http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=256df2f3879efdb2e9808bdb1b54b16fbb11fa38

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.36

69721

https://bugzilla.redhat.com/show_bug.cgi?id=1114540

https://github.com/torvalds/linux/commit/256df2f3879efdb2e9808bdb1b54b16fbb11fa38

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3096 advisory.

  - The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically     proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides     a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c. (CVE-2014-3184)

  - The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that     namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by     first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership     of root. (CVE-2014-4014)

  - The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6     does not initialize a certain data structure, which allows local users to obtain sensitive information     from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
    (CVE-2014-1739)

  - mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range     notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by     using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity     by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.
    (CVE-2014-4171)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An updated rhev-hypervisor6 package that fixes three security issues and one bug is now available.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface. (CVE-2014-3535)

Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223)

Red Hat would like to thank NSA for reporting CVE-2014-0222 and CVE-2014-0223.

This update also fixes the following bug :

* Previously, an updated version of Qlogic firmware was not supported in the Red Hat Enterprise Virtualization Hypervisor 6.5 image and an error message returned when users were using a newer version of Qlogic firmware. This update includes the latest Qlogic firmware package in the Red Hat Enterprise Virtualization Hypervisor 6.5 image so no firmware errors are returned. (BZ#1135780)

This updated package also provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2012-6647, CVE-2013-7339, CVE-2014-2672, CVE-2014-2678, CVE-2014-2706, CVE-2014-2851, CVE-2014-3144, CVE-2014-3145, CVE-2014-0205, CVE-2014-3917, and CVE-2014-4667 (kernel issues)

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3086 advisory.

  - include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and     its related logging implementation, which allows remote attackers to cause a denial of service (NULL     pointer dereference and system crash) by sending invalid packets to a VxLAN interface. (CVE-2014-3535)

  - Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the     Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by     leveraging incorrect PIT emulation. (CVE-2014-3611)

  - Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in     the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to     execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted     device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.
    (CVE-2014-3185)

  - Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c     in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to     cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that     provides a large amount of (1) EHCI or (2) XHCI data associated with an event. (CVE-2014-3181)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3081 advisory.

  - include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and     its related logging implementation, which allows remote attackers to cause a denial of service (NULL     pointer dereference and system crash) by sending invalid packets to a VxLAN interface. (CVE-2014-3535)

  - sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure     possession of a read/write lock, which allows local users to cause a denial of service (use-after-free)     and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
    (CVE-2014-4653)

  - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux     kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows     local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by     leveraging /dev/snd/controlCX access for an ioctl call. (CVE-2014-4654)

  - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux     kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to     cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for     a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (CVE-2014-4655)

  - The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP     authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference     and OOPS) by starting to establish an association between two endpoints immediately after an exchange of     INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite     direction. (CVE-2014-5077)

  - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the     number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a     denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a     large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn     value that leads to permanently pinned pages. (CVE-2014-3601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait().
A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
(CVE-2014-0205, Important)

* A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface. (CVE-2014-3535, Important)

* An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
(CVE-2014-3917, Moderate)

* An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.
(CVE-2014-4667, Moderate)

Red Hat would like to thank Gopal Reddy Kodudula of Nokia Siemens Networks for reporting CVE-2014-4667. The security impact of the CVE-2014-0205 issue was discovered by Mateusz Guzik of Red Hat.

This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

* A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait().
A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation.
(CVE-2014-0205, Important)

* A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface. (CVE-2014-3535, Important)

* An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.
(CVE-2014-3917, Moderate)

* An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.
(CVE-2014-4667, Moderate)

The system must be rebooted for this update to take effect.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-1167 advisory.

  - The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not     properly manage a certain backlog value, which allows remote attackers to cause a denial of service     (socket outage) via a crafted SCTP packet. (CVE-2014-4667)

  - kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain     syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or     cause a denial of service (OOPS) via a large value of a syscall number. (CVE-2014-3917)

  - The futex_wait function in kernel/futex.c in the Linux kernel before 2.6.37 does not properly maintain a     certain reference count during requeue operations, which allows local users to cause a denial of service     (use-after-free and system crash) or possibly gain privileges via a crafted application that triggers a     zero count. (CVE-2014-0205)

  - include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and     its related logging implementation, which allows remote attackers to cause a denial of service (NULL     pointer dereference and system crash) by sending invalid packets to a VxLAN interface. (CVE-2014-3535)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
79735	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2014-3096)	Nessus	Oracle Linux Local Security Checks	high
79048	RHEL 6 : rhev-hypervisor6 (RHSA-2014:1168)	Nessus	Red Hat Local Security Checks	high
78839	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3086)	Nessus	Oracle Linux Local Security Checks	medium
78578	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2014-3081)	Nessus	Oracle Linux Local Security Checks	high
77626	RHEL 6 : kernel (RHSA-2014:1167)	Nessus	Red Hat Local Security Checks	high
77598	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20140909)	Nessus	Scientific Linux Local Security Checks	high
77597	Oracle Linux 6 : kernel (ELSA-2014-1167)	Nessus	Oracle Linux Local Security Checks	high
77584	CentOS 6 : kernel (CESA-2014:1167)	Nessus	CentOS Local Security Checks	high

CVE-2014-3535

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

medium

high

high

high

high

high