http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e237ec37ec154564f8690c5bd1795339955eeef9

SUSE-SU-2015:1224

SUSE-SU-2015:1324

openSUSE-SU-2015:1382

SUSE-SU-2015:1592

SUSE-SU-2015:1611

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.2

[oss-security] 20150602 CVE request Linux kernel: fs: udf heap overflow in __udf_adinicb_readpage

74964

https://bugzilla.redhat.com/show_bug.cgi?id=1228229

https://github.com/torvalds/linux/commit/e237ec37ec154564f8690c5bd1795339955eeef9

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size > block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - An integer overflow flaw was found in the way the Linux     kernel randomized the stack for processes on certain     64-bit architecture systems, such as x86-64, causing     the stack entropy to be reduced by four.(CVE-2015-1593)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The hid_input_field() function in     'drivers/hid/hid-core.c' in the Linux kernel before 4.6     allows physically proximate attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read) by connecting a     device.(CVE-2016-7915)

  - The Linux kernel, before version 4.14.2, is vulnerable     to a deadlock caused by     fs/ocfs2/file.c:ocfs2_setattr(), as the function does     not wait for DIO requests before locking the inode.
    This can be exploited by local users to cause a     subsequent denial of service.(CVE-2017-18204)

  - The vmw_gb_surface_define_ioctl function (accessible     via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.11.4 defines a backup_handle variable     but does not give it an initial value. If one attempts     to create a GB surface, with a previously allocated DMA     buffer to be used as a backup buffer, the backup_handle     variable does not get written to and is then later     returned to user space, allowing local users to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.(CVE-2017-9605)

  - Use-after-free vulnerability in the nfqnl_zcopy     function in net/netfilter/nfnetlink_queue_core.c in the     Linux kernel through 3.13.6 allows attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation. NOTE: the     affected code was moved to the skb_zerocopy function in     net/core/skbuff.c before the vulnerability was     announced.(CVE-2014-2568)

  - It was found that the Linux kernel's ISO file system     implementation did not correctly limit the traversal of     Rock Ridge extension Continuation Entries (CE). An     attacker with physical access to the system could use     this flaw to trigger an infinite loop in the kernel,     resulting in a denial of service.(CVE-2014-9420)

  - An integer overflow vulnerability was found in the     ring_buffer_resize() calculations in which a privileged     user can adjust the size of the ringbuffer message     size. These calculations can create an issue where the     kernel memory allocator will not allocate the correct     count of pages yet expect them to be usable. This can     lead to the ftrace() output to appear to corrupt kernel     memory and possibly be used for privileged escalation     or more likely kernel panic.(CVE-2016-9754)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - In was found that in the Linux kernel, in     vmw_surface_define_ioctl() function in     'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a     'num_sizes' parameter is assigned a user-controlled     value which is not checked if it is zero. This is used     in a call to kmalloc() and later leads to dereferencing     ZERO_SIZE_PTR, which in turn leads to a GPF and     possibly to a kernel panic.(CVE-2017-7261)

  - A race condition flaw was found in the way the Linux     kernel keys management subsystem performed key garbage     collection. A local attacker could attempt accessing a     key while it was being garbage collected, which would     cause the system to crash.(CVE-2014-9529)

  - A flaw was found in the Linux kernel's implementation     of i8042 serial ports. An attacker could cause a kernel     panic if they are able to add and remove devices as the     module is loaded.(CVE-2017-18079)

  - drivers/hid/hid-pl.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_PANTHERLORD is enabled, allows physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2892)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - A divide-by-zero vulnerability was found in a way the     kernel processes TCP connections. The error can occur     if a connection starts another cwnd reduction phase by     setting tp->prior_cwnd to the current cwnd (0) in     tcp_init_cwnd_reduction(). A remote, unauthenticated     attacker could use this flaw to crash the kernel     (denial of service).(CVE-2016-2070)

  - The adjust_branches function in kernel/bpf/verifier.c     in the Linux kernel before 4.5 does not consider the     delta in the backward-jump case, which allows local     users to obtain sensitive information from kernel     memory by creating a packet filter and then loading     crafted BPF instructions.(CVE-2016-2383)

  - System using the infiniband support module ib_srpt were     vulnerable to a denial of service by system crash by a     local attacker who is able to abort writes to a device     using this initiator.(CVE-2016-6327)

