27.0.1.el5_7.1 or more (Maxim Uvarov)
- SPEC: el5 mkinird more then 5.1.19.6-71.0.10 (Maxim Uvarov)
- ipv6: make fragment identifications less predictable (Joe Jin)
- vlan: fix panic when handling priority tagged frames (Joe Jin)
- ipv6: udp: fix the wrong headroom check (Shan Wei)
- b43: allocate receive buffers big enough for max frame len + offset (Maxim Uvarov)
- fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message (Miklos Szeredi)
- cifs: fix possible memory corruption in CIFSFindNext (Jeff Layton)
- crypto: md5 - Add export support (Maxim Uvarov)
- fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops (Timo Warns)
- block: use struct parsed_partitions *state universally in partition check code (Maxim Uvarov)
- net: Compute protocol sequence numbers and fragment IDs using MD5 (Maxim Uvarov)
- perf tools: do not look at ./config for configuration (Jonathan Nieder)
- Make TASKSTATS require root access (Linus Torvalds)
- TPM: Zero buffer after copying to userspace (Peter Huewe)
- TPM: Call tpm_transmit with correct size (Peter Huewe)
- PCI: Set device power state to PCI_D0 for device without native PM support (Ajaykumar Hotchandani)

[2.6.32-300.0.12.el6uek]
- Install include/drm headers (Maxim Uvarov) [orabug 13260234]
- qla2xxx: Double check for command completion if abort mailbox command fails (Chad Dupuis)
- Ensure full IOC buffer can be mapped (Martin K. Petersen)
- Fix incorrect timeout handling (Martin K. Petersen)

[2.6.32-300.0.11.el6uek]
- fix pgoff in mbind vma merge (Caspar Zhang) [orabug 13370691]

[2.6.32-300.0.10.el6uek]
- compat_ioct: move initialization before use in sg_ioctl_trans() (Dan Carpenter)
- genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier (Dan Carpenter)
- xen/timer: Missing IRQF_NO_SUSPEND in timer code broke suspend [orabug 13359907]
- pids: fix a race in pid generation that causes pids to be reused immediately (Salman) [orabug 13370594]
- Revert 'mlx4: Updated the driver version from 1.5.1.6 August 2010 to 1.5.4.1 March 2011 update' (Maxim Uvarov) [orabug 13322248]

[2.6.32-300.0.9.el6uek]
- [firmware] bnx2x 7.0.20 (Maxim Uvarov) [orabug 13354737]
- Revert 'qla2xxx: Double check for command completion if abort mailbox [orabug 13339986]
- SPEC: fixes for spec file [orabugs 13359985, 13339700, 13348381]
- kabi: Modify Kabi and enable kabicheck

[2.6.32-300.0.8.el6uek]
- ipv6: add a missing unregister_pernet_subsys call (Neil Horman)
- SPEC: hwcap set to 1 for nosegneg (Guru Anbalagane) [orabug 13321811]
- put firmware to kernel version specific location (Maxim Uvarov) [orabug 13254457]
- xen: drop xen_sched_clock in favour of using plain wallclock time (Jeremy Fitzhardinge)
- Revert '[scsi] add lockless to improve queuecommand performance'
- fix fnic init panic and san disks are not visible (Xiaowei Hu)
- SPEC: Add debug to the list of kernels that kernel-uek should replace in
/etc/sysconfig/kernel (Kevin Lyons) [bug 13260459,13339700]
- bfa: cleanup Makefile. (Joe Jin)
- fc class: add fc host default default dev loss setting (Mike Christie)
- fc class: add fc host dev loss sysfs file (Mike Christie)
- add dev_loss_tmo support for lpfc, fnic and ibmvfc (Joe Jin)
- scsi_transport_fc: Protect against overflow in dev_loss_tmo (Hannes Reinecke)
- [netdrv] bna: cleanup Makefile. (Joe Jin)
- PCI/e1000e: Add and use pci_disable_link_state_locked() (Yinghai Lu)
- tracepoint: Move signal sending tracepoint to events/signal.h (Masami Hiramatsu)
- perf_event, x86, mce: Use TRACE_EVENT() for MCE logging (Hidetoshi Seto)
- xen: Add support for hugepages on Xen pv domains, including support for hugepages
in the balloon driver. (Dave Mccracken)

