http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2690d97ade05c5325cbf7c72b94b90d265659886

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.8

[oss-security] 20140128 Re: CVE request Linux kernel: netfilter: nf_nat: leakage of uninitialized buffer in IRC NAT helper

USN-2137-1

USN-2140-1

USN-2158-1

https://bugzilla.redhat.com/show_bug.cgi?id=1058748

https://github.com/torvalds/linux/commit/2690d97ade05c5325cbf7c72b94b90d265659886

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The n_tty_write function in drivers/tty/n_tty.c in the     Linux kernel through 3.14.3 does not properly manage     tty driver access in the 'LECHO i1/4+ !OPOST' case, which     allows local users to cause a denial of service (memory     corruption and system crash) or gain privileges by     triggering a race condition involving read and write     operations with long strings.(CVE-2014-0196)

  - Array index error in the aio_read_events_ring function     in fs/aio.c in the Linux kernel through 3.15.1 allows     local users to obtain sensitive information from kernel     memory via a large head value.(CVE-2014-0206)

  - The fst_get_iface function in drivers/net/wan/farsync.c     in the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444)

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445)

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446)

  - The help function in net/netfilter/nf_nat_irc.c in the     Linux kernel before 3.12.8 allows remote attackers to     obtain sensitive information from kernel memory by     establishing an IRC DCC session in which incorrect     packet data is transmitted during use of the NAT mangle     feature.(CVE-2014-1690)

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)

  - It was found that the Linux kernel's floppy driver     leaked internal kernel memory addresses to user space     during the processing of the FDRAWCMD IOCTL command. A     local user with write access to /dev/fdX could use this     flaw to obtain information about the kernel heap     arrangement. (CVE-2014-1738, Low)

  - Note: A local user with write access to /dev/fdX could     use these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1737)

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)

  - It was found that the Linux kernel's floppy driver     leaked internal kernel memory addresses to user space     during the processing of the FDRAWCMD IOCTL command. A     local user with write access to /dev/fdX could use this     flaw to obtain information about the kernel heap     arrangement. (CVE-2014-1738, Low)

  - Note: A local user with write access to /dev/fdX could     use these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1738)

  - An information leak flaw was found in the way the Linux     kernel handled media device enumerate entities IOCTL     requests. A local user able to access the /dev/media0     device file could use this flaw to leak kernel memory     bytes.(CVE-2014-1739)

  - The security_context_to_sid_core function in     security/selinux/ss/services.c in the Linux kernel     before 3.13.4 allows local users to cause a denial of     service (system crash) by leveraging the CAP_MAC_ADMIN     capability to set a zero-length security     context.(CVE-2014-1874)

  - The nfs_can_extend_write function in fs/nfs/write.c in     the Linux kernel before 3.13.3 relies on a write     delegation to extend a write operation without a     certain up-to-date verification, which allows local     users to obtain sensitive information from kernel     memory in opportunistic circumstances by writing to a     file in an NFS filesystem and then reading the same     file.(CVE-2014-2038)

  - The ip6_route_add function in net/ipv6/route.c in the     Linux kernel through 3.13.6 does not properly count the     addition of routes, which allows remote attackers to     cause a denial of service (memory consumption) via a     flood of ICMPv6 Router Advertisement     packets.(CVE-2014-2309)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux     kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call     to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error     function.(CVE-2014-2523)

  - Use-after-free vulnerability in the nfqnl_zcopy     function in net/netfilter/nfnetlink_queue_core.c in the     Linux kernel through 3.13.6 allows attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation. NOTE: the     affected code was moved to the skb_zerocopy function in     net/core/skbuff.c before the vulnerability was     announced.(CVE-2014-2568)

  - It was found that a remote attacker could use a race     condition flaw in the ath_tx_aggr_sleep() function to     crash the system by creating large network traffic on     the system's Atheros 9k wireless network     adapter.(CVE-2014-2672)