  - A security flaw was found in the Linux kernel in the     mark_source_chains() function in     'net/ipv4/netfilter/ip_tables.c'. It is possible for a     user-supplied 'ipt_entry' structure to have a large     'next_offset' field. This field is not bounds checked     prior to writing to a counter value at the supplied     offset.(CVE-2016-3134)

  - An out-of-bounds access issue was discovered in     yurex_read() in drivers/usb/misc/yurex.c in the Linux     kernel. A local attacker could use user access     read/writes with incorrect bounds checking in the yurex     USB driver to crash the kernel or potentially escalate     privileges.(CVE-2018-16276)

  - drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux     kernel before 4.5.3 allows local users to cause a     denial of service (kernel memory write operation) or     possibly have unspecified other impact via a crafted     number of planes in a VIDIOC_DQBUF ioctl     call.(CVE-2016-4568)

  - The usb_serial_console_disconnect function in     drivers/usb/serial/console.c in the Linux kernel,     before 4.13.8, allows local users to cause a denial of     service (use-after-free and system crash) or possibly     have unspecified other impact via a crafted USB device,     related to disconnection and failed     setup.(CVE-2017-16525)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4 image.
    (CVE-2018-1094)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.1 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2016-0728: A reference leak in keyring handling with     join_session_keyring() could lead to local attackers     gain root privileges. (bsc#962075).

  - CVE-2015-7550: A local user could have triggered a race     between read and revoke in keyctl (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2014-8989: The Linux kernel did not properly     restrict dropping of supplemental group memberships in     certain namespace scenarios, which allowed local users     to bypass intended file permissions by leveraging a     POSIX ACL containing an entry for the group category     that is more restrictive than the entry for the other     category, aka a 'negative groups' issue, related to     kernel/groups.c, kernel/uid16.c, and     kernel/user_namespace.c (bnc#906545).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandles IRET faults in     processing NMIs that occurred during userspace     execution, which might allow local users to gain     privileges by triggering an NMI (bnc#937969).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel through     4.2.3 did not ensure that certain slot numbers are     valid, which allowed local users to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #DB (aka Debug)     exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #AC (aka Alignment     Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key     (bnc#912202).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2015-6937 (bnc#952384     953052).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-7885: The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 did not initialize a certain structure     member, which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951627).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8767: A case can occur when sctp_accept() is     called by the user during a heartbeat timeout event     after the 4-way handshake. Since sctp_assoc_migrate()     changes both assoc->base.sk and assoc->ep, the     bh_sock_lock in sctp_generate_heartbeat_event() will be     taken with the listening socket but released with the     new association socket. The result is a deadlock on any     future attempts to take the listening socket lock.
    (bsc#961509)

  - CVE-2015-8575: Validate socket address length in     sco_sock_bind() to prevent information leak     (bsc#959399).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

The following non-security bugs were fixed :

  - ALSA: hda - Disable 64bit address for Creative HDA     controllers (bnc#814440).

  - ALSA: hda - Fix noise problems on Thinkpad T440s     (boo#958504).

  - Input: aiptek - fix crash on detecting device without     endpoints (bnc#956708).

  - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y     (boo#956934).

  - KVM: x86: update masterclock values on TSC writes     (bsc#961739).

  - NFS: Fix a NULL pointer dereference of migration     recovery ops for v4.2 client (bsc#960839).

  - apparmor: allow SYS_CAP_RESOURCE to be sufficient to     prlimit another task (bsc#921949).

  - blktap: also call blkif_disconnect() when frontend     switched to closed (bsc#952976).

  - blktap: refine mm tracking (bsc#952976).

  - cdrom: Random writing support for BD-RE media     (bnc#959568).

  - genksyms: Handle string literals with spaces in     reference files (bsc#958510).

  - ipv4: Do not increase PMTU with Datagram Too Big message     (bsc#955224).

  - ipv6: distinguish frag queues by device for multicast     and link-local packets (bsc#955422).

  - ipv6: fix tunnel error handling (bsc#952579).

  - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

  - uas: Add response iu handling (bnc#954138).

  - usbvision fix overflow of interfaces array (bnc#950998).

  - x86/evtchn: make use of PHYSDEVOP_map_pirq.

  - xen/pciback: Do not allow MSI-X ops if     PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-6252: Possible file descriptor leak for each     VHOST_SET_LOG_FDcommand issued, this could eventually     wasting available system resources and creating a denial     of service (bsc#942367).

  - CVE-2015-5707: Possible integer overflow in the     calculation of total number of pages in     bio_map_user_iov() (bsc#940338).

  - CVE-2015-5364: The (1) udp_recvmsg and (2) udpv6_recvmsg     functions in the Linux kernel before 4.0.6 do not     properly consider yielding a processor, which allowed     remote attackers to cause a denial of service (system     hang) via incorrect checksums within a UDP packet flood     (bsc#936831).

  - CVE-2015-5366: The (1) udp_recvmsg and (2) udpv6_recvmsg     functions in the Linux kernel before 4.0.6 provide     inappropriate -EAGAIN return values, which allowed     remote attackers to cause a denial of service (EPOLLET     epoll application read outage) via an incorrect checksum     in a UDP packet, a different vulnerability than     CVE-2015-5364 (bsc#936831).

  - CVE-2015-1420: Race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel through     3.19.1 allowed local users to bypass intended size     restrictions and trigger read operations on additional     memory locations by changing the handle_bytes value of a     file handle during the execution of this function     (bsc#915517).

  - CVE-2015-1805: The (1) pipe_read and (2) pipe_write     implementations in fs/pipe.c in the Linux kernel before     3.16 do not properly consider the side effects of failed
    __copy_to_user_inatomic and __copy_from_user_inatomic     calls, which allows local users to cause a denial of     service (system crash) or possibly gain privileges via a     crafted application, aka an 'I/O' vector array overrun.
    (bsc#933429)

  - CVE-2015-2150: Xen 3.3.x through 4.5.x and the Linux     kernel through 3.19.1 do not properly restrict access to     PCI command registers, which might allow local guest     users to cause a denial of service (non-maskable     interrupt and host crash) by disabling the (1) memory or     (2) I/O decoding for a PCI Express device and then     accessing the device, which triggers an Unsupported     Request (UR) response. (bsc#919463)

  - CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux     kernel before 3.19.2 does not prevent the TS_COMPAT flag     from reaching a user-mode task, which might allow local     users to bypass the seccomp or audit protection     mechanism via a crafted application that uses the (1)     fork or (2) close system call, as demonstrated by an     attack against seccomp before 3.16. (bsc#926240)

  - CVE-2015-4700: The bpf_int_jit_compile function in     arch/x86/net/bpf_jit_comp.c in the Linux kernel before     4.0.6 allowed local users to cause a denial of service     (system crash) by creating a packet filter and then     loading crafted BPF instructions that trigger late     convergence by the JIT compiler (bsc#935705).

  - CVE-2015-4167: The udf_read_inode function in     fs/udf/inode.c in the Linux kernel before 3.19.1 did not     validate certain length values, which allowed local     users to cause a denial of service (incorrect data     representation or integer overflow, and OOPS) via a     crafted UDF filesystem (bsc#933907).

  - CVE-2015-0777: drivers/xen/usbback/usbback.c in     linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support     patches for the Linux kernel 2.6.18), as used in the     Linux kernel 2.6.x and 3.x in SUSE Linux distributions,     allows guest OS users to obtain sensitive information     from uninitialized locations in host OS kernel memory     via unspecified vectors. (bsc#917830)

  - CVE-2014-9728: The UDF filesystem implementation in the     Linux kernel before 3.18.2 did not validate certain     lengths, which allowed local users to cause a denial of     service (buffer over-read and system crash) via a     crafted filesystem image, related to fs/udf/inode.c and     fs/udf/symlink.c (bsc#933904).

  - CVE-2014-9730: The udf_pc_to_char function in     fs/udf/symlink.c in the Linux kernel before 3.18.2     relies on component lengths that are unused, which     allowed local users to cause a denial of service (system     crash) via a crafted UDF filesystem image (bsc#933904).

  - CVE-2014-9729: The udf_read_inode function in     fs/udf/inode.c in the Linux kernel before 3.18.2 did not     ensure a certain data-structure size consistency, which     allowed local users to cause a denial of service (system     crash) via a crafted UDF filesystem image (bsc#933904).