[2.6.32-300.0.7.el6uek]
- Add entropy generation to NIC drivers
- [netdrv] bnx2x: replace pci_find_capability to pci_pcie_cap
- [pci] dma-mapping: dma-mapping.h: add dma_set_coherent_mask
- PCI: introduce pci_is_pcie()
- PCI: introduce pci_pcie_cap()
- PCI: cache PCIe capability offset
- [scsi] add lockless to improve queuecommand performance

[2.6.32-300.0.6.el6uek]
- [netdrv] ixgbe: correct Makefile.

[2.6.32-300.0.5.el6uek]
bnx2: upgrade to 2.1.11
vlan: allow null VLAN ID to be used
ethtool: Add 20G bit definitions
ethtool: Add Direct Attach support to connector port reporting
bnx2i: add pci_id for brocadcom
fcoe: Prevent creation of an NPIV port with duplicate WWPN
bnx2i: upgrade to 2.7.0.3
bnx2fc: upgrade to 1.0.6
lpfc: upgrade to 0:8.3.5.45.3p
mptsas: upgrade to 3.04.19
netdev: ethtool RXHASH flag
be2net: upgrade to 4.0.160r
be2iscsi: upgrade to 4.0.160r
vmxnet3: upgrade to 1.1.18.0-k
add vmxnet3 support
e100: merge misc fixes.
igb: upgrade to 3.0.6-k
igbvf: upgrade to 2.0.0-k
e1000: upgrade to 7.3.21-k6-1-NAPI
e1000e: upgrade to 1.4.4-k
ixgbevf: upgrade to 2.1.0-k
[netdrv] bnx2x: upgrade to 1.70.00-0]
[block] cciss: upgrade to 3.6.28]
[scsi] hpsa: upgrade to 2.0.2-3]
[scsi] arcmsr: upgrade to 1.20.00.15.el6u2 2010/08/05]
[scsi] megaraid: minor update megaraid]
fcoe: correct checking for bonding
[scsi] ipr: upgrade to 2.5.2]
[SCSI] sd: Combine DIF/DIX error handling]
[SCSI] Fix printing of failed 32-byte commands]
[SCSI] sd: Logical Block Provisioning update]
[SCSI] sd: retry read_capacity on UNIT_ATTENTION]
[SCSI] libfc: fix mm leak in handling incoming request for target discovery]
[SCSI] libfc: release DDP context if frame_send() fails]
[SCSI] libfc: don't call resp handler after FC_EX_TIMEOUT]
[SCSI] libfc: fix race in SRR response]
[SCSI] libfc: do not immediately retry the cmd when seq_send fails in fc_fcp_send_data]
[SCSI] libfcoe: Remove unnecessary module state checks]
[SCSI] libfc: Enhancement to RPORT state machine applicable only for VN2VN mode]
[SCSI] fcoe: Unable to select the exchangeID from offload pool for storage targets]
[SCSI] fcoe: Round-robin based selection of CPU for post-processing of incoming commands]
[SCSI] fcoe: Amends previous patch, Round-robin based selection of CPU for post processing of incoming request for FCoE target]
[SCSI] libfc:Fix for exchange/seq loopup failure when FCoE stack is used as target and connected to windows initaitor]
[SCSI] libfc: post reset event on lport reset]
[SCSI] fcoe: cleanup cpu selection for incoming requests]
[SCSI] scsi_dh_alua: Attach to UNAVAILABLE/OFFLINE AAS devices]
[SCSI] iscsi: add module alias]
[SCSI] iscsi: fix iscsi_endpoint leak]
[SCSI] libiscsi: add helper to convert addr to string]
[SCSI] iscsi_tcp: use iscsi_conn_get_addr_param libiscsi function]
[SCSI] iscsi class: add callout to get iscsi_endpoint values]
[SCSI] libiscsi_tcp: use kmap in xmit path]
[SCSI] iscsi_tcp: fix locking around iscsi sk user data]
[SCSI] libiscsi_tcp: fix LLD data allocation]
[SCSI] libsas: remove spurious sata control register read/write]
[SCSI] libsas: fix SATA NCQ error]
[SCSI] libsas: fix loopback topology bug during discovery]
[SCSI] fcoe: remove unused ptype field in fcoe_rcv_info]
[SCSI] libfc: use FC_MAX_ERROR_CNT]
[SCSI] libfc: Remove the reference to FCP packet from scsi_cmnd in case of error]
[SCSI] libfc: release exchg cache]
[SCSI] libfc, fcoe: ignore rx frame with wrong xid info]
[SCSI] libfc: two minor changes in comments]
[SCSI] libfc: cleanup sending SRR request]
[SCSI] libfc: fix warn on in lport retry]
[SCSI] fcoe: add fip retry to avoid missing critical keep alive]
libfc: fix fc_eh_host_reset
[SCSI] libfc: block SCSI eh thread for blocked rports]
[SCSI] libfc: fix referencing to fc_fcp_pkt from the frame pointer via fr_fsp()]
[SCSI] scsi_lib: pause between error retries]
KConfig: add CONFIG_UEK5=n to ol6/config-generic
[SCSI] Fix race when removing SCSI devices]
ipmi: reduce polling when interrupts are available
ipmi: reduce polling
ipmi: Fix IPMI errors due to timing problems
[SCSI] scsi_dh: Make alua hardware handler's activate() async]
