[netfilter-devel] 20120330 Re: `iptables -m tcp --syn` doesn't do what the man says

https://bugzilla.redhat.com/show_bug.cgi?id=826702

This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.

The following security issues have been fixed :

CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack).

CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.

CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key.

CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.

CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.

CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed.

The following non-security issues have been fixed :

Packaging :

  - kbuild: Fix gcc -x syntax (bnc#773831).

NFS :

  - knfsd: An assortment of little fixes to the sunrpc cache     code (bnc#767766).

  - knfsd: Unexport cache_fresh and fix a small race     (bnc#767766).

  - knfsd: nfsd: do not drop silently on upcall deferral     (bnc#767766).

  - knfsd: svcrpc: remove another silent drop from deferral     code (bnc#767766).

  - sunrpc/cache: simplify cache_fresh_locked and     cache_fresh_unlocked (bnc#767766).

  - sunrpc/cache: recheck cache validity after     cache_defer_req (bnc#767766).

  - sunrpc/cache: use list_del_init for the list_head     entries in cache_deferred_req (bnc#767766).

  - sunrpc/cache: avoid variable over-loading in     cache_defer_req (bnc#767766).

  - sunrpc/cache: allow thread to block while waiting for     cache update (bnc#767766).

  - sunrpc/cache: Fix race in sunrpc/cache introduced by     patch to allow thread to block while waiting for cache     update (bnc#767766).

  - sunrpc/cache: Another fix for race problem with sunrpc     cache deferal (bnc#767766).

  - knfsd: nfsd: make all exp_finding functions return

-errnos on err (bnc#767766).

  - Fix kabi breakage in previous nfsd patch series     (bnc#767766).

  - nfsd: Work around incorrect return type for     wait_for_completion_interruptible_timeout (bnc#767766).

  - nfs: Fix a potential file corruption issue when writing     (bnc#773272).

  - nfs: Allow sync writes to be multiple pages     (bnc#763526).

  - nfs: fix reference counting for NFSv4 callback thread     (bnc#767504).

  - nfs: flush signals before taking down callback thread     (bnc#767504).

  - nfsv4: Ensure nfs_callback_down() calls svc_destroy()     (bnc#767504).

SCSI :

  - SCSI/ch: Check NULL for kmalloc() return (bnc#783058).
    drivers/scsi/aic94xx/aic94xx_init.c: correct the size     argument to kmalloc (bnc#783058).

    block: fail SCSI passthrough ioctls on partition devices     (bnc#738400).

    dm: do not forward ioctls from logical volumes to the     underlying device (bnc#738400).

    vmware: Fix VMware hypervisor detection (bnc#777575,     bnc#770507).

S/390 :

  - lgr: Make lgr_page static (bnc#772409,LTC#83520).

  - zfcp: Fix oops in _blk_add_trace()     (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection     (bnc#767277,LTC#RAS1203).

    be2net: Fix EEH error reset before a flash dump     completes (bnc#755546).

  - mptfusion: fix msgContext in mptctl_hp_hostinfo     (bnc#767939).

  - PCI: Fix bus resource assignment on 32 bits with 64b     resources. (bnc#762581)

  - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86:
    powernow-k8: Fix indexing issue (bnc#758985).

    net: Fix race condition about network device name     allocation (bnc#747576).

XEN :

  - smpboot: adjust ordering of operations.

  - xen/x86-64: provide a memset() that can deal with 4Gb or     above at a time (bnc#738528).

  - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53     (bnc#760974).

  - xen/gntdev: fix multi-page slot allocation (bnc#760974).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 11.4 kernel was updated to fix various bugs and security issues.

This is the final update of the 2.6.37 kernel of openSUSE 11.4.

This kernel update of the openSUSE 12.1 kernel brings various bug and security fixes.

Following issues were fixed :

  - tcp: drop SYN+FIN messages (bnc#765102, CVE-2012-2663).

  - net: sock: validate data_len before allocating skb in     sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136).

  - thp: avoid atomic64_read in pmd_read_atomic for 32bit     PAE (bnc#762991).

  - be2net: non-member vlan pkts not received in promiscous     mode (bnc#732006 CVE-2011-3347).

  - fcaps: clear the same personality flags as suid when     fcaps are used (bnc#758260 CVE-2012-2123).