  - A flaw was found in the way the Linux kernel performed     forking inside of a transaction. A local, unprivileged     user on a PowerPC system that supports transactional     memory could use this flaw to crash the     system.(CVE-2014-2673)

  - A race condition flaw was found in the way the Linux     kernel's mac80211 subsystem implementation handled     synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the     system.(CVE-2014-2706)

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851)

  - It was found that the try_to_unmap_cluster() function     in the Linux kernel's Memory Managment subsystem did     not properly handle page locking in certain cases,     which could potentially trigger the BUG_ON() macro in     the mlock_vma_page() function. A local, unprivileged     user could use this flaw to crash the     system.(CVE-2014-3122)

  - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST     extension implementations in the sk_run_filter function     in net/core/filter.c in the Linux kernel through 3.14.3     do not check whether a certain length value is     sufficiently large, which allows local users to cause a     denial of service (integer underflow and system crash)     via crafted BPF instructions. NOTE: the affected code     was moved to the __skb_get_nlattr and
    __skb_get_nlattr_nest functions before the     vulnerability was announced.(CVE-2014-3144)

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel before     4.5.5 does not properly initialize a certain data     structure, which allows attackers to obtain sensitive     information from kernel stack memory via an X.25 Call     Request.(CVE-2016-4580i1/4%0

  - A flaw was found in the Linux kernel's implementation     of seq_file where a local attacker could manipulate     memory in the put() function pointer. This could lead     to memory corruption and possible privileged     escalation.(CVE-2016-7910i1/4%0

  - A flaw was found in the way the Linux kernel's     netfilter subsystem handled generic protocol tracking.
    As demonstrated in the Stream Control Transmission     Protocol (SCTP) case, a remote attacker could use this     flaw to bypass intended iptables rule restrictions when     the associated connection tracking module was not     loaded on the system.(CVE-2014-8160i1/4%0

  - The get_endpoints function in     drivers/usb/misc/usbtest.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16532i1/4%0

  - An integer overflow flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4656i1/4%0

  - The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in     the Linux kernel through 4.16.12 allows local users to     cause a denial of service (stack-based buffer overflow)     or possibly have unspecified other impact because sense     buffers have different sizes at the CDROM layer and the     SCSI layer.(CVE-2018-11506i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729i1/4%0

  - The Linux kernel before version 4.11 is vulnerable to a     NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response is mishandled during session     recovery.(CVE-2018-1066i1/4%0

  - drivers/hid/hid-sensor-hub.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows     physically proximate attackers to obtain sensitive     information from kernel memory via a crafted     device.(CVE-2013-2898i1/4%0

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. A buffer overflow in     truncate_inline_inode() in the fs/f2fs/inline.c     function, when umounting a crafted f2fs image, can     occur because a length value may be     negative.(CVE-2018-14615i1/4%0

  - The help function in net/netfilter/nf_nat_irc.c in the     Linux kernel before 3.12.8 allows remote attackers to     obtain sensitive information from kernel memory by     establishing an IRC DCC session in which incorrect     packet data is transmitted during use of the NAT mangle     feature.(CVE-2014-1690i1/4%0

  - It was found that the Linux kernel's keys subsystem did     not correctly garbage collect uninstantiated keyrings.
    A local attacker could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-7872i1/4%0

  - The TCP stack in the Linux kernel 3.x does not properly     implement a SYN cookie protection mechanism for the     case of a fast network connection, which allows remote     attackers to cause a denial of service (CPU     consumption) by sending many TCP SYN packets, as     demonstrated by an attack against the kernel-3.10.0     package in CentOS Linux 7. NOTE: third parties have     been unable to discern any relationship between the     GitHub Engineering finding and the Trigemini.c attack     code.(CVE-2017-5972i1/4%0

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact by sending a XFRM_MSG_MIGRATE netlink     message. This flaw is present in the Linux kernel since     an introduction of XFRM_MSG_MIGRATE in 2.6.21-rc1, up     to 4.13-rc3.(CVE-2017-11600i1/4%0

  - A use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the     system.(CVE-2016-10200i1/4%0