[SCSI] scsi_dh_alua: Handle all states correctly]
[SCSI] scsi_dh_alua: fix submit_stpg return]
[SCSI] scsi_dh_alua: fix deadlock in stpg_endio]
[SCSI] scsi_dh_alua: fix stpg_endio group state reporting]
[SCSI] scsi_dh: cosmetic change to sizeof()]
[SCSI] scsi_dh_rdac : Add definitions for different RDAC operating modes]
[SCSI] scsi_dh_rdac : decide whether to send mode select based on operating mode]
[SCSI] dh_rdac: Use WWID from C8 page instead of Subsystem id from C4 page to identify storage]
[SCSI] dh_rdac: Associate HBA and storage in rdac_controller to support partitions in storage]
[SCSI] scsi_dh: Make hp hardware handler's activate() async]
[SCSI] scsi_dh_hp_sw: fix deadlock in start_stop_endio]
cnic: upgrade to 2.5.7
update enic to 2.1.1.24
enic: remove VF
[SCSI] libiscsi: use bh locking instead of irq with session lock]
[SCSI] libiscsi: Check TMF state before sending PDU]
iscsi: Use struct scsi_lun in iscsi structs instead of u8[8]
[SCSI] fix id computation in scsi_eh_target_reset()]
[SCSI] Reduce error recovery time by reducing use of TURs]
[scsi] mpt2sas: upgrade 09.101.00.00]
[SCSI] fcoe: Rearrange fcoe port and NPIV port cleanup]
[SCSI] fcoe: Fix deadlock between fip's recv_work and rtnl]
[SCSI] Add missing SPC-4 CDB and MAINTENANCE_[IN,OUT] service action definitions]
[SCSI] scsi_debug: Thin provisioning support]
[SCSI] scsi_debug: fix Thin provisioning support]
[SCSI] scsi_debug: add max_queue + no_uld parameters]
[SCSI] scsi_debug: Block Limits VPD page fixes]
[SCSI] scsi_debug: fix map_region and unmap_region oops]
[SCSI] scsi_debug: Update thin provisioning support]
[SCSI] scsi_debug: Convert to use root_device_register() and root_device_unregister()]
[SCSI] scsi_debug: set resid to indicate no data-in when medium error]
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption]
[SCSI] scsi_debug: Logical Block Provisioning (SBC3r26)]
[SCSI] scsi_debug: add consecutive medium errors]
drivers/firmware/iscsi_ibft.c: use %pM to show MAC address
drivers/firmware/iscsi_ibft.c: remove NIPQUAD_FMT, use %pI4
x86: Make sure wakeup trampoline code is below 1MB
ibft, x86: Change reserve_ibft_region() to find_ibft_region()
ibft: Update iBFT handling for v1.03 of the spec.
[xen] remove unused functions.]
bitmap: introduce bitmap_set, bitmap_clear, bitmap_find_next_zero_area
[netdrv] s2io: upgrade to 2.0.26.28]
[watchdog] hpwdt: upgrade to 1.3.0]
qla2xxx: During loopdown perform Diagnostic loopback.
qla2xxx: Save and restore irq in the response queue interrupt handler.
qla2xxx: Prevent CPU lockups when 'ql2xdontresethba' module param is set.
qla2xxx: Fix array out of bound warning.
qla2xxx: Acquire hardware lock while manipulating dsd list.
qla2xxx: check for marker IOCB during response queue processing.
qla2xxx: Fix qla24xx revision check while enabling interrupts.
qla2xxx: Implemeted beacon on/off for ISP82XX.
qla2xxx: Double check for command completion if abort mailbox command fails.
qla2xxx: T10 DIF - Convert HBA specific checks to capability based.
qla2xxx: Add support for ISP82xx to capture dump (minidump) on failure.
qla2xxx: Enable write permission to some debug related module parameters to be changed dynamically.
qla2xxx: Provide method for updating I2C attached VPD.
qla2xxx: Set the task attributes after memsetting fcp cmnd.
qla2xxx: Update to the beacon implementation.
qla2xxx: Correct inadvertent loop state transitions during port-update handling.
qla2xxx: Return sysfs error codes appropriate to conditions.
qla2xxx: Issue mailbox command only when firmware hung bit is reset for ISP82xx.
qla2xxx: Don't call alloc_fw_dump for ISP82XX.
qla2xxx: Remove qla2x00_wait_for_loop_ready function.
qla2xxx: Display FCP_CMND priority on update.
qla2xxx: Check for SCSI status on underruns.
qla2xxx: Fix for active_mask warning.
qla2xxx: Updated the driver version to 8.03.07.08.32.1-k.
ixgbe-3.4.24
kernel.h: add BUILD_BUG_ON_NOT_POWER_OF_2()
isci update
isci firmware update
tg3: Updated the driver version from 3.113 to 3.119
mlx4: Updated the driver version from 1.5.1.6 August 2010 to 1.5.4.1