  - macvtap: zerocopy: validate vectors before building skb     (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb     is built successfully (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: put page when fail to get all     requested user pages (bnc#758243 CVE-2012-2119).

  - macvtap: zerocopy: fix offset calculation when building     skb (bnc#758243 CVE-2012-2119).

  - Avoid reading past buffer when calling GETACL     (bnc#762992).

  - Avoid beyond bounds copy while caching ACL (bnc#762992).

  - Fix length of buffer copied in __nfs4_get_acl_uncached     (bnc#762992).

  - hfsplus: Fix potential buffer overflows (bnc#760902     CVE-2009-4020).

  - usb/net: rndis: merge command codes. only net/hyperv     part

  - usb/net: rndis: remove ambiguous status codes. only     net/hyperv part

  - usb/net: rndis: break out <linux/rndis.h> defines. only     net/hyperv part

  - net/hyperv: Add flow control based on hi/low watermark.

  - hv: fix return type of hv_post_message().

  - Drivers: hv: util: Properly handle version negotiations.

  - Drivers: hv: Get rid of an unnecessary check in     vmbus_prep_negotiate_resp().

  - HID: hyperv: Set the hid drvdata correctly.

  - HID: hid-hyperv: Do not use hid_parse_report() directly.

  - [SCSI] storvsc: Properly handle errors from the host     (bnc#747404).

  - Delete patches.suse/suse-hv-storvsc-ignore-ata_16.patch.

  - patches.suse/suse-hv-pata_piix-ignore-disks.patch     replace our version of this patch with upstream variant:
    ata_piix: defer disks to the Hyper-V drivers by default     libata: add a host flag to ignore detected ATA devices.

  - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs     pmd_populate SMP race condition (bnc#762991     CVE-2012-2373).

  - xfrm: take net hdr len into account for esp payload size     calculation (bnc#759545).

  - net/hyperv: Adding cancellation to ensure rndis filter     is closed.

  - xfs: Fix oops on IO error during     xlog_recover_process_iunlinks() (bnc#761681).

  - thp: reduce khugepaged freezing latency (bnc#760860).

  - igb: fix rtnl race in PM resume path (bnc#748859).

  - ixgbe: add missing rtnl_lock in PM resume path     (bnc#748859).

  - cdc_ether: Ignore bogus union descriptor for RNDIS     devices (bnc#735362). Taking the fix from net-next

  - Fix kABI breakage due to including proc_fs.h in     kernel/fork.c modversion changed because of changes in     struct proc_dir_entry (became defined) Refresh     patches.fixes/procfs-namespace-pid_ns-fix-leakage-on-for     k-failure.

  - Disabled MMC_TEST (bnc#760077).

  - Input: ALPS - add semi-MT support for v3 protocol     (bnc#716996).

  - Input: ALPS - add support for protocol versions 3 and 4     (bnc#716996).

  - Input: ALPS - remove assumptions about packet size     (bnc#716996).

  - Input: ALPS - add protocol version field in     alps_model_info (bnc#716996).

  - Input: ALPS - move protocol information to Documentation     (bnc#716996).

  - sysctl/defaults: kernel.hung_task_timeout ->     kernel.hung_task_timeout_secs (bnc#700174)

  - btrfs: partial revert of truncation improvements     (FATE#306586 bnc#748463 bnc#760279).

  - libata: skip old error history when counting probe     trials.

  - procfs, namespace, pid_ns: fix leakage upon fork()     failure (bnc#757783).

  - cdc-wdm: fix race leading leading to memory corruption     (bnc#759554). This patch fixes a race whereby a pointer     to a buffer would be overwritten while the buffer was in     use leading to a double free and a memory leak. This     causes crashes. This bug was introduced in 2.6.34

  - netfront: delay gARP until backend switches to     Connected.

  - xenbus: Reject replies with payload >     XENSTORE_PAYLOAD_MAX.

  - xenbus: check availability of XS_RESET_WATCHES command.

  - xenbus_dev: add missing error checks to watch handling.

  - drivers/xen/: use strlcpy() instead of strncpy().

  - blkfront: properly fail packet requests (bnc#745929).

  - Linux 3.1.10.

  - Update Xen config files.

  - Refresh other Xen patches.