  - CVE-2014-9731: The UDF filesystem implementation in the     Linux kernel before 3.18.2 did not ensure that space is     available for storing a symlink target's name along with     a trailing \0 character, which allowed local users to     obtain sensitive information via a crafted filesystem     image, related to fs/udf/symlink.c and fs/udf/unicode.c     (bsc#933896).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-5707: An integer overflow in the SCSI generic     driver could be potentially used by local attackers to     crash the kernel or execute code (bsc#940338).

  - CVE-2015-5364: A remote denial of service (hang) via UDP     flood with incorrect package checksums was fixed.
    (bsc#936831).

  - CVE-2015-5366: A remote denial of service (unexpected     error returns) via UDP flood with incorrect package     checksums was fixed. (bsc#936831).

  - CVE-2015-1420: A race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel allowed     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function (bnc#915517).

  - CVE-2015-4700: A local user could have created a bad     instruction in the JIT processed BPF code, leading to a     kernel crash (bnc#935705).

  - CVE-2015-4167: The UDF filesystem in the Linux kernel     was vulnerable to a crash which could occur while     fetching inode information from a corrupted/malicious     udf file system image. (bsc#933907).

  - CVE-2014-9728 CVE-2014-9729 CVE-2014-9730 CVE-2014-9731:
    Various issues in handling UDF filesystems in the Linux     kernel allowed the corruption of kernel memory and other     issues. An attacker able to mount a corrupted/malicious     UDF file system image could cause the kernel to crash.
    (bsc#933904 bsc#933896)

  - CVE-2015-2150: The Linux kernel did not properly     restrict access to PCI command registers, which might     have allowed local guest users to cause a denial of     service (non-maskable interrupt and host crash) by     disabling the (1) memory or (2) I/O decoding for a PCI     Express device and then accessing the device, which     triggers an Unsupported Request (UR) response     (bsc#919463).

  - CVE-2015-0777: drivers/xen/usbback/usbback.c as used in     the Linux kernel 2.6.x and 3.x in SUSE Linux     distributions, allowed guest OS users to obtain     sensitive information from uninitialized locations in     host OS kernel memory via unspecified vectors     (bnc#917830).

  - CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux     kernel did not prevent the TS_COMPAT flag from reaching     a user-mode task, which might have allowed local users     to bypass the seccomp or audit protection mechanism via     a crafted application that uses the (1) fork or (2)     close system call, as demonstrated by an attack against     seccomp before 3.16 (bnc#926240).

  - CVE-2015-1805: The Linux kernels implementation of     vectored pipe read and write functionality did not take     into account the I/O vectors that were already processed     when retrying after a failed atomic access operation,     potentially resulting in memory corruption due to an I/O     vector array overrun. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the system. (bsc#933429).

Also 

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.2 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-3290: A flaw was found in the way the Linux     kernels nested NMI handler and espfix64 functionalities     interacted during NMI processing. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the system.

  - CVE-2015-3212: A race condition flaw was found in the     way the Linux kernels SCTP implementation handled     Address Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a socket.

  - CVE-2015-5364: A remote denial of service (hang) via UDP     flood with incorrect package checksums was fixed.
    (bsc#936831).

  - CVE-2015-5366: A remote denial of service (unexpected     error returns) via UDP flood with incorrect package     checksums was fixed. (bsc#936831).

  - CVE-2015-4700: A local user could have created a bad     instruction in the JIT processed BPF code, leading to a     kernel crash (bnc#935705).

  - CVE-2015-1420: Race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel allowed     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function (bnc#915517).

  - CVE-2015-4692: The kvm_apic_has_events function in     arch/x86/kvm/lapic.h in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by leveraging /dev/kvm access     for an ioctl call (bnc#935542).

  - CVE-2015-4167 CVE-2014-9728 CVE-2014-9730 CVE-2014-9729     CVE-2014-9731: Various problems in the UDF filesystem     were fixed that could lead to crashes when mounting     prepared udf filesystems.

  - CVE-2015-4002: drivers/staging/ozwpan/ozusbsvc1.c in the     OZWPAN driver in the Linux kernel did not ensure that     certain length values are sufficiently large, which     allowed remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data functions     (bnc#933934).

  - CVE-2015-4003: The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel allowed remote attackers to cause a     denial of service (divide-by-zero error and system     crash) via a crafted packet (bnc#933934).

  - CVE-2015-4001: Integer signedness error in the     oz_hcd_get_desc_cnf function in     drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in     the Linux kernel allowed remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a crafted packet (bnc#933934).

  - CVE-2015-4036: A potential memory corruption in     vhost/scsi was fixed.

  - CVE-2015-2922: The ndisc_router_discovery function in     net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol     implementation in the IPv6 stack in the Linux kernel     allowed remote attackers to reconfigure a hop-limit     setting via a small hop_limit value in a Router     Advertisement (RA) message (bnc#922583).

  - CVE-2015-3636: It was found that the Linux kernels ping     socket implementation did not properly handle socket     unhashing during spurious disconnects, which could lead     to a use-after-free flaw. On x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to crash the system. On non-x86-64     architecture systems, a local user able to create ping     sockets could use this flaw to escalate their privileges     on the system.

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel used an incorrect data type in a sysctl table,     which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bnc#919007).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped.

  - CVE-2015-1465: The IPv4 implementation in the Linux     kernel did not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allowed remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of packets     (bnc#916225).

The following non-security bugs were fixed :

  - ALSA: ak411x: Fix stall in work callback (boo#934755).

  - ALSA: emu10k1: Emu10k2 32 bit DMA mode (boo#934755).

  - ALSA: emu10k1: Fix card shortname string buffer overflow     (boo#934755).

  - ALSA: emu10k1: do not deadlock in proc-functions     (boo#934755).

  - ALSA: emux: Fix mutex deadlock at unloading     (boo#934755).

  - ALSA: emux: Fix mutex deadlock in OSS emulation     (boo#934755).

  - ALSA: hda - Add AZX_DCAPS_SNOOP_OFF (and refactor snoop     setup) (boo#934755).

  - ALSA: hda - Add Conexant codecs CX20721, CX20722,     CX20723 and CX20724 (boo#934755).

  - ALSA: hda - Add common pin macros for ALC269 family     (boo#934755).

  - ALSA: hda - Add dock support for ThinkPad X250     (17aa:2226) (boo#934755).

  - ALSA: hda - Add dock support for Thinkpad T450s     (17aa:5036) (boo#934755).

  - ALSA: hda - Add headphone quirk for Lifebook E752     (boo#934755).

  - ALSA: hda - Add headset mic quirk for Dell Inspiron 5548     (boo#934755).

  - ALSA: hda - Add mute-LED mode control to Thinkpad     (boo#934755).

  - ALSA: hda - Add one more node in the EAPD supporting     candidate list (boo#934755).

  - ALSA: hda - Add pin configs for ASUS mobo with IDT     92HD73XX codec (boo#934755).

  - ALSA: hda - Add ultra dock support for Thinkpad X240     (boo#934755).

  - ALSA: hda - Add workaround for CMI8888 snoop behavior     (boo#934755).

  - ALSA: hda - Add workaround for MacBook Air 5,2 built-in     mic (boo#934755).

  - ALSA: hda - Disable runtime PM for Panther Point again     (boo#934755).

  - ALSA: hda - Do not access stereo amps for mono channel     widgets (boo#934755).

  - ALSA: hda - Fix Dock Headphone on Thinkpad X250 seen as     a Line Out (boo#934755).

  - ALSA: hda - Fix headphone pin config for Lifebook T731     (boo#934755).

  - ALSA: hda - Fix noise on AMD radeon 290x controller     (boo#934755).

  - ALSA: hda - Fix probing and stuttering on CMI8888     HD-audio controller (boo#934755).

  - ALSA: hda - One more Dell macine needs     DELL1_MIC_NO_PRESENCE quirk (boo#934755).

  - ALSA: hda - One more HP machine needs to change mute led     quirk (boo#934755).

  - ALSA: hda - Set GPIO 4 low for a few HP machines     (boo#934755).

  - ALSA: hda - Set single_adc_amp flag for CS420x codecs     (boo#934755).

  - ALSA: hda - Treat stereo-to-mono mix properly     (boo#934755).

  - ALSA: hda - change three SSID quirks to one pin quirk     (boo#934755).

  - ALSA: hda - fix 'num_steps = 0' error on ALC256     (boo#934755).

  - ALSA: hda - fix a typo by changing mute_led_nid to     cap_mute_led_nid (boo#934755).

  - ALSA: hda - fix headset mic detection problem for one     more machine (boo#934755).

  - ALSA: hda - fix mute led problem for three HP laptops     (boo#934755).

  - ALSA: hda - set proper caps for newer AMD hda audio in     KB/KV (boo#934755).

  - ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450     (boo#934755).

  - ALSA: hda/realtek - Add a fixup for another Acer Aspire     9420 (boo#934755).

  - ALSA: hda/realtek - Enable the ALC292 dock fixup on the     Thinkpad T450 (boo#934755).

  - ALSA: hda/realtek - Fix Headphone Mic does not recording     for ALC256 (boo#934755).

  - ALSA: hda/realtek - Make more stable to get pin sense     for ALC283 (boo#934755).

  - ALSA: hda/realtek - Support Dell headset mode for ALC256     (boo#934755).

  - ALSA: hda/realtek - Support HP mute led for output and     input (boo#934755).

  - ALSA: hda/realtek - move HP_LINE1_MIC1_LED quirk for     alc282 (boo#934755).

  - ALSA: hda/realtek - move HP_MUTE_LED_MIC1 quirk for     alc282 (boo#934755).

  - ALSA: hdspm - Constrain periods to 2 on older cards     (boo#934755).

  - ALSA: pcm: Do not leave PREPARED state after draining     (boo#934755).

  - ALSA: snd-usb: add quirks for Roland UA-22 (boo#934755).

  - ALSA: usb - Creative USB X-Fi Pro SB1095 volume knob     support (boo#934755).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Quickcam Fusion (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam HD-3000     (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam Studio     (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Lifecam HD-5000     sample rate (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Microsoft Lifecam     Cinema sample rate (boo#934755).

  - ALSA: usb-audio: add MAYA44 USB+ mixer control names     (boo#934755).

  - ALSA: usb-audio: do not try to get Benchmark DAC1 sample     rate (boo#934755).

  - ALSA: usb-audio: do not try to get Outlaw RR2150 sample     rate (boo#934755).

  - ALSA: usb-audio: fix missing input volume controls in     MAYA44 USB(+) (boo#934755).

  - Automatically Provide/Obsolete all subpackages of old     flavors (bnc#925567)

  - Fix kABI for ak411x structs (boo#934755).

  - Fix kABI for snd_emu10k1 struct (boo#934755).

  - HID: add ALWAYS_POLL quirk for a Logitech 0xc007     (bnc#929624).

  - HID: add HP OEM mouse to quirk ALWAYS_POLL (bnc#929624).

  - HID: add quirk for PIXART OEM mouse used by HP     (bnc#929624).

  - HID: usbhid: add always-poll quirk (bnc#929624).

  - HID: usbhid: add another mouse that needs     QUIRK_ALWAYS_POLL (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 009b (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 0103 (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 016f (bnc#929624).

  - HID: usbhid: fix PIXART optical mouse (bnc#929624).

  - HID: usbhid: more mice with ALWAYS_POLL (bnc#929624).

  - HID: usbhid: yet another mouse with ALWAYS_POLL     (bnc#929624).

  - HID: yet another buggy ELAN touchscreen (bnc#929624).

  - Input: synaptics - handle spurious release of trackstick     buttons (bnc#928693).

  - Input: synaptics - re-route tracksticks buttons on the     Lenovo 2015 series (bnc#928693).

  - Input: synaptics - remove TOPBUTTONPAD property for     Lenovos 2015 (bnc#928693).

  - Input: synaptics - retrieve the extended capabilities in     query $10 (bnc#928693).

  - NFSv4: When returning a delegation, do not reclaim an     incompatible open mode (bnc#934202).

  - Refresh patches.xen/xen-blkfront-indirect (bsc#922235).

  - Update config files: extend CONFIG_DPM_WATCHDOG_TIMEOUT     to 60 (bnc#934397)

  - arm64: mm: Remove hack in mmap randomized layout Fix     commit id and mainlined information

  - bnx2x: Fix kdump when iommu=on (bug#921769).

  - client MUST ignore EncryptionKeyLength if     CAP_EXTENDED_SECURITY is set (bnc#932348).

  - config/armv7hl: Disable AMD_XGBE_PHY The AMD XGBE     ethernet chip is only used on ARM64 systems.

  - config: disable XGBE on non-ARM hardware It is     documented as being present only on AMD SoCs.

  - cpufreq: fix a NULL pointer dereference in
    __cpufreq_governor() (bsc#924664).

  - drm/i915/bdw: PCI IDs ending in 0xb are ULT     (boo#935913).

  - drm/i915/chv: Remove Wait for a previous gfx force-off     (boo#935913).

  - drm/i915/dp: only use training pattern 3 on platforms     that support it (boo#935913).

  - drm/i915/dp: there is no audio on port A (boo#935913).

  - drm/i915/hsw: Fix workaround for server AUX channel     clock divisor (boo#935913).

  - drm/i915/vlv: remove wait for previous GFX clk disable     request (boo#935913).

  - drm/i915/vlv: save/restore the power context base reg     (boo#935913).

  - drm/i915: Add missing MacBook Pro models with dual     channel LVDS (boo#935913).

  - drm/i915: BDW Fix Halo PCI IDs marked as ULT     (boo#935913).

  - drm/i915: Ban Haswell from using RCS flips (boo#935913).

  - drm/i915: Check obj->vma_list under the struct_mutex     (boo#935913).

  - drm/i915: Correct the IOSF Dev_FN field for IOSF     transfers (boo#935913).

  - drm/i915: Dell Chromebook 11 has PWM backlight     (boo#935913).

  - drm/i915: Disable caches for Global GTT (boo#935913).

  - drm/i915: Do a dummy DPCD read before the actual read     (bnc#907714).

  - drm/i915: Do not complain about stolen conflicts on gen3     (boo#935913).

  - drm/i915: Do not leak pages when freeing userptr objects     (boo#935913).

  - drm/i915: Dont enable CS_PARSER_ERROR interrupts at all     (boo#935913).

  - drm/i915: Evict CS TLBs between batches (boo#935913).

  - drm/i915: Fix DDC probe for passive adapters     (boo#935913).

  - drm/i915: Fix and clean BDW PCH identification     (boo#935913).

  - drm/i915: Force the CS stall for invalidate flushes     (boo#935913).

  - drm/i915: Handle failure to kick out a conflicting fb     driver (boo#935913).

  - drm/i915: Ignore SURFLIVE and flip counter when the GPU     gets reset (boo#935913).

  - drm/i915: Ignore VBT backlight check on Macbook 2, 1     (boo#935913).

  - drm/i915: Invalidate media caches on gen7 (boo#935913).

  - drm/i915: Kick fbdev before vgacon (boo#935913).

  - drm/i915: Only fence tiled region of object     (boo#935913).

  - drm/i915: Only warn the first time we attempt to mmio     whilst suspended (boo#935913).

  - drm/i915: Unlock panel even when LVDS is disabled     (boo#935913).

  - drm/i915: Use IS_HSW_ULT() in a HSW specific code path     (boo#935913).

  - drm/i915: cope with large i2c transfers (boo#935913).

  - drm/i915: do not warn if backlight unexpectedly enabled     (boo#935913).

  - drm/i915: drop WaSetupGtModeTdRowDispatch:snb     (boo#935913).

  - drm/i915: save/restore GMBUS freq across suspend/resume     on gen4 (boo#935913).

  - drm/i915: vlv: fix IRQ masking when uninstalling     interrupts (boo#935913).

  - drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg     (boo#935913).

  - drm/radeon: retry dcpd fetch (bnc#931580).

  - ftrace/x86/xen: use kernel identity mapping only when     really needed (bsc#873195, bsc#886272, bsc#903727,     bsc#927725)

  - guards: Add support for an external filelist in --check     mode This will allow us to run --check without a     kernel-source.git work tree.

  - guards: Include the file name also in the 'Not found'     error

  - guards: Simplify help text

  - hyperv: Add processing of MTU reduced by the host     (bnc#919596).

  - ideapad_laptop: Lenovo G50-30 fix rfkill reports     wireless blocked (boo#939394).

  - ipv6: do not delete previously existing ECMP routes if     add fails (bsc#930399).

  - ipv6: fix ECMP route replacement (bsc#930399).

  - ipv6: replacing a rt6_info needs to purge possible     propagated rt6_infos too (bsc#930399).

  - kABI: protect linux/slab.h include in of/address.

  - kabi/severities: ignore already-broken but acceptable     kABI changes - SYSTEM_TRUSTED_KEYRING=n change removed     system_trusted_keyring - Commits 3688875f852 and     ea5ed8c70e9 changed iov_iter_