[2.6.32-300.0.4.el56uek]
- Add 32-bit value for MAX_LOCAL_APIC to fix i386-i686 build error after a9da091

[2.6.32-300.0.3.el6uek]
- [NET] Update qlcnic driver to 5.0.24 [orabug 13005421]
- [NET] Update netxen NIC driver to 4.0.76 [orabug 13005427]
- [SCSI] Update megaraid_sas driver to v5.40-rc1 [orabug 13005432]
- [NET] Update Brocade BNA driver to 3.0.2.2 [orabug 13005438]
- [SCSI] Update Brocade BFA driver to 3.0.2.2 [orabug 13005441]
- [NET] Update qlge driver to v1.00.00.29.00.00-01 [orabug 13005443]
- [SCSI] mpt2sas: Add a module parameter that permits overriding protection capabilities (Martin K. Petersen)
- [SCSI] mpt2sas: Return the correct sense key for DIF errors (Martin K. Petersen)
- [SCSI] mpt2sas: Do not check DIF for unwritten blocks (Martin K. Petersen)
- [NET] bnx2x: prevent flooded warning kernel info [orabug 12687487] (Joe Jin)
- [SCSI] fix lport uninitalized bug in fnic [orabug 12866385] (Xiaowei Hu)
- acpi: Handle xapic/x2apic entries in MADT at same time (Yinghai Lu <yinghai at kernel.org>)

[2.6.32-300.0.2.el6uek]
- Revert 'netns xfrm: fixup xfrm6_tunnel error propagation'
- block: export blk_{get,put}_queue()
- Revert 'block: export blk_{get,put}_queue()'

[2.6.32-300.0.1.el6uek]
- [SCSI] mpt2sas: Fix missing reference tag seed with Type 2 devices (Martin K. Petersen)
- stable tree merge to 2.6.32.45

See also :

https://oss.oracle.com/pipermail/el-errata/2011-December/002529.html
https://oss.oracle.com/pipermail/el-errata/2011-December/002506.html

Solution :

Update the affected unbreakable enterprise kernel packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false