  - tlan: add cast needed for proper 64 bit operation     (bnc#756840).

  - dl2k: Tighten ioctl permissions (bnc#758813).

  - mqueue: fix a vfsmount longterm reference leak     (bnc#757783).

  - cciss: Add IRQF_SHARED back in for the non-MSI(X)     interrupt handler (bnc#757789).

  - procfs: fix a vfsmount longterm reference leak     (bnc#757783).

  - uwb: fix error handling (bnc#731720). This fixes a     kernel error on unplugging an uwb dongle

  - uwb: fix use of del_timer_sync() in interrupt     (bnc#731720). This fixes a kernel warning on plugging in     an uwb dongle

  - acer-wmi: Detect communication hot key number.

  - acer-wmi: replaced the hard coded bitmap by the     communication devices bitmap from SMBIOS.

  - acer-wmi: add ACER_WMID_v2 interface flag to represent     new notebooks.

  - acer-wmi: No wifi rfkill on Sony machines.

  - acer-wmi: No wifi rfkill on Lenovo machines.

  - [media] cx22702: Fix signal strength.

  - fs: cachefiles: Add support for large files in     filesystem caching (bnc#747038).

  - Drivers: scsi: storvsc: Account for in-transit packets     in the RESET path.

  - CPU hotplug, cpusets, suspend: Don't touch cpusets     during suspend/resume (bnc#752460).

  - net: fix a potential rcu_read_lock() imbalance in     rt6_fill_node() (bnc#754186, bnc#736268).

  - This commit fixes suspend to ram breakage reported in     bnc#764864. Remove dud patch. The problem it addressed     is being respun upstream, is in tip, but not yet     mainlined. See bnc#752460 for details regarding the     problem the now removed patch fixed while breaking S2R.
    Delete     patches.fixes/cpusets-Dont-touch-cpusets-during-suspend-     or-resume.patch.

  - Remove dud patch. The problem it addressed is being     respun upstream, is in tip, but not yet mainlined.
    Delete     patches.fixes/cpusets-Dont-touch-cpusets-during-suspend-     or-resume.patch.

  - fix VM_FOREIGN users after c/s 878:eba6fe6d8d53     (bnc#760974).

  - gntdev: fix multi-page slot allocation (bnc#760974).

  - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs     pmd_populateSMP race condition (bnc#762991     CVE-2012-2373).

  - thp: avoid atomic64_read in pmd_read_atomic for 32bit     PAE (bnc#762991).

  - sym53c8xx: Fix NULL pointer dereference in slave_destroy     (bnc#767786).

  - sky2: fix regression on Yukon Optima (bnc#731537).

This kernel update of the openSUSE 12.1 kernel fixes lots of bugs and security issues.

Following issues were fixed :

  - tcp: drop SYN+FIN messages (bnc#765102).

  - net: sock: validate data_len before allocating skb in     sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136).

  - fcaps: clear the same personality flags as suid when     fcaps are used (bnc#758260 CVE-2012-2123).

  - macvtap: zerocopy: validate vectors before building skb     (bnc#758243 CVE-2012-2119).

  - hfsplus: Fix potential buffer overflows (bnc#760902     CVE-2009-4020).

  - xfrm: take net hdr len into account for esp payload size     calculation (bnc#759545).

  - ext4: fix undefined behavior in ext4_fill_flex_info()     (bnc#757278).

  - igb: fix rtnl race in PM resume path (bnc#748859).

  - ixgbe: add missing rtnl_lock in PM resume path     (bnc#748859).

  - b43: allocate receive buffers big enough for max frame     len + offset (bnc#717749).

  - xenbus: Reject replies with payload >     XENSTORE_PAYLOAD_MAX.

  - xenbus_dev: add missing error checks to watch handling.

  - hwmon: (coretemp-xen) Fix TjMax detection for older     CPUs.

  - hwmon: (coretemp-xen) Relax target temperature range     check.

  - Refresh other Xen patches.

  - tlan: add cast needed for proper 64 bit operation     (bnc#756840).

  - dl2k: Tighten ioctl permissions (bnc#758813).

  - [media] cx22702: Fix signal strength.

  - fs: cachefiles: Add support for large files in     filesystem caching (bnc#747038).

  - bridge: correct IPv6 checksum after pull (bnc#738644).

  - bridge: fix a possible use after free (bnc#738644).

  - bridge: Pseudo-header required for the checksum of     ICMPv6 (bnc#738644).

  - bridge: mcast snooping, fix length check of snooped     MLDv1/2 (bnc#738644).

  - PCI/ACPI: Report ASPM support to BIOS if not disabled     from command line (bnc#714455).

  - ipc/sem.c: fix race with concurrent semtimedop()     timeouts and IPC_RMID (bnc#756203).

  - drm/i915/crt: Remove 0xa0 probe for VGA.

  - tty_audit: fix tty_audit_add_data live lock on audit     disabled (bnc#721366).

  - drm/i915: suspend fbdev device around suspend/hibernate     (bnc#732908).

  - dlm: Do not allocate a fd for peeloff (bnc#729247).

  - sctp: Export sctp_do_peeloff (bnc#729247).

  - i2c-algo-bit: Fix spurious SCL timeouts under heavy     load.

  - patches.fixes/epoll-dont-limit-non-nested.patch: Don't     limit non-nested epoll paths (bnc#676204).

  - Update patches.suse/sd_init.mark_majors_busy.patch     (bnc#744658).

  - igb: Fix for Alt MAC Address feature on 82580 and later     devices (bnc#746980).

  - mark busy sd majors as allocated (bug#744658).

  - regset: Return -EFAULT, not -EIO, on host-side memory     fault (bnc# 750079 CVE-2012-1097).

  - regset: Prevent NULL pointer reference on readonly     regsets (bnc#750079 CVE-2012-1097).

  - mm: memcg: Correct unregistring of events attached to     the same eventfd (CVE-2012-1146 bnc#750959).

  - befs: Validate length of long symbolic links     (CVE-2011-2928 bnc#713430).

  - si4713-i2c: avoid potential buffer overflow on si4713     (CVE-2011-2700 bnc#707332).

  - staging: comedi: fix infoleak to userspace     (CVE-2011-2909 bnc#711941).

  - hfs: add sanity check for file name length     (CVE-2011-4330 bnc#731673).

  - cifs: fix dentry refcount leak when opening a FIFO on     lookup (CVE-2012-1090 bnc#749569).

  - drm: integer overflow in drm_mode_dirtyfb_ioctl()     (CVE-2012-0044 bnc#740745).

  - xfs: fix acl count validation in xfs_acl_from_disk()     (CVE-2012-0038 bnc#740703).

  - xfs: validate acl count (CVE-2012-0038 bnc#740703).

  -     patches.fixes/xfs-fix-possible-memory-corruption-in-xfs_     readlink: Work around missing xfs_alert().

  - xfs: Fix missing xfs_iunlock() on error recovery path in     xfs_readlink() (CVE-2011-4077 bnc#726600).

  - xfs: Fix possible memory corruption in xfs_readlink     (CVE-2011-4077 bnc#726600).

  - ext4: make ext4_split_extent() handle error correctly.

  - ext4: ext4_ext_convert_to_initialized bug found in     extended FSX testing.

  - ext4: add ext4_split_extent_at() and     ext4_split_extent().

  - ext4: reimplement convert and split_unwritten     (CVE-2011-3638 bnc#726045).

  - patches.fixes/epoll-limit-paths.patch: epoll: limit     paths (bnc#676204 CVE-2011-1083).

  - patches.kabi/epoll-kabi-fix.patch: epoll: hide kabi     change in struct file (bnc#676204 CVE-2011-1083).

  - NAT/FTP: Fix broken conntrack (bnc#681639 bnc#466279     bnc#747660).

  - igmp: Avoid zero delay when receiving odd mixture of     IGMP queries (bnc#740448 CVE-2012-0207).

  - jbd2: clear BH_Delay & BH_Unwritten in     journal_unmap_buffer (bnc#745832 CVE-2011-4086).

  - AppArmor: fix oops in apparmor_setprocattr (bnc#717209     CVE-2011-3619).

  - Refresh patches.suse/SoN-22-netvm.patch. Clean and
    *working* patches.

  - Refresh patches.suse/SoN-22-netvm.patch. (bnc#683671)     Fix an rcu locking imbalance in the receive path     triggered when using vlans.

  - Fix mangled patch (invalid date) Although accepted by     `patch`, this is rejected by `git apply`

  - Fix mangled diff lines (leading space tab vs tab)     Although accepted by `patch`, these are rejected by `git     apply`

  - jbd/jbd2: validate sb->s_first in     journal_get_superblock() (bnc#730118).

  - fsnotify: don't BUG in fsnotify_destroy_mark()     (bnc#689860).

  - Fix     patches.fixes/x25-Handle-undersized-fragmented-skbs.patc     h (CVE-2010-3873 bnc#651219).

  - Fix     patches.fixes/x25-Prevent-skb-overreads-when-checking-ca     ll-user-da.patch (CVE-2010-3873 bnc#651219).

  - Fix     patches.fixes/x25-Validate-incoming-call-user-data-lengt     hs.patch (CVE-2010-3873 bnc#651219).

  - Fix     patches.fixes/x25-possible-skb-leak-on-bad-facilities.pa     tch (CVE-2010-3873 bnc#651219 CVE-2010-4164 bnc#653260).

  - Update     patches.fixes/econet-4-byte-infoleak-to-the-network.patc     h (bnc#681186 CVE-2011-1173). Fix reference.

  - hwmon: (w83627ehf) Properly report thermal diode     sensors.

  - nl80211: fix overflow in ssid_len (bnc#703410     CVE-2011-2517).

  - nl80211: fix check for valid SSID size in scan     operations (bnc#703410 CVE-2011-2517).

  - x25: Prevent skb overreads when checking call user data     (CVE-2010-3873 bnc#737624).

  - x25: Handle undersized/fragmented skbs (CVE-2010-3873     bnc#737624).

  - x25: Validate incoming call user data lengths     (CVE-2010-3873 bnc#737624).

  - x25: possible skb leak on bad facilities (CVE-2010-3873     bnc#737624).

  - net: Add a flow_cache_flush_deferred function     (bnc#737624).

  - xfrm: avoid possible oopse in xfrm_alloc_dst     (bnc#737624).

  - scm: lower SCM_MAX_FD (bnc#655696 CVE-2010-4249).

The SUSE Linux Enterprise 11 SP1 kernel have been updated to fix various bugs and security issues.

The following security issues have been fixed :

  - Several buffer overread and overwrite errors in the UDF     logical volume descriptor code were fixed that might     have allowed local attackers able to mount UDF volumes     to crash the kernel or potentially gain privileges.
    (CVE-2012-3400)

  - A local denial of service in the last epoll fix was     fixed. (CVE-2012-3375)

  - A integer overflow in i915_gem_do_execbuffer() was fixed     that might be used by local attackers to crash the     kernel or potentially execute code. (CVE-2012-2384)

  - A integer overflow in i915_gem_execbuffer2() was fixed     that might be used by local attackers to crash the     kernel or potentially execute code. (CVE-2012-2383)

  - Memiory leaks in the hugetlbfs map reservation code were     fixed that could be used by local attackers to exhaust     machine memory. (CVE-2012-2390)

  - The filesystem capability handling was not fully     correct, allowing local users to bypass fscaps related     restrictions to disable e.g. address space     randomization. (CVE-2012-2123)

  - Validation of data_len before allocating fragments of     skbs was fixed that might have allowed a heap overflow.
    (CVE-2012-2136)

  - Fixed potential buffer overflows in the hfsplus     filesystem, which might be exploited by local attackers     able to mount such filesystems. (CVE-2012-2319)

Several leapsecond related bug fixes have been created :

  - hrtimer: provide clock_was_set_delayed(). (bnc#768632)

  - time: Fix leapsecond triggered hrtimer/futex load spike     issue. (bnc#768632)

  - ntp: fix leap second hrtimer deadlock. (bnc#768632)

  - ntp: avoid printk under xtime_lock (bnc#767684). The     following non-security issues have been fixed :

  - tcp: drop SYN+FIN messages to avoid memory leaks.
    (bnc#765102)

  - be2net: Fix EEH error reset before a flash dump     completes. (bnc#755546)

  - REVERT svcrpc: destroy server sockets all at once.
    (bnc#769210)

  - sched: Make sure to not re-read variables after     validation. (bnc#769685)

  - audit: Do not send uninitialized data for AUDIT_TTY_GET.
    (bnc#755513)

  - dlm: do not depend on sctp. (bnc#729247, bnc#763656)

  - RPC: killing RPC tasks races fixed. (bnc#765548)

  - vlan/core: Fix memory leak/corruption on VLAN GRO_DROP.
    (bnc#758058)

  - CPU hotplug, cpusets, suspend/resume: Do not modify     cpusets during suspend/resume. (bnc#752858)

  - ioat2: kill pending flag. (bnc#765022)

  - Fix massive driver induced spin_lock_bh() contention.

  - ipmi: Fix IPMI errors due to timing problems.
    (bnc#761988)

  - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.
    (bnc#760974)

  - xen: gntdev: fix multi-page slot allocation.
    (bnc#760974)

  - rpm/kernel-binary.spec.in: Own the right -kdump initrd.
    (bnc#764500)

  - kernel: pfault task state race (bnc#764098,LTC#81724).

  - xfrm: take net hdr len into account for esp payload size     calculation. (bnc#759545)

  - bonding: do not dereference NULL pointer to device of     VLAN 0. (bnc#763830)

  - cifs: fix oops while traversing open file list (try #4).
    (bnc#756050)

  - nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink.
    (bnc#769777)

  - nfs: Ensure we never try to mount an NFS auto-mount dir     (bnc748601).

  - patches.suse/cgroup-disable-memcg-when-low-lowmem.patch:
    fix typo: use if defined(CONFIG_) rather than if CONFIG_

  - patches.suse/pagecache-limit-fix-shmem-deadlock.patch:
    Fixed the GFP_NOWAIT is zero and not suitable for tests     bug. (bnc#755537)

  - sys_poll: fix incorrect type for timeout parameter.
    (bnc#754428)

  - scsi_transport_fc: fix blocked bsg request when fc     object deleted. (bnc#761414, bnc#734300)

  - ehea: fix allmulticast support. (bnc#758013)

  - scsi: Silence unnecessary warnings about ioctl to     partition. (bnc#758104)

  - sched/x86: Fix overflow in cyc2ns_offset. (bnc#630970,     bnc#661605)

  - sched/rt: Do not throttle when PI boosting. (bnc#754085)

  - sched/rt: Keep period timer ticking when rt throttling     is active. (bnc#754085)

  - sched,rt: fix isolated CPUs leaving root_task_group     indefinitely throttled. (bnc#754085)

This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.

The following security issues have been fixed :

  - kernel/taskstats.c in the Linux kernel allowed local     users to obtain sensitive I/O statistics by sending     taskstats commands to a netlink socket, as demonstrated     by discovering the length of another users password (a     side channel attack). (CVE-2011-2494)

  - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux     kernel, when the nf_conntrack_ipv6 module is enabled,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via certain     types of fragmented IPv6 packets. (CVE-2012-2744)

  - Use-after-free vulnerability in the xacct_add_tsk     function in kernel/tsacct.c in the Linux kernel allowed     local users to obtain potentially sensitive information     from kernel memory or cause a denial of service (system     crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.
    (CVE-2012-3510)

  - The user_update function in security/keys/user_defined.c     in the Linux kernel 2.6 allowed local users to cause a     denial of service (NULL pointer dereference and kernel     oops) via vectors related to a user-defined key and     updating a negative key into a fully instantiated key.
    (CVE-2011-4110)

  - The ib_uverbs_poll_cq function in     drivers/infiniband/core/uverbs_cmd.c in the Linux kernel     did not initialize a certain response buffer, which     allowed local users to obtain potentially sensitive     information from kernel memory via vectors that cause     this buffer to be only partially filled, a different     vulnerability than CVE-2010-4649. (CVE-2011-1044)

  - Heap-based buffer overflow in the udf_load_logicalvol     function in fs/udf/super.c in the Linux kernel allowed     remote attackers to cause a denial of service (system     crash) or possibly have unspecified other impact via a     crafted UDF filesystem. (CVE-2012-3400)

  - The sock_alloc_send_pskb function in net/core/sock.c in     the Linux kernel did not properly validate a certain     length value, which allowed local users to cause a     denial of service (heap-based buffer overflow and system     crash) or possibly gain privileges by leveraging access     to a TUN/TAP device. (CVE-2012-2136)

  - A small denial of service leak in dropping syn+fin     messages was fixed. (CVE-2012-2663)

The following non-security issues have been fixed :

Packaging :

  - kbuild: Fix gcc -x syntax (bnc#773831). NFS :

  - knfsd: An assortment of little fixes to the sunrpc cache     code. (bnc#767766)

  - knfsd: Unexport cache_fresh and fix a small race.
    (bnc#767766)

  - knfsd: nfsd: do not drop silently on upcall deferral.
    (bnc#767766)

  - knfsd: svcrpc: remove another silent drop from deferral     code. (bnc#767766)

  - sunrpc/cache: simplify cache_fresh_locked and     cache_fresh_unlocked. (bnc#767766)

  - sunrpc/cache: recheck cache validity after     cache_defer_req. (bnc#767766)

  - sunrpc/cache: use list_del_init for the list_head     entries in cache_deferred_req. (bnc#767766)

  - sunrpc/cache: avoid variable over-loading in     cache_defer_req. (bnc#767766)

  - sunrpc/cache: allow thread to block while waiting for     cache update. (bnc#767766)

  - sunrpc/cache: Fix race in sunrpc/cache introduced by     patch to allow thread to block while waiting for cache     update. (bnc#767766)

  - sunrpc/cache: Another fix for race problem with sunrpc     cache deferal. (bnc#767766)

  - knfsd: nfsd: make all exp_finding functions return
    -errnos on err. (bnc#767766)

  - Fix kabi breakage in previous nfsd patch series.
    (bnc#767766)

  - nfsd: Work around incorrect return type for     wait_for_completion_interruptible_timeout. (bnc#767766)

  - nfs: Fix a potential file corruption issue when writing.
    (bnc#773272)

  - nfs: Allow sync writes to be multiple pages.
    (bnc#763526)

  - nfs: fix reference counting for NFSv4 callback thread.
    (bnc#767504)

  - nfs: flush signals before taking down callback thread.
    (bnc#767504)

  - nfsv4: Ensure nfs_callback_down() calls svc_destroy()     (bnc#767504). SCSI :

  - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058)

  - drivers/scsi/aic94xx/aic94xx_init.c: correct the size     argument to kmalloc. (bnc#783058)

  - block: fail SCSI passthrough ioctls on partition     devices. (bnc#738400)

  - dm: do not forward ioctls from logical volumes to the     underlying device. (bnc#738400)

  - vmware: Fix VMware hypervisor detection (bnc#777575,     bnc#770507). S/390 :

  - lgr: Make lgr_page static (bnc#772409,LTC#83520).

  - zfcp: Fix oops in _blk_add_trace()     (bnc#772409,LTC#83510).

  - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).

  - be2net: Fix EEH error reset before a flash dump     completes. (bnc#755546)

  - mptfusion: fix msgContext in mptctl_hp_hostinfo.
    (bnc#767939)

  - PCI: Fix bus resource assignment on 32 bits with 64b     resources. . (bnc#762581)

  - PCI: fix up setup-bus.c #ifdef. (bnc#762581)

  - x86: powernow-k8: Fix indexing issue. (bnc#758985)

  - net: Fix race condition about network device name     allocation. (bnc#747576)

XEN :

  - smpboot: adjust ordering of operations.

  - xen/x86-64: provide a memset() that can deal with 4Gb or     above at a time. (bnc#738528)

  - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.
    (bnc#760974)

  - xen/gntdev: fix multi-page slot allocation. (bnc#760974)

ID	Name	Product	Family	Severity
83563	SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1)	Nessus	SuSE Local Security Checks	high
74801	openSUSE Security Update : kernel (openSUSE-SU-2012:1439-1)	Nessus	SuSE Local Security Checks	critical
74661	openSUSE Security Update : Kernel (openSUSE-SU-2012:0812-1)	Nessus	SuSE Local Security Checks	high
74658	openSUSE Security Update : Kernel (openSUSE-SU-2012:0799-1)	Nessus	SuSE Local Security Checks	critical
64177	SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 6547 / 6548 / 6550)	Nessus	SuSE Local Security Checks	high
62676	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325)	Nessus	SuSE Local Security Checks	high
62675	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324)	Nessus	SuSE Local Security Checks	high

CVE-2012-2663

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins