http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=338f977f4eb441e69bb9a46eaa0ac715c931a67f

SUSE-SU-2015:0481

openSUSE-SU-2015:0566

SUSE-SU-2015:0652

RHSA-2015:0290

RHSA-2015:1272

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.5

[oss-security] 20141109 Re: CVE Request: Linux kernel mac80211 plain text leak

70965

1037968

linux-kernel-cve20148709-info-disclsoure(98922)

https://github.com/torvalds/linux/commit/338f977f4eb441e69bb9a46eaa0ac715c931a67f

https://source.android.com/security/bulletin/2017-03-01.html

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's eCryptfs implementation decoded encrypted file names. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-9683, Moderate)

* A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. (CVE-2014-3184, Low)

* An information leak flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled access of the user control's state. A local, privileged user could use this flaw to leak kernel memory to user space. (CVE-2014-4652, Low)

* It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses. (CVE-2014-8133, Low)

* An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Scientific Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

The system must be rebooted for this update to take effect.

The remote Oracle Linux host is missing a security update for one or more kernel-related packages.

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 6. This is the seventh regular update.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's eCryptfs implementation decoded encrypted file names. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-9683, Moderate)

* A race condition flaw was found between the chown and execve system calls. When changing the owner of a setuid user binary to root, the race condition could momentarily make the binary setuid root. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. (CVE-2014-3184, Low)

* An information leak flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled access of the user control's state. A local, privileged user could use this flaw to leak kernel memory to user space. (CVE-2014-4652, Low)

* It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses. (CVE-2014-8133, Low)

* An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor.
(CVE-2015-0239, Low)

Red Hat would like to thank Andy Lutomirski for reporting the CVE-2014-8133 issue, and Nadav Amit for reporting the CVE-2015-0239 issue.

This update fixes several hundred bugs and adds numerous enhancements.
Refer to the Red Hat Enterprise Linux 6.7 Release Notes for information on the most significant of these changes, and the following Knowledgebase article for further information :

https://access.redhat.com/articles/1466073

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

The SUSE Linux Enterprise 11 Service Pack 1 LTSS kernel was updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2013-4299: Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allowed remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block device (bnc#846404).

  - CVE-2014-8160: SCTP firewalling failed until the SCTP     module was loaded (bnc#913059).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel through 3.18.1 did     not restrict the number of Rock Ridge continuation     entries, which allowed local users to cause a denial of     service (infinite loop, and system crash or hang) via a     crafted iso9660 image (bnc#911325).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2010-5313: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 2.6.38 allowed L2 guest OS users     to cause a denial of service (L1 guest OS crash) via a     crafted instruction that triggers an L2 emulation     failure report, a similar issue to CVE-2014-7842     (bnc#907822).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updated     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2012-6657: The sock_setsockopt function in     net/core/sock.c in the Linux kernel before 3.5.7 did not     ensure that a keepalive action is associated with a     stream socket, which allowed local users to cause a     denial of service (system crash) by leveraging the     ability to create a raw socket (bnc#896779).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might allow     physically proximate attackers to cause a denial of     service (out-of-bounds write) via a crafted device that     provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel has been updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2012-4398: The __request_module function in     kernel/kmod.c in the Linux kernel before 3.4 did not set     a certain killable attribute, which allowed local users     to cause a denial of service (memory consumption) via a     crafted application (bnc#779488).

  - CVE-2013-2893: The Human Interface Device (HID)     subsystem in the Linux kernel through 3.11, when     CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or     CONFIG_LOGIWHEELS_FF is enabled, allowed physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted device,     related to (1) drivers/hid/hid-lgff.c, (2)     drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c     (bnc#835839).

  - CVE-2013-2897: Multiple array index errors in     drivers/hid/hid-multitouch.c in the Human Interface     Device (HID) subsystem in the Linux kernel through 3.11,     when CONFIG_HID_MULTITOUCH is enabled, allowed     physically proximate attackers to cause a denial of     service (heap memory corruption, or NULL pointer     dereference and OOPS) via a crafted device (bnc#835839).

  - CVE-2013-2899: drivers/hid/hid-picolcd_core.c in the     Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_HID_PICOLCD is enabled,     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and OOPS) via a     crafted device (bnc#835839).

  - CVE-2013-2929: The Linux kernel before 3.12.2 did not     properly use the get_dumpable function, which allowed     local users to bypass intended ptrace restrictions or     obtain sensitive information from IA64 scratch registers     via a crafted application, related to kernel/ptrace.c     and arch/ia64/include/asm/processor.h (bnc#847652).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updates     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2014-0131: Use-after-free vulnerability in the     skb_segment function in net/core/skbuff.c in the Linux     kernel through 3.13.6 allowed attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation     (bnc#867723).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2014-2309: The ip6_route_add function in     net/ipv6/route.c in the Linux kernel through 3.13.6 did     not properly count the addition of routes, which allowed     remote attackers to cause a denial of service (memory     consumption) via a flood of ICMPv6 Router Advertisement     packets (bnc#867531).