  - A flaw was found in the way the Linux kernel's VFS     subsystem handled file system locks. A local,     unprivileged user could use this flaw to trigger a     deadlock in the kernel, causing a denial of service on     the system.(CVE-2014-8559i1/4%0

  - Multiple buffer overflows in     drivers/staging/wlags49_h2/wl_priv.c in the Linux     kernel before 3.12 allow local users to cause a denial     of service or possibly have unspecified other impact by     leveraging the CAP_NET_ADMIN capability and providing a     long station-name string, related to the (1)     wvlan_uil_put_info and (2) wvlan_set_station_nickname     functions.(CVE-2013-4514i1/4%0

  - The udl_fb_mmap function in     drivers/gpu/drm/udl/udl_fb.c at the Linux kernel     version 3.4 and up to and including 4.15 has an     integer-overflow vulnerability allowing local users     with access to the udldrmfb driver to obtain full read     and write permissions on kernel physical pages,     resulting in a code execution in kernel     space.(CVE-2018-8781i1/4%0

  - A flaw was discovered in the Linux kernel where issuing     certain ioctl() -s commands to the '/dev/ppp' device     file could lead to a NULL pointer dereference. A     privileged user could use this flaw to cause a kernel     crash and denial of service.(CVE-2015-7799i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

  * A denial of service flaw was found in the way the Linux     kernel's IPv6 implementation processed IPv6 router     advertisement (RA) packets. An attacker able to send a     large number of RA packets to a target system could     potentially use this flaw to crash the target system.
    (CVE-2014-2309, Important)

  * A flaw was found in the way the Linux kernel's netfilter     connection tracking implementation for Datagram     Congestion Control Protocol (DCCP) packets used the     skb_header_pointer() function. A remote attacker could     use this flaw to send a specially crafted DCCP packet     to crash the system or, potentially, escalate their     privileges on the system. (CVE-2014-2523, Important)

  * A flaw was found in the way the Linux kernel's CIFS     implementation handled uncached write operations with     specially crafted iovec structures. An unprivileged     local user with access to a CIFS share could use this     flaw to crash the system, leak kernel memory, or,     potentially, escalate their privileges on the system.
    (CVE-2014-0069, Moderate)

  * A flaw was found in the way the Linux kernel handled     pending Floating Pointer Unit (FPU) exceptions during     the switching of tasks. A local attacker could use this     flaw to terminate arbitrary processes on the system,     causing a denial of service, or, potentially, escalate     their privileges on the system. Note that this flaw only     affected systems using AMD CPUs on both 32-bit and     64-bit architectures. (CVE-2014-1438, Moderate)

  * It was found that certain protocol handlers in the Linux     kernel's networking implementation could set the     addr_len value without initializing the associated data     structure. A local, unprivileged user could use this     flaw to leak kernel stack memory to user space using the     recvmsg, recvfrom, and recvmmsg system calls.
    (CVE-2013-7263, CVE-2013-7265, Low)

  * An information leak flaw was found in the Linux kernel's     netfilter connection tracking IRC NAT helper     implementation that could allow a remote attacker to     disclose portions of kernel stack memory during IRC     DCC (Direct Client-to-Client) communication over NAT.
    (CVE-2014-1690, Low)

  * A denial of service flaw was discovered in the way the     Linux kernel's SELinux implementation handled files with     an empty SELinux security context. A local user who has     the CAP_MAC_ADMIN capability could use this flaw to     crash the system. (CVE-2014-1874, Low)

This update also fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users are advised to upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.10.33-rt32.33, correct these issues, and fix the bugs and add the enhancements noted in the Red Hat Enterprise MRG 2 Technical Notes. The system must be rebooted for this update to take effect.

The Linux Kernel was updated to fix various security issues and bugs.

Main security issues fixed :

A security issue in the tty layer that was fixed that could be used by local attackers for code execution (CVE-2014-0196).

Two security issues in the floppy driver were fixed that could be used by local attackers on machines with the floppy to crash the kernel or potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738).

Other security issues and bugs that were fixed :

  - netfilter: nf_nat: fix access to uninitialized buffer in     IRC NAT helper (bnc#860835 CVE-2014-1690).

  - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer     is AUTH (bnc#866102, CVE-2014-0101).

  - n_tty: Fix a n_tty_write crash and code execution when     echoing in raw mode (bnc#871252 bnc#875690     CVE-2014-0196).

  - netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones     (bnc#873717).

  - Update config files: re-enable twofish crypto support     Software twofish crypto support was disabled in several     architectures since openSUSE 10.3. For i386 and x86_64     it was on purpose, because hardware-accelerated     alternatives exist. However for all other architectures     it was by accident. Re-enable software twofish crypto     support in arm, ia64 and ppc configuration files, to     guarantee that at least one implementation is always     available (bnc#871325).

  - Update config files: disable CONFIG_TOUCHSCREEN_W90X900     The w90p910_ts driver only makes sense on the W90x900     architecture, which we do not support.

  - ath9k: protect tid->sched check     (bnc#871148,CVE-2014-2672).

  - Fix dst_neigh_lookup/dst_neigh_lookup_skb return value     handling bug (bnc#869898).

  - SELinux: Fix kernel BUG on empty security contexts     (bnc#863335,CVE-2014-1874).

  - hamradio/yam: fix info leak in ioctl (bnc#858872,     CVE-2014-1446).

  - wanxl: fix info leak in ioctl (bnc#858870,     CVE-2014-1445).

  - farsync: fix info leak in ioctl (bnc#858869,     CVE-2014-1444).

  - ARM: 7809/1: perf: fix event validation for software     group leaders (CVE-2013-4254, bnc#837111).

  - netfilter: nf_conntrack_dccp: fix skb_header_pointer API     usages (bnc#868653, CVE-2014-2523).

  - ath9k_htc: properly set MAC address and BSSID mask     (bnc#851426, CVE-2013-4579).

  - drm/ttm: don't oops if no invalidate_caches()     (bnc#869414).

  - Apply missing     patches.fixes/drm-nouveau-hwmon-rename-fan0-to-fan1.patc     h

  - xfs: growfs: use uncached buffers for new headers     (bnc#858233).

  - xfs: use btree block initialisation functions in growfs     (bnc#858233).

  - Revert 'Delete     patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond
    -the-filesystem-end.' (bnc#858233) Put back again the     patch     patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond
    -the-filesystem-end back as there is a better fix than     reverting the affecting patch.

  - Delete     patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond
    -the-filesystem-end. It turned out that this patch     causes regressions (bnc#858233) The upstream 3.7.x also     reverted it in the end (commit c3793e0d94af2).

  - tcp: syncookies: reduce cookie lifetime to 128 seconds     (bnc#833968).

  - tcp: syncookies: reduce mss table to four values     (bnc#833968).

  - x86, cpu, amd: Add workaround for family 16h, erratum     793 (bnc#852967 CVE-2013-6885).

  - cifs: ensure that uncached writes handle unmapped areas     correctly (bnc#864025 CVE-2014-0691).

  - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround     (bnc#858638 CVE-2014-1438).

  - xencons: generalize use of add_preferred_console()     (bnc#733022, bnc#852652).

  - balloon: don't crash in HVM-with-PoD guests.

  - hwmon: (coretemp) Fix truncated name of alarm     attributes.

  - NFS: Avoid PUTROOTFH when managing leases (bnc#811746).

  - cifs: delay super block destruction until all     cifsFileInfo objects are gone (bnc#862145).

This Linux kernel security update fixes various security issues and bugs.

The Linux Kernel was updated to fix various security issues and bugs.

Main security issues fixed :

A security issue in the tty layer that was fixed that could be used by local attackers for code execution (CVE-2014-0196).

Two security issues in the floppy driver were fixed that could be used by local attackers on machines with the floppy to crash the kernel or potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738).

Other security issues and bugfixes :

  - netfilter: nf_nat: fix access to uninitialized buffer in     IRC NAT helper (bnc#860835 CVE-2014-1690).

  - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer     is AUTH (bnc#866102, CVE-2014-0101).

  - [media] ivtv: Fix Oops when no firmware is loaded     (bnc#875440).

  - ALSA: hda - Add dock pin setups for Thinkpad T440     (bnc#876699).

  - ip6tnl: fix double free of fb_tnl_dev on exit     (bnc#876531).

  - Update arm config files: Enable all USB-to-serial     drivers Specifically, enable USB_SERIAL_WISHBONE and     USB_SERIAL_QT2 on all arm flavors.

  - mei: limit the number of consecutive resets     (bnc#821619,bnc#852656).

  - mei: revamp mei reset state machine     (bnc#821619,bnc#852656).

  - mei: use hbm idle state to prevent spurious resets     (bnc#821619).

  - mei: do not run reset flow from the interrupt thread     (bnc#821619,bnc#852656).

  - mei: don't get stuck in select during reset     (bnc#821619).

  - mei: wake also writers on reset (bnc#821619).

  - mei: remove flash_work_queue (bnc#821619,bnc#852656).

  - mei: me: do not load the driver if the FW doesn't     support MEI interface (bnc#821619).

  - Update ec2 config files: Disable CONFIG_CAN CAN support     is disabled everywhere else, so disable it in ec2 too.

  - Refresh Xen patches (bnc#851244).

  - Update arm/exynos config file: disable AHCI_IMX This     driver is only used on Freescale i.MX systems so it     isn't needed on Exynos.

  - drm: Prefer noninterlace cmdline mode unless explicitly     specified (bnc#853350).

  - kabi/severities: add exception for irda. The changes     resulted in a 4x performance increase. Any external     users of this API will also want to rebuild their     modules.

  - i7core_edac: Fix PCI device reference count.

  - KABI: revert tcp: TSO packets automatic sizing.

  - KABI: revert tcp: TSQ can use a dynamic limit.

  - kabi: add exceptions for kvm and l2tp

  -     patches.fixes/sunrpc-add-an-info-file-for-the-dummy-gssd
    -pipe.patch: Move include of utsname.h to where it's     needed to avoid kABI breakage due to utsname becoming     defined.

  - Update kabi files. The kABI references were never     establishd at release.

  - Refresh patches.rpmify/chipidea-clean-up-dependencies     Replace OF_DEVICE by OF (OF_DEVICE does not exist     anymore.)

  - inet: fix addr_len/msg->msg_namelen assignment in     recv_error and rxpmtu functions (bnc#857643     CVE-2013-7263 CVE-2013-7264 CVE-2013-7265).

  - inet: prevent leakage of uninitialized memory to user in     recv syscalls (bnc#857643 CVE-2013-7263 CVE-2013-7264     CVE-2013-7265 CVE-2013-7281).

  - Update config files: re-enable twofish crypto support     Software twofish crypto support was disabled in several     architectures since openSUSE 10.3. For i386 and x86_64     it was on purpose, because hardware-accelerated     alternatives exist. However for all other architectures     it was by accident. Re-enable software twofish crypto     support in arm, ia64 and ppc configuration files, to     guarantee that at least one implementation is always     available (bnc#871325).

  - kvm: optimize away THP checks in kvm_is_mmio_pfn()     (bnc#871160).

  - Update patches.fixes/mm-close-PageTail-race.patch     (bnc#871160).

  - Update     patches.fixes/mm-hugetlbfs-fix-hugetlbfs-optimization.pa     tch (bnc#871160).

  - mm: close PageTail race (bnc#81660).

  - mm: hugetlbfs: fix hugetlbfs optimization (bnc#81660).

  - Update config files: disable CONFIG_TOUCHSCREEN_W90X900     The w90p910_ts driver only makes sense on the W90x900     architecture, which we do not support.

  - ath9k: protect tid->sched check     (bnc#871148,CVE-2014-2672).

  - Update ec2 config files: disable CONFIG_INPUT_FF_MEMLESS     This helper module is useless on EC2.

  - SELinux: Fix kernel BUG on empty security contexts     (bnc#863335,CVE-2014-1874).

  - hamradio/yam: fix info leak in ioctl     (bnc#858872,CVE-2014-1446).

  - netfilter: nf_conntrack_dccp: fix skb_header_pointer API     usages (bnc#868653 CVE-2014-2523).

  - ath9k_htc: properly set MAC address and BSSID mask     (bnc#851426,CVE-2013-4579).

  - drm/ttm: don't oops if no invalidate_caches()     (bnc#869414).

  - Btrfs: do not bug_on if we try to cow a free space cache     inode (bnc#863235).

  - Update vanilla config files: enable console rotation     It's enabled in all other kernel flavors so it should be     enabled in vanilla too.

  - Update config files. (CONFIG_EFIVAR_FS=m) Due to systemd     can auto-load efivarfs.ko, so wet CONFIG_EFIVAR_FS to     module on x86_64.

  - libata, freezer: avoid block device removal while system     is frozen (bnc#849334).

  - Enable CONFIG_IRDA_FAST_RR=y (bnc#860502)

  - [media] bttv: don't setup the controls if there are no     video devices (bnc#861750).

  - drm/i915/dp: add native aux defer retry limit     (bnc#867718).

  - drm/i915/dp: increase native aux defer retry timeout     (bnc#867718).

  - rpc_pipe: fix cleanup of dummy gssd directory when     notification fails (bnc#862746).

  - sunrpc: add an 'info' file for the dummy gssd pipe     (bnc#862746).

  - rpc_pipe: remove the clntXX dir if creating the pipe     fails (bnc#862746).

  - Delete rpm/_constraints after mismerge

Sat Mar 8 00:41:07 CET 2014 - jbohac@suse.cz

  - Refresh     patches.fixes/tcp-syncookies-reduce-cookie-lifetime-to-1     28-seconds.patch.

  - tcp: syncookies: reduce cookie lifetime to 128 seconds     (bnc#833968).

  - tcp: syncookies: reduce mss table to four values     (bnc#833968).

  - rpm/mkspec: Generate a per-architecture per-package
    _constraints file

  - rpm/mkspec: Remove dead code

  - Refresh     patches.fixes/rtc-cmos-add-an-alarm-disable-quirk.patch.

  - rtc-cmos: Add an alarm disable quirk (bnc#812592).

  - Refresh patches.xen/xen-x86-EFI.

  - Refresh     patches.apparmor/apparmor-compatibility-patch-for-v5-net     work-control.
    patches.drivers/pstore_disable_efi_backend_by_default.pa     tch. patches.fixes/dm-table-switch-to-readonly.
    patches.fixes/kvm-ioapic.patch.
    patches.fixes/kvm-macos.patch.
    patches.fixes/remount-no-shrink-dcache.
    patches.fixes/scsi-dh-queuedata-accessors.
    patches.suse/0001-vfs-Hooks-for-more-fine-grained-direct     ory-permission.patch.
    patches.suse/ovl01-vfs-add-i_op-dentry_open.patch.
    patches.suse/sd_init.mark_majors_busy.patch.

  - rpm/mkspec: Fix whitespace in NoSource lines

  - rpm/kernel-binary.spec.in: Do not zero modules.dep     before using it (bnc#866075)

  - rpm/kernel-obs-build.spec: Drop useless ExclusiveArch     statement

  - Update config files. Set CONFIG_EFIVAR_FS to build-in     for MOK support Update config files. Set     CONFIG_EFIVAR_FS to build-in for MOK support

  - nfs: always make sure page is up-to-date before     extending a write to cover the entire page (bnc#864867     bnc#865075).

  - x86, cpu, amd: Add workaround for family 16h, erratum     793 (bnc#852967 CVE-2013-6885).

  - Refresh patches.xen/xen3-patch-3.10.

  - cifs: ensure that uncached writes handle unmapped areas     correctly (bnc#864025 CVE-2014-0069).

  - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround     (bnc#858638 CVE-2014-1438).

  - rpm/kernel-obs-build.spec: Do not mount /sys, the build     script does it

  - Update config files: Disable TS5500-specific drivers     These drivers are useless without TS5500 board support:
    mtd-ts5500, gpio-ts5500 and max197.

  - balloon: don't crash in HVM-with-PoD guests.

  - usbback: fix after c/s 1232:8806dfb939d4 (bnc#842553).

  - hwmon: (coretemp) Fix truncated name of alarm     attributes.

  - rpm/kernel-obs-build.spec: Fix for ppc64le

  - Scripts: .nosrc.rpm should contain only the specfile     (bnc #639379)

  - config: update arm7hl/exynos

  - Enhances exynos support :

  - Add USB support

  - Add sound support

  - Add devices (accelerometer, etc.) on arndale board

  - drm/cirrus: Fix cirrus drm driver for fbdev + qemu     (bnc#856760).

  - Spec: zeroing modules.dep to get identical builds among     different machines

  - doc/README.SUSE: Update to match the current package     layout

  - Add the README.SUSE file to the packaging branch

  - lockd: send correct lock when granting a delayed lock     (bnc#859342).

  - mm/page-writeback.c: do not count anon pages as     dirtyable memory (reclaim stalls).

  - mm/page-writeback.c: fix dirty_balance_reserve     subtraction from dirtyable memory (reclaim stalls).

Stephan Mueller reported an error in the Linux kernel's ansi cprng random number generator. This flaw makes it easier for a local attacker to break cryptographic protections. (CVE-2013-4345)

Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local user with CAP_SYS_ADMIN could exploit these flaw to cause a denial of service (memory corruption) or possibly other unspecified issues.
(CVE-2013-6382)

An information leak was discovered in the Linux kernel when built with the NetFilter Connection Tracking (NF_CONNTRACK) support for IRC protocol (NF_NAT_IRC). A remote attacker could exploit this flaw to obtain potentially sensitive kernel information when communicating over a client- to-client IRC connection(/dcc) via a NAT-ed network.
(CVE-2014-1690).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information leak was discovered in the Linux kernel when built with the NetFilter Connection Tracking (NF_CONNTRACK) support for IRC protocol (NF_NAT_IRC). A remote attacker could exploit this flaw to obtain potentially sensitive kernel information when communicating over a client- to-client IRC connection(/dcc) via a NAT-ed network.
(CVE-2014-1690)

Matthew Thode reported a denial of service vulnerability in the Linux kernel when SELinux support is enabled. A local user with the CAP_MAC_ADMIN capability (and the SELinux mac_admin permission if running in enforcing mode) could exploit this flaw to cause a denial of service (kernel crash). (CVE-2014-1874)

An information leak was discovered in the Linux kernel's NFS filesystem. A local users with write access to an NFS share could exploit this flaw to obtain potential sensative information from kernel memory. (CVE-2014-2038).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127146	NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)	Nessus	NewStart CGSL Local Security Checks	critical
124803	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1479)	Nessus	Huawei Local Security Checks	critical
124798	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1474)	Nessus	Huawei Local Security Checks	high
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
77355	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2014-3070)	Nessus	Oracle Linux Local Security Checks	high
76674	RHEL 6 : MRG (RHSA-2014:0439)	Nessus	Red Hat Local Security Checks	critical
75364	openSUSE Security Update : kernel (openSUSE-SU-2014:0677-1)	Nessus	SuSE Local Security Checks	critical
75363	openSUSE Security Update : kernel (openSUSE-SU-2014:0678-1)	Nessus	SuSE Local Security Checks	critical
73288	Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2158-1)	Nessus	Ubuntu Local Security Checks	medium
72902	Ubuntu 13.10 : linux vulnerabilities (USN-2140-1)	Nessus	Ubuntu Local Security Checks	medium
72900	Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2137-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2014-1690

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins