The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs.

The Following security issues have been fixed :

CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password.

CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.

CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.

CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.

CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability.

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call.

CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application.

CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation.

CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application.

CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument.

CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.

CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.

CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.

CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.

CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.

CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.

CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.

CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.

CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and 'updating a negative key into a fully instantiated key.'

CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.

CVE-2009-4020: Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.

CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel did not validate the length attribute of long symlinks, which allowed local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.

CVE-2011-4077: Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel, when CONFIG_XFS_DEBUG is disabled, allowed local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname.

CVE-2011-4324: The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.

CVE-2011-4330: Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/trans.c in the Linux kernel allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via an HFS image with a crafted len field.

CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-2525: The qdisc_notify function in net/sched/sch_api.c in the Linux kernel did not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected 0 character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.

CVE-2011-3209: The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel on the x86 platform allowed local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating 0 character.

CVE-2011-2699: The IPv6 implementation in the Linux kernel did not generate Fragment Identification values separately for each destination, which made it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.

CVE-2011-2203: The hfs_find_init function in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record.

CVE-2009-4067: A USB string descriptor overflow in the auerwald USB driver was fixed, which could be used by physically proximate attackers to cause a kernel crash.

CVE-2011-3363: The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel did not properly handle DFS referrals, which allowed remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.

CVE-2011-2484: The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.

CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value.'

CVE-2010-4249: The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.

The following bugs have been fixed :

patches.fixes/allow-executables-larger-than-2GB.patch: Allow executables larger than 2GB (bnc#836856).

cio: prevent kernel panic after unexpected I/O interrupt (bnc#649868,LTC#67975).

  - cio: Add timeouts for internal IO     (bnc#701550,LTC#72691). kernel: first time swap use     results in heavy swapping (bnc#701550,LTC#73132).

    qla2xxx: Do not be so verbose on underrun detected

    patches.arch/i386-run-tsc-calibration-5-times.patch: Fix     the patch, the logic was wrong (bnc#537165, bnc#826551).

    xfs: Do not reclaim new inodes in xfs_sync_inodes()     (bnc#770980 bnc#811752).

    kbuild: Fix gcc -x syntax (bnc#773831).

    e1000e: stop cleaning when we reach tx_ring->next_to_use     (bnc#762825).

    Fix race condition about network device name allocation     (bnc#747576).

    kdump: bootmem map over crash reserved region     (bnc#749168, bnc#722400, bnc#742881).

    tcp: fix race condition leading to premature termination     of sockets in FIN_WAIT2 state and connection being reset     (bnc#745760)

    tcp: drop SYN+FIN messages (bnc#765102).

    net/linkwatch: Handle jiffies wrap-around (bnc#740131).

    patches.fixes/vm-dirty-bytes: Provide     /proc/sys/vm/dirty_{background_,}bytes for tuning     (bnc#727597).

    ipmi: Fix deadlock in start_next_msg() (bnc#730749).

    cpu-hotplug: release workqueue_mutex properly on CPU     hot-remove (bnc#733407).

    libiscsi: handle init task failures (bnc#721351).

    NFS/sunrpc: do not use a credential with extra groups     (bnc#725878).

    x86_64: fix reboot hang when 'reboot=b' is passed to the     kernel (bnc#721267).

    nf_nat: do not add NAT extension for confirmed     conntracks (bnc#709213).

    xfs: fix memory reclaim recursion deadlock on locked     inode buffer (bnc#699355 bnc#699354 bnc#721830).

    ipmi: do not grab locks in run-to-completion mode     (bnc#717421).

    cciss: do not attempt to read from a write-only register     (bnc#683101).

    qla2xxx: Disable MSI-X initialization (bnc#693513).

    Allow balance_dirty_pages to help other filesystems     (bnc#709369).

  - nfs: fix congestion control (bnc#709369).

  - NFS: Separate metadata and page cache revalidation     mechanisms (bnc#709369). knfsd: nfsd4: fix laundromat     shutdown race (bnc#752556).

    x87: Do not synchronize TSCs across cores if they     already should be synchronized by HW (bnc#615418     bnc#609220).

    reiserfs: Fix int overflow while calculating free space     (bnc#795075).

    af_unix: limit recursion level (bnc#656153).

    bcm43xx: netlink deadlock fix (bnc#850241).

    jbd: Issue cache flush after checkpointing (bnc#731770).

    cfq: Fix infinite loop in cfq_preempt_queue()     (bnc#724692).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 10 SP4 kernel has been updated to fix various bugs and security issues.

Security issues fixed :

CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device.

Also the following bugs have been fixed :

  - hugetlb: Fix regression introduced by the original patch     (bnc#790236, bnc#819403).

  - NFSv3/v2: Fix data corruption with NFS short reads     (bnc#818337).

  - Fix package descriptions in specfiles (bnc#817666).

  - TTY: fix atime/mtime regression (bnc#815745).

  - virtio_net: ensure big packets are 64k (bnc#760753).

  - virtio_net: refill rx buffers when oom occurs     (bnc#760753).

  - qeth: fix qeth_wait_for_threads() deadlock for OSN     devices (bnc#812317, LTC#90910).

  - nfsd: remove unnecessary NULL checks from nfsd_cross_mnt     (bnc#810628).

  - knfsd: Fixed problem with NFS exporting directories     which are mounted on (bnc#810628).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client. (CVE-2012-2375 , Moderate)

A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to 'illinois'), a local, unprivileged user could trigger this flaw and cause a denial of service. (CVE-2012-4565 , Moderate)

A NULL pointer dereference flaw was found in the way a new node's hot added memory was propagated to other nodes' zonelists. By utilizing this newly added memory from one of the remaining nodes, a local, unprivileged user could use this flaw to cause a denial of service.
(CVE-2012-5517 , Moderate)

It was found that a prevoius kernel release did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.
(CVE-2012-2100 , Low)

A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444 , Low)

From Red Hat Security Advisory 2013:0168 :

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang). (CVE-2012-5515, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444, Low)

Red Hat would like to thank the Xen project for reporting CVE-2012-5515, and Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444.

This update also fixes several bugs. Space precludes documenting all of these changes in this advisory. Documentation for these changes will be available shortly from the Red Hat Enterprise Linux 5.9 Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-2048 advisory.

  - The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform     and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-     groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super     block with a large FLEX_BG group size (aka s_log_groups_per_flex value). NOTE: this vulnerability exists     because of an incomplete fix for CVE-2009-4307. (CVE-2012-2100)

  - The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote     attackers to bypass intended network restrictions via overlapping IPv6 fragments. (CVE-2012-4444)

  - The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the     net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of     service (divide-by-zero error and OOPS) by reading TCP stats. (CVE-2012-4565)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-1580 advisory.

  - The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform     and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-     groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super     block with a large FLEX_BG group size (aka s_log_groups_per_flex value). NOTE: this vulnerability exists     because of an incomplete fix for CVE-2009-4307. (CVE-2012-2100)

  - The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel     before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to     cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply.
    NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131. (CVE-2012-2375)

  - The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote     attackers to bypass intended network restrictions via overlapping IPv6 fragments. (CVE-2012-4444)

  - The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the     net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of     service (divide-by-zero error and OOPS) by reading TCP stats. (CVE-2012-4565)

  - The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to     cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other     impact in opportunistic circumstances by using memory that was hot-added by an administrator.
    (CVE-2012-5517)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 10 SP4 kernel has been updated to fix various bugs and security issues.