  - CVE-2014-3181: Multiple stack-based buffer overflows in     the magicmouse_raw_event function in     drivers/hid/hid-magicmouse.c in the Magic Mouse HID     driver in the Linux kernel through 3.16.3 allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that provides a large amount     of (1) EHCI or (2) XHCI data associated with an event     (bnc#896382).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might have     allowed physically proximate attackers to cause a denial     of service (out-of-bounds write) via a crafted device     that provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3186: Buffer overflow in the picolcd_raw_event     function in devices/hid/hid-picolcd_core.c in the     PicoLCD HID device driver in the Linux kernel through     3.16.3, as used in Android on Nexus 7 devices, allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that sends a large report     (bnc#896392).

  - CVE-2014-3601: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.16.1     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to (1)     cause a denial of service (host OS memory corruption) or     possibly have unspecified other impact by triggering a     large gfn value or (2) cause a denial of service (host     OS memory consumption) by triggering a small gfn value     that leads to permanently pinned pages (bnc#892782).

  - CVE-2014-3610: The WRMSR processing functionality in the     KVM subsystem in the Linux kernel through 3.17.2 did not     properly handle the writing of a non-canonical address     to a model-specific register, which allowed guest OS     users to cause a denial of service (host OS crash) by     leveraging guest OS privileges, related to the     wrmsr_interception function in arch/x86/kvm/svm.c and     the handle_wrmsr function in arch/x86/kvm/vmx.c     (bnc#899192).

  - CVE-2014-3646: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel through 3.17.2 did not have an exit     handler for the INVVPID instruction, which allowed guest     OS users to cause a denial of service (guest OS crash)     via a crafted application (bnc#899192).

  - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM     subsystem in the Linux kernel through 3.17.2 did not     properly perform RIP changes, which allowed guest OS     users to cause a denial of service (guest OS crash) via     a crafted application (bnc#899192).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3690: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel before 3.17.2 on Intel processors     did not ensure that the value in the CR4 control     register remains the same after a VM entry, which     allowed host OS users to kill arbitrary processes or     cause a denial of service (system disruption) by     leveraging /dev/kvm access, as demonstrated by     PR_SET_TSC prctl calls within a modified copy of QEMU     (bnc#902232).

  - CVE-2014-4608: Multiple integer overflows in the     lzo1x_decompress_safe function in     lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor     in the Linux kernel before 3.15.2 allowed     context-dependent attackers to cause a denial of service     (memory corruption) via a crafted Literal Run     (bnc#883948).

  - CVE-2014-4943: The PPPoL2TP feature in     net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6     allowed local users to gain privileges by leveraging     data-structure differences between an l2tp socket and an     inet socket (bnc#887082).

  - CVE-2014-5471: Stack consumption vulnerability in the     parse_rock_ridge_inode_internal function in     fs/isofs/rock.c in the Linux kernel through 3.16.1     allowed local users to cause a denial of service     (uncontrolled recursion, and system crash or reboot) via     a crafted iso9660 image with a CL entry referring to a     directory entry that has a CL entry (bnc#892490).

  - CVE-2014-5472: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel through     3.16.1 allowed local users to cause a denial of service     (unkillable mount process) via a crafted iso9660 image     with a self-referential CL entry (bnc#892490).

  - CVE-2014-7826: kernel/trace/trace_syscalls.c in the     Linux kernel through 3.17.2 did not properly handle     private syscall numbers during use of the ftrace     subsystem, which allowed local users to gain privileges     or cause a denial of service (invalid pointer     dereference) via a crafted application (bnc#904013).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel through 3.18     uses an improper paravirt_enabled setting for KVM guest     kernels, which made it easier for guest OS users to     bypass the ASLR protection mechanism via a crafted     application that reads a 16-bit value (bnc#909078).

  - CVE-2014-8369: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.17.2     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to cause     a denial of service (host OS page unpinning) or possibly     have unspecified other impact by leveraging guest OS     privileges. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2014-3601 (bnc#902675).

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through 3.17.2 did not properly maintain     the semantics of rename_lock, which allowed local users     to cause a denial of service (deadlock and system hang)     via a crafted application (bnc#903640).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

* A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system. (CVE-2015-0274, Important)

* It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause denial of service on the system.
(CVE-2014-3690, Moderate)

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's perf subsystem. A local, unprivileged user could use this flaw to crash the system.
(CVE-2014-7825, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's ftrace subsystem. On a system with ftrace syscall tracing enabled, a local, unprivileged user could use this flaw to crash the system, or escalate their privileges.
(CVE-2014-7826, Moderate)

* A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)

* A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system.
(CVE-2014-8160, Moderate)

* It was found that due to excessive files_lock locking, a soft lockup could be triggered in the Linux kernel when performing asynchronous I/O operations. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8172, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8173, Moderate)

* An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low)

* A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge DEC USB device driver. A local user with write access to the corresponding device could use this flaw to crash the kernel or, potentially, elevate their privileges on the system.
(CVE-2014-8884, Low)

* Users of kernel modules may need to upgrade the module to maintain compatibility.