Security issues fixed :

  - The ip6_frag_queue function in net/ipv6/reassembly.c in     the Linux kernel allowed remote attackers to bypass     intended network restrictions via overlapping IPv6     fragments. (CVE-2012-4444)

  - The do_video_set_spu_palette function in     fs/compat_ioctl.c in the Linux kernel lacked a certain     error check, which might have allowed local users to     obtain sensitive information from kernel stack memory     via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a     /dev/dvb device. (CVE-2013-1928)

Also the following bugs have been fixed :

  - hugetlb: Fix regression introduced by the original     patch. (bnc#790236, bnc#819403)

  - NFSv3/v2: Fix data corruption with NFS short reads.
    (bnc#818337)

  - Fix package descriptions in specfiles. (bnc#817666)

  - TTY: fix atime/mtime regression. (bnc#815745)

  - virtio_net: ensure big packets are 64k. (bnc#760753)

  - virtio_net: refill rx buffers when oom occurs.
    (bnc#760753)

  - qeth: fix qeth_wait_for_threads() deadlock for OSN     devices (bnc#812317, LTC#90910).

  - nfsd: remove unnecessary NULL checks from     nfsd_cross_mnt. (bnc#810628)

  - knfsd: Fixed problem with NFS exporting directories     which are mounted on. (bnc#810628)

This update fixes the following security issues :

  - It was found that the Xen hypervisor implementation did     not perform range checking on the guest provided values     in multiple hypercalls. A privileged guest user could     use this flaw to trigger long loops, leading to a denial     of service (Xen hypervisor hang). (CVE-2012-5515,     Moderate)

  - It was found that when running a 32-bit binary that uses     a large number of shared libraries, one of the libraries     would always be loaded at a predictable address in     memory. An attacker could use this flaw to bypass the     Address Space Layout Randomization (ASLR) security     feature. (CVE-2012-1568, Low)

  - A flaw was found in the way the Linux kernel's IPv6     implementation handled overlapping, fragmented IPv6     packets. A remote attacker could potentially use this     flaw to bypass protection mechanisms (such as a firewall     or intrusion detection system (IDS)) when sending     network packets to a target system. (CVE-2012-4444, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang). (CVE-2012-5515, Moderate)

* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444, Low)

Red Hat would like to thank the Xen project for reporting CVE-2012-5515, and Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444.

This update also fixes several bugs. Space precludes documenting all of these changes in this advisory. Documentation for these changes will be available shortly from the Red Hat Enterprise Linux 5.9 Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

This update fixes the following security issues :

  - It was found that a previous update did not correctly     fix the CVE-2011-4131 issue. A malicious Network File     System version 4 (NFSv4) server could return a crafted     reply to a GETACL request, causing a denial of service     on the client. (CVE-2012-2375, Moderate)

  - A divide-by-zero flaw was found in the TCP Illinois     congestion control algorithm implementation in the Linux     kernel. If the TCP Illinois congestion control algorithm     were in use (the sysctl net.ipv4.tcp_congestion_control     variable set to 'illinois'), a local, unprivileged user     could trigger this flaw and cause a denial of service.
    (CVE-2012-4565, Moderate)

  - A NULL pointer dereference flaw was found in the way a     new node's hot added memory was propagated to other     nodes' zonelists. By utilizing this newly added memory     from one of the remaining nodes, a local, unprivileged     user could use this flaw to cause a denial of service.
    (CVE-2012-5517, Moderate)

  - It was found that the initial release of Scientific     Linux 6 did not correctly fix the CVE-2009-4307 issue, a     divide-by-zero flaw in the ext4 file system code. A     local, unprivileged user with the ability to mount an     ext4 file system could use this flaw to cause a denial     of service. (CVE-2012-2100, Low)

  - A flaw was found in the way the Linux kernel's IPv6     implementation handled overlapping, fragmented IPv6     packets. A remote attacker could potentially use this     flaw to bypass protection mechanisms (such as a firewall     or intrusion detection system (IDS)) when sending     network packets to a target system. (CVE-2012-4444, Low)

The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues, numerous bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the RHSA-2012:0862 update did not correctly fix the CVE-2011-4131 issue. A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client. (CVE-2012-2375, Moderate)

* A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to 'illinois'), a local, unprivileged user could trigger this flaw and cause a denial of service. (CVE-2012-4565, Moderate)

* A NULL pointer dereference flaw was found in the way a new node's hot added memory was propagated to other nodes' zonelists. By utilizing this newly added memory from one of the remaining nodes, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-5517, Moderate)

* It was found that the initial release of Red Hat Enterprise Linux 6 did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service. (CVE-2012-2100, Low)

* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system. (CVE-2012-4444, Low)

Red Hat would like to thank Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444. The CVE-2012-2375 issue was discovered by Jian Li of Red Hat, and CVE-2012-4565 was discovered by Rodrigo Freire of Red Hat.

This update also fixes numerous bugs and adds one enhancement. Space precludes documenting all of these changes in this advisory.
Documentation for these changes will be available shortly from the Red Hat Enterprise Linux 6.3 Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, fix these bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1580 advisory.

  - kernel: ext4: fix inconsistency in ext4_fill_flex_info() (CVE-2012-2100)

  - kernel: incomplete fix for CVE-2011-4131 (CVE-2012-2375)

  - kernel: net: acceptation of overlapping ipv6 fragments (CVE-2012-4444)

  - kernel: net: divide by zero in tcp algorithm illinois (CVE-2012-4565)

  - kernel: mm/hotplug: failure in propagating hot-added memory to other nodes (CVE-2012-5517)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Zhang Zuotao discovered a bug in the Linux kernel's handling of overlapping fragments in ipv6. A remote attacker could exploit this flaw to bypass firewalls and initial new network connections that should have been blocked by the firewall.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2013-0168.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-1580.

ID	Name	Product	Family	Severity
83611	SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)	Nessus	SuSE Local Security Checks	high
83603	SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)	Nessus	SuSE Local Security Checks	high
83586	SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2013:0856-1)	Nessus	SuSE Local Security Checks	medium
69707	Amazon Linux AMI : kernel / nvidia (ALAS-2013-148)	Nessus	Amazon Linux Local Security Checks	high
68711	Oracle Linux 5 : kernel (ELSA-2013-0168)	Nessus	Oracle Linux Local Security Checks	medium
68710	Oracle Linux 5 : kernel (ELSA-2013-0168-1)	Nessus	Oracle Linux Local Security Checks	medium
68690	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2048)	Nessus	Oracle Linux Local Security Checks	high
68666	Oracle Linux 6 : kernel (ELSA-2012-1580)	Nessus	Oracle Linux Local Security Checks	high
66782	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8587)	Nessus	SuSE Local Security Checks	medium
66781	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8583)	Nessus	SuSE Local Security Checks	medium
63677	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20130122)	Nessus	Scientific Linux Local Security Checks	medium
63670	CentOS 5 : kernel (CESA-2013:0168)	Nessus	CentOS Local Security Checks	medium
63662	RHEL 5 : kernel (RHSA-2013:0168)	Nessus	Red Hat Local Security Checks	medium
63313	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20121218)	Nessus	Scientific Linux Local Security Checks	high
63305	CentOS 6 : kernel (CESA-2012:1580)	Nessus	CentOS Local Security Checks	high
63292	RHEL 6 : kernel (RHSA-2012:1580)	Nessus	Red Hat Local Security Checks	medium
63262	Ubuntu 10.04 LTS : linux-ec2 vulnerability (USN-1664-1)	Nessus	Ubuntu Local Security Checks	medium
63222	Ubuntu 10.04 LTS : linux vulnerability (USN-1661-1)	Nessus	Ubuntu Local Security Checks	medium
63221	Ubuntu 8.04 LTS : linux vulnerability (USN-1660-1)	Nessus	Ubuntu Local Security Checks	medium
801533	CentOS RHSA-2013-0168 Security Check	Log Correlation Engine	Generic	high
801532	CentOS RHSA-2012-1580 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2012-4444

high

Tenable Plugins

high

high

medium

high

medium

medium

high

high

medium

medium

medium

medium

medium

high

high

medium

medium

medium

medium

high

high