The system must be rebooted for this update to take effect.

Non-maintainer upload by the Squeeze LTS and Kernel Teams.

New upstream stable release 2.6.32.65, see http://lkml.org/lkml/2014/12/13/81 for more information.

The stable release 2.6.32.65 includes the following new commits compared to the previous 2.6.32-48squeeze9 package :

  - USB: whiteheat: Added bounds checking for bulk command     response (CVE-2014-3185)

  - net: sctp: fix panic on duplicate ASCONF chunks     (CVE-2014-3687)

  - net: sctp: fix remote memory pressure from excessive     queueing (CVE-2014-3688)

  - udf: Avoid infinite loop when processing indirect ICBs     (CVE-2014-6410)

  - net: sctp: fix NULL pointer dereference in     af->from_addr_param on malformed packet (CVE-2014-7841)

  - mac80211: fix fragmentation code, particularly for     encryption (CVE-2014-8709)

  - ttusb-dec: buffer overflow in ioctl (CVE-2014-8884)

We recommend that you upgrade your linux-2.6 packages.

We apologize for a minor cosmetic glitch :

The following commits were already included in 2.6.32-48squeeze9 despite claims in debian/changelog they were only fixed in 2.6.32-48squeez10 :

  - vlan: Don't propagate flag changes on down interfaces.

  - sctp: Fix double-free introduced by bad backport in     2.6.32.62

  - md/raid6: Fix misapplied backport in 2.6.32.64

  - block: add missing blk_queue_dead() checks

  - block: Fix blk_execute_rq_nowait() dead queue handling

  - proc connector: Delete spurious memset in     proc_exit_connector()

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the first regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system. (CVE-2015-0274, Important)

* It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause denial of service on the system.
(CVE-2014-3690, Moderate)

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's perf subsystem. A local, unprivileged user could use this flaw to crash the system.
(CVE-2014-7825, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's ftrace subsystem. On a system with ftrace syscall tracing enabled, a local, unprivileged user could use this flaw to crash the system, or escalate their privileges.
(CVE-2014-7826, Moderate)

* A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)

* A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system.
(CVE-2014-8160, Moderate)

* It was found that due to excessive files_lock locking, a soft lockup could be triggered in the Linux kernel when performing asynchronous I/O operations. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8172, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8173, Moderate)

* An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low)

* A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge DEC USB device driver. A local user with write access to the corresponding device could use this flaw to crash the kernel or, potentially, elevate their privileges on the system.
(CVE-2014-8884, Low)

Red Hat would like to thank Eric Windisch of the Docker project for reporting CVE-2015-0274, Andy Lutomirski for reporting CVE-2014-3690, and Robert Święcki for reporting CVE-2014-7825 and CVE-2014-7826.

This update also fixes several hundred bugs and adds numerous enhancements. Refer to the Red Hat Enterprise Linux 7.1 Release Notes for information on the most significant of these changes, and the following Knowledgebase article for further information:
https://access.redhat.com/articles/1352803

All Red Hat Enterprise Linux 7 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Description of changes:

kernel-uek [2.6.32-400.37.2.el6uek]
- netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal)  [Orabug: 20679631]  {CVE-2014-8160}
- mac80211: fix fragmentation code, particularly for encryption (Johannes Berg)  [Orabug: 20673314]  {CVE-2014-8709}
- tracing/syscalls: Ignore numbers outside NR_syscalls' range (Rabin Vincent)  [Orabug: 20673165]  {CVE-2014-7825} {CVE-2014-7826}
- tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 (Will Deacon)  [Orabug: 20673165]  {CVE-2014-7825} {CVE-2014-7826}

Description of changes:

[2.6.39-400.248.3.el6uek]
- kvm: fix excessive pages un-pinning in kvm_iommu_map error path. (Quentin Casasnovas)  [Orabug: 20687314]  {CVE-2014-3601} {CVE-2014-8369} {CVE-2014-3601}
- Revert 'mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support' (Guangyu Sun)  [Orabug: 20673281]  {CVE-2014-8173}

[2.6.39-400.248.2.el6uek]
- netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal)  [Orabug: 20679630]  {CVE-2014-8160}
- mac80211: fix fragmentation code, particularly for encryption (Johannes Berg)  [Orabug: 20673313]  {CVE-2014-8709}
- mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support (Kirill A. Shutemov)  [Orabug: 20673282]  {CVE-2014-8173}
- tracing/syscalls: Ignore numbers outside NR_syscalls' range (Rabin Vincent)  [Orabug: 20673164]  {CVE-2014-7825} {CVE-2014-7826}
- tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 (Will Deacon)  [Orabug: 20673164]  {CVE-2014-7825} {CVE-2014-7826}

[2.6.39-400.248.1.el6uek]
- NVMe: Disable pci before clearing queue (Keith Busch)  [Orabug: 20533100] - x86, fpu: disable eagerfpu by default (Santosh Shilimkar) [Orabug: 20521543]

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the first regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system. (CVE-2015-0274, Important)

* It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause denial of service on the system.
(CVE-2014-3690, Moderate)

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's perf subsystem. A local, unprivileged user could use this flaw to crash the system.
(CVE-2014-7825, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's ftrace subsystem. On a system with ftrace syscall tracing enabled, a local, unprivileged user could use this flaw to crash the system, or escalate their privileges.
(CVE-2014-7826, Moderate)

* A race condition flaw was found in the Linux kernel's ext4 file system implementation that allowed a local, unprivileged user to crash the system by simultaneously writing to a file and toggling the O_DIRECT flag using fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)

* A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system.
(CVE-2014-8160, Moderate)

* It was found that due to excessive files_lock locking, a soft lockup could be triggered in the Linux kernel when performing asynchronous I/O operations. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8172, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-8173, Moderate)

* An information leak flaw was found in the Linux kernel's IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext. (CVE-2014-8709, Low)

* A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge DEC USB device driver. A local user with write access to the corresponding device could use this flaw to crash the kernel or, potentially, elevate their privileges on the system.
(CVE-2014-8884, Low)

Red Hat would like to thank Eric Windisch of the Docker project for reporting CVE-2015-0274, Andy Lutomirski for reporting CVE-2014-3690, and Robert Swiecki for reporting CVE-2014-7825 and CVE-2014-7826.

This update also fixes several hundred bugs and adds numerous enhancements. Refer to the Red Hat Enterprise Linux 7.1 Release Notes for information on the most significant of these changes, and the following Knowledgebase article for further information:
https://access.redhat.com/articles/1352803

All Red Hat Enterprise Linux 7 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues.

The following security bugs have been fixed :

  - The __request_module function in kernel/kmod.c in the     Linux kernel before 3.4 did not set a certain killable     attribute, which allowed local users to cause a denial     of service (memory consumption) via a crafted     application. (bnc#779488). (CVE-2012-4398)

  - drivers/hid/hid-zpff.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_ZEROPLUS is enabled, allowed physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted device.
    (bnc#835839). (CVE-2013-2889)

  - The Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_LOGITECH_FF,     CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,     allowed physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device, related to (1) drivers/hid/hid-lgff.c,     (2) drivers/hid/hid-lg3ff.c, and (3)     drivers/hid/hid-lg4ff.c. (bnc#835839). (CVE-2013-2893)

  - Multiple array index errors in     drivers/hid/hid-multitouch.c in the Human Interface     Device (HID) subsystem in the Linux kernel through 3.11,     when CONFIG_HID_MULTITOUCH is enabled, allowed     physically proximate attackers to cause a denial of     service (heap memory corruption, or NULL pointer     dereference and OOPS) via a crafted device.
    (bnc#835839). (CVE-2013-2897)

  - drivers/hid/hid-picolcd_core.c in the Human Interface     Device (HID) subsystem in the Linux kernel through 3.11,     when CONFIG_HID_PICOLCD is enabled, allowed physically     proximate attackers to cause a denial of service (NULL     pointer dereference and OOPS) via a crafted device.
    (bnc#835839). (CVE-2013-2899)

  - The Linux kernel before 3.12.4 updates certain length     values before ensuring that associated data structures     have been initialized, which allowed local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call, related to net/ipv4/ping.c, net/ipv4/raw.c,     net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
    (bnc#853040, bnc#857643). (CVE-2013-7263)

  - Multiple stack-based buffer overflows in the     magicmouse_raw_event function in     drivers/hid/hid-magicmouse.c in the Magic Mouse HID     driver in the Linux kernel through 3.16.3 allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that provides a large amount     of (1) EHCI or (2) XHCI data associated with an event.
    (bnc#896382). (CVE-2014-3181)

  - The report_fixup functions in the HID subsystem in the     Linux kernel before 3.16.2 allowed physically proximate     attackers to cause a denial of service (out-of-bounds     write) via a crafted device that provides a small report     descriptor, related to (1) drivers/hid/hid-cherry.c, (2)     drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4)     drivers/hid/hid-monterey.c, (5)     drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c. (bnc#896390). (CVE-2014-3184)

  - Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response. (bnc#896391). (CVE-2014-3185)

  - Buffer overflow in the picolcd_raw_event function in     devices/hid/hid-picolcd_core.c in the PicoLCD HID device     driver in the Linux kernel through 3.16.3, as used in     Android on Nexus 7 devices, allowed physically proximate     attackers to cause a denial of service (system crash) or     possibly execute arbitrary code via a crafted device     that sends a large report. (bnc#896392). (CVE-2014-3186)

  - The kvm_iommu_map_pages function in virt/kvm/iommu.c in     the Linux kernel through 3.16.1 miscalculated the number     of pages during the handling of a mapping failure, which     allowed guest OS users to (1) cause a denial of service     (host OS memory corruption) or possibly have unspecified     other impact by triggering a large gfn value or (2)     cause a denial of service (host OS memory consumption)     by triggering a small gfn value that leads to     permanently pinned pages. (bnc#892782). (CVE-2014-3601)

  - The WRMSR processing functionality in the KVM subsystem     in the Linux kernel through 3.17.2 did not properly     handle the writing of a non-canonical address to a     model-specific register, which allowed guest OS users to     cause a denial of service (host OS crash) by leveraging     guest OS privileges, related to the wrmsr_interception     function in arch/x86/kvm/svm.c and the handle_wrmsr     function in arch/x86/kvm/vmx.c. (bnc#899192).
    (CVE-2014-3610)

  - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux     kernel through 3.17.2 did not have an exit handler for     the INVVPID instruction, which allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application. (bnc#899192). (CVE-2014-3646)

  - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux     kernel through 3.17.2 did not properly perform RIP     changes, which allowed guest OS users to cause a denial     of service (guest OS crash) via a crafted application.
    (bnc#899192). (CVE-2014-3647)

  - The SCTP implementation in the Linux kernel through     3.17.2 allowed remote attackers to cause a denial of     service (system crash) via a malformed ASCONF chunk,     related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c. (bnc#902346, bnc#902349).
    (CVE-2014-3673)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing is     enabled and the sep CPU feature flag is set, allowed     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000. (bnc#883724).
    (CVE-2014-4508)

  - * DISPUTED * Multiple integer overflows in the     lzo1x_decompress_safe function in     lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor     in the Linux kernel before 3.15.2 allowed     context-dependent attackers to cause a denial of service     (memory corruption) via a crafted Literal Run. NOTE: the     author of the LZO algorithms says: The Linux kernel is     not affected; media hype. (bnc#883948). (CVE-2014-4608)

  - kernel/trace/trace_syscalls.c in the Linux kernel     through 3.17.2 did not properly handle private syscall     numbers during use of the ftrace subsystem, which     allowed local users to gain privileges or cause a denial     of service (invalid pointer dereference) via a crafted     application. (bnc#904013). (CVE-2014-7826)

  - An SCTP server doing ASCONF would panic on malformed     INIT ping-of-death. (bnc#905100). (CVE-2014-7841)

  - The ieee80211_fragment function in net/mac80211/tx.c in     the Linux kernel before 3.13.5 did not properly maintain     a certain tail pointer, which allowed remote attackers     to obtain sensitive cleartext information by reading     packets. (bnc#904700). (CVE-2014-8709)

  - A local user with write access could have used this flaw     to crash the kernel or elevate privileges (bnc#905522).
    The following non-security bugs have been fixed:.
    (CVE-2014-8884)

  - Build the KOTD against the SP3 Update project

  - HID: fix kabi breakage.

  - NFS: Provide stub nfs_fscache_wait_on_invalidate() for     when CONFIG_NFS_FSCACHE=n.

  - NFS: fix inverted test for delegation in     nfs4_reclaim_open_state. (bnc#903331)

  - NFS: remove incorrect Lock reclaim failed! warning.
    (bnc#903331)

  - NFSv4: nfs4_open_done first must check that GETATTR     decoded a file type. (bnc#899574)

  - PCI: pciehp: Clear Data Link Layer State Changed during     init. (bnc#898295)

  - PCI: pciehp: Enable link state change notifications.
    (bnc#898295)

  - PCI: pciehp: Handle push button event asynchronously.
    (bnc#898295)

  - PCI: pciehp: Make check_link_active() non-static.
    (bnc#898295)

  - PCI: pciehp: Use link change notifications for hot-plug     and removal. (bnc#898295)

  - PCI: pciehp: Use per-slot workqueues to avoid deadlock.
    (bnc#898295)

  - PCI: pciehp: Use symbolic constants, not hard-coded     bitmask. (bnc#898295)

  - PM / hibernate: Iterate over set bits instead of PFNs in     swsusp_free(). (bnc#860441)

  - be2net: Fix invocation of be_close() after be_clear().
    (bnc#895468)

  - block: Fix bogus partition statistics reports.
    (bnc#885077 / bnc#891211)

  - block: Fix computation of merged request priority.

  - btrfs: Fix wrong device size when we are resizing the     device.

  - btrfs: Return right extent when fiemap gives unaligned     offset and len.

  - btrfs: abtract out range locking in clone ioctl().

  - btrfs: always choose work from prio_head first.

  - btrfs: balance delayed inode updates.

  - btrfs: cache extent states in defrag code path.

  - btrfs: check file extent type before anything else.
    (bnc#897694)

  - btrfs: clone, do not create invalid hole extent map.

  - btrfs: correctly determine if blocks are shared in     btrfs_compare_trees.

  - btrfs: do not bug_on if we try to cow a free space cache     inode.

  - btrfs: ensure btrfs_prev_leaf does not miss 1 item.

  - btrfs: ensure readers see new data after a clone     operation.

  - btrfs: fill_holes: Fix slot number passed to     hole_mergeable() call.

  - btrfs: filter invalid arg for btrfs resize.

  - btrfs: fix EINVAL checks in btrfs_clone.

  - btrfs: fix EIO on reading file after ioctl clone works     on it.

  - btrfs: fix a crash of clone with inline extents split.

  - btrfs: fix crash of compressed writes. (bnc#898375)

  - btrfs: fix crash when starting transaction.

  - btrfs: fix deadlock with nested trans handles.

  - btrfs: fix hang on error (such as ENOSPC) when writing     extent pages.

  - btrfs: fix leaf corruption after __btrfs_drop_extents.

  - btrfs: fix race between balance recovery and root     deletion.

  - btrfs: fix wrong extent mapping for DirectIO.

  - btrfs: handle a missing extent for the first file     extent.

  - btrfs: limit delalloc pages outside of     find_delalloc_range. (bnc#898375)

  - btrfs: read lock extent buffer while walking backrefs.

  - btrfs: remove unused wait queue in struct extent_buffer.

  - btrfs: replace EINVAL with ERANGE for resize when     ULLONG_MAX.

  - btrfs: replace error code from btrfs_drop_extents.

  - btrfs: unlock extent and pages on error in     cow_file_range.

  - btrfs: unlock inodes in correct order in clone ioctl.

  - btrfs_ioctl_clone: Move clone code into its own     function.

  - cifs: delay super block destruction until all     cifsFileInfo objects are gone. (bnc#903653)

  - drm/i915: Flush the PTEs after updating them before     suspend. (bnc#901638)

  - drm/i915: Undo gtt scratch pte unmapping again.
    (bnc#901638)

  - ext3: return 32/64-bit dir name hash according to usage     type. (bnc#898554)

  - ext4: return 32/64-bit dir name hash according to usage     type. (bnc#898554)

  - fix: use after free of xfs workqueues. (bnc#894895)

  - fs: add new FMODE flags: FMODE_32bithash and     FMODE_64bithash. (bnc#898554)

  - futex: Ensure get_futex_key_refs() always implies a     barrier (bnc#851603 (futex scalability series)).

  - futex: Fix a race condition between REQUEUE_PI and task     death (bnc#851603 (futex scalability series)).

  - ipv6: add support of peer address. (bnc#896415)

  - ipv6: fix a refcnt leak with peer addr. (bnc#896415)

  - megaraid_sas: Disable fastpath writes for non-RAID0.
    (bnc#897502)

  - mm: change __remove_pages() to call     release_mem_region_adjustable(). (bnc#891790)

  - netxen: Fix link event handling. (bnc#873228)

  - netxen: fix link notification order. (bnc#873228)

  - nfsd: rename int access to int may_flags in nfsd_open().
    (bnc#898554)

  - nfsd: vfs_llseek() with 32 or 64 bit offsets (hashes).
    (bnc#898554)

  - ocfs2: fix NULL pointer dereference in     ocfs2_duplicate_clusters_by_page. (bnc#899843)

  - powerpc: Add smp_mb() to arch_spin_is_locked()     (bsc#893758).

  - powerpc: Add smp_mb()s to arch_spin_unlock_wait()     (bsc#893758).

  - powerpc: Add support for the optimised lockref     implementation (bsc#893758).

  - powerpc: Implement arch_spin_is_locked() using     arch_spin_value_unlocked() (bsc#893758).

  - refresh patches.xen/xen-blkback-multi-page-ring     (bnc#897708)).

  - remove filesize checks for sync I/O journal commit.
    (bnc#800255)

  - resource: add __adjust_resource() for internal use.
    (bnc#891790)

  - resource: add release_mem_region_adjustable().
    (bnc#891790)

  - revert PM / Hibernate: Iterate over set bits instead of     PFNs in swsusp_free(). (bnc#860441)

  - rpm/mkspec: Generate specfiles according to Factory     requirements.

  - rpm/mkspec: Generate a per-architecture per-package
    _constraints file

  - sched: Fix unreleased llc_shared_mask bit during CPU     hotplug. (bnc#891368)

  - scsi_dh_alua: disable ALUA handling for non-disk     devices. (bnc#876633)

  - usb: Do not re-read descriptors for wired devices in     usb_authorize_device(). (bnc#904358)

  - usbback: Do not access request fields in shared ring     more than once.

  - usbhid: add another mouse that needs QUIRK_ALWAYS_POLL.
    (bnc#888607)

  - vfs,proc: guarantee unique inodes in /proc. (bnc#868049)

  - x86, cpu hotplug: Fix stack frame warning     incheck_irq_vectors_for_cpu_disable(). (bnc#887418)

  - x86, ioremap: Speed up check for RAM pages (Boot time     optimisations (bnc#895387)).

  - x86: Add check for number of available vectors before     CPU down. (bnc#887418)

  - x86: optimize resource lookups for ioremap (Boot time     optimisations (bnc#895387)).

  - x86: use optimized ioresource lookup in ioremap function     (Boot time optimisations (bnc#895387)).

  - xfs: Do not free EFIs before the EFDs are committed     (bsc#755743).

  - xfs: Do not reference the EFI after it is freed     (bsc#755743).

  - xfs: fix cil push sequence after log recovery     (bsc#755743).

  - zcrypt: support for extended number of ap domains     (bnc#894058, LTC#117041).

  - zcrypt: toleration of new crypto adapter hardware     (bnc#894058, LTC#117041).

The openSUSE 13.1 kernel was updated to fix security issues and bugs :

Security issues fixed: CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility signal handling was fixed, which could be used by local attackers to crash the machine or execute code.

CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.

CVE-2014-8133: Insufficient validation of TLS register usage could leak information from the kernel stack to userspace.

CVE-2014-0181: The Netlink implementation in the Linux kernel through 3.14.1 did not provide a mechanism for authorizing socket operations based on the opener of a socket, which allowed local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. (bsc#875051)

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-3688: The SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.

CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter.

CVE-2014-7975: The do_umount function in fs/namespace.c in the Linux kernel did not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allowed local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.

CVE-2014-8884: Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.

CVE-2014-3673: The SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c.

CVE-2014-3186: Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report.

CVE-2014-7841: The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel, when ASCONF is used, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.

CVE-2014-4611: Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.

CVE-2014-4608: Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run.

CVE-2014-8709: The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets.

CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.

CVE-2014-3184: The report_fixup functions in the HID subsystem in the Linux kernel might have allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.

CVE-2014-3182: Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.

CVE-2014-3181: Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.

CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.

CVE-2013-7263: The Linux kernel updated certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. This update fixes the leak of the port number when using ipv6 sockets. (bsc#853040).

CVE-2013-2898: Fixed potential kernel caller confusion via past-end-of-heap-allocation read in sensor-hub HID driver.

CVE-2013-2891: Fixed 16 byte past-end-of-heap-alloc zeroing in steelseries HID driver.

VE-2014-6410: The __udf_read_inode function in fs/udf/inode.c in the Linux kernel did not restrict the amount of ICB indirection, which allowed physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.

CVE-2014-5471: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.

CVE-2014-5472: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.

CVE-2014-0206: Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a large head value.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-5206: The do_remount function in fs/namespace.c in the Linux kernel did not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allowed local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a 'mount -o remount' command within a user namespace.

CVE-2014-5207: fs/namespace.c in the Linux kernel did not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allowed local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a 'mount -o remount' command within a user namespace.

CVE-2014-1739: The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.

CVE-2014-4943: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel allowed local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel, when SCTP authentication is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

Also the following bugs were fixed :

  - KEYS: Fix stale key registration at error path     (bnc#908163).

  - parport: parport_pc, do not remove parent devices early     (bnc#856659).

  - xfs: fix directory hash ordering bug.

  - xfs: mark all internal workqueues as freezable     (bnc#899785).

  - [media] uvc: Fix destruction order in uvc_delete()     (bnc#897736).

  - cfq-iosched: Fix wrong children_weight calculation     (bnc#893429).

  - target/rd: Refactor rd_build_device_space +     rd_release_device_space (bnc#882639).

  - Btrfs: Fix memory corruption by ulist_add_merge() on     32bit arch (bnc#887046).

  - usb: pci-quirks: Prevent Sony VAIO t-series from     switching usb ports (bnc#864375).

  - xhci: Switch only Intel Lynx Point-LP ports to EHCI on     shutdown (bnc#864375).

  - xhci: Switch Intel Lynx Point ports to EHCI on shutdown     (bnc#864375).

  - ALSA: hda - Fix broken PM due to incomplete i915     initialization (bnc#890114).

  - netbk: Don't destroy the netdev until the vif is shut     down (bnc#881008).

  - swiotlb: don't assume PA 0 is invalid (bnc#865882).

  - PM / sleep: Fix request_firmware() error at resume     (bnc#873790).

  - usbcore: don't log on consecutive debounce failures of     the same port (bnc#818966).

The openSUSE 12.3 kernel was updated to fix security issues :

This will be the final kernel update for openSUSE 13.2 during its lifetime, which ends January 4th 2015.

CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility signal handling was fixed, which could be used by local attackers to crash the machine or execute code.

CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.

CVE-2014-8133: Insufficient validation of TLS register usage could leak information from the kernel stack to userspace.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-8884: Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.

CVE-2014-3186: Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report.

CVE-2014-7841: The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel, when ASCONF is used, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.

CVE-2014-4608: Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run.

CVE-2014-8709: The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets.

CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.

CVE-2014-3184: The report_fixup functions in the HID subsystem in the Linux kernel might have allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c.

CVE-2014-3182: Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.

CVE-2014-3181: Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event.

CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.

CVE-2013-7263: The Linux kernel updated certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. This update fixes the leak of the port number when using ipv6 sockets. (bsc#853040).

CVE-2014-6410: The __udf_read_inode function in fs/udf/inode.c in the Linux kernel did not restrict the amount of ICB indirection, which allowed physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode.

CVE-2014-5471: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry.

CVE-2014-5472: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-4943: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel allowed local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.

CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel, when SCTP authentication is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2013-2888, CVE-2013-2889, CVE-2013-2890, CVE-2013-2891, CVE-2013-2892, CVE-2013-2893, CVE-2013-2894, CVE-2013-2895, CVE-2013-2896, CVE-2013-2897, CVE-2013-2898, CVE-2013-2899: Multiple issues in the Human Interface Device (HID) subsystem in the Linux kernel allowed physically proximate attackers to cause a denial of service or system crash via (heap-based out-of-bounds write) via a crafted device. (Not separately listed.)

Other bugfixes :

  - xfs: mark all internal workqueues as freezable     (bnc#899785).

  - target/rd: Refactor rd_build_device_space +     rd_release_device_space (bnc#882639)

  - Enable CONFIG_ATH9K_HTC for armv7hl/omap2plus config     (bnc#890624)

  - swiotlb: don't assume PA 0 is invalid (bnc#865882).

  - drm/i915: Apply alignment restrictions on scanout     surfaces for VT-d (bnc#818561).

  - tg3: Change nvram command timeout value to 50ms     (bnc#768714).

  - tg3: Override clock, link aware and link idle mode     during NVRAM dump (bnc#768714).

  - tg3: Set the MAC clock to the fastest speed during boot     code load (bnc#768714).

An information leak in the Linux kernel was discovered that could leak the high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine (KVM) paravirt guests. A user in the guest OS could exploit this leak to obtain information that could potentially be used to aid in attacking the kernel. (CVE-2014-8134)

A flaw in the handling of malformed ASCONF chunks by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel was discovered. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3673)

A flaw in the handling of duplicate ASCONF chunks by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel was discovered. A remote attacker could exploit this flaw to cause a denial of service (panic). (CVE-2014-3687)

It was discovered that excessive queuing by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel can cause memory pressure. A remote attacker could exploit this flaw to cause a denial of service. (CVE-2014-3688)

A NULL pointer dereference flaw was discovered in the the Linux kernel's SCTP implementation when ASCONF is used. A remote attacker could exploit this flaw to cause a denial of service (system crash) via a malformed INIT chunk. (CVE-2014-7841)

Jouni Malinen reported a flaw in the handling of fragmentation in the mac8Linux subsystem of the kernel. A remote attacker could exploit this flaw to obtain potential sensitive cleartext information by reading packets. (CVE-2014-8709)

A stack buffer overflow was discovered in the ioctl command handling for the Technotrend/Hauppauge USB DEC devices driver. A local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges. (CVE-2014-8884)

Andy Lutomirski discovered that the Linux kernel does not properly handle faults associated with the Stack Segment (SS) register on the x86 architecture. A local attacker could exploit this flaw to cause a denial of service (panic). (CVE-2014-9090).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
85198	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
85097	Oracle Linux 6 : kernel (ELSA-2015-1272)	Nessus	Oracle Linux Local Security Checks	high
85010	CentOS 6 : kernel (CESA-2015:1272)	Nessus	CentOS Local Security Checks	medium
84936	RHEL 6 : kernel (RHSA-2015:1272)	Nessus	Red Hat Local Security Checks	medium
83708	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0652-1)	Nessus	SuSE Local Security Checks	high
83696	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0481-1)	Nessus	SuSE Local Security Checks	high
82254	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
82101	Debian DLA-118-1 : linux-2.6 security update	Nessus	Debian Local Security Checks	high
81885	CentOS 7 : kernel (CESA-2015:0290)	Nessus	CentOS Local Security Checks	high
81873	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3015)	Nessus	Oracle Linux Local Security Checks	medium
81872	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3014)	Nessus	Oracle Linux Local Security Checks	high
81626	RHEL 7 : kernel (RHSA-2015:0290)	Nessus	Red Hat Local Security Checks	high
80250	SuSE 11.3 Security Update : Linux kernel (SAT Patch Number 10103)	Nessus	SuSE Local Security Checks	high
80249	SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 10037 / 10040)	Nessus	SuSE Local Security Checks	high
80152	openSUSE Security Update : the Linux Kernel (openSUSE-SU-2014:1677-1)	Nessus	SuSE Local Security Checks	high
80150	openSUSE Security Update : the Linux Kernel (openSUSE-SU-2014:1669-1)	Nessus	SuSE Local Security Checks	high
80029	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-2442-1)	Nessus	Ubuntu Local Security Checks	high
80028	Ubuntu 10.04 LTS : linux vulnerabilities (USN-2441-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2014-8709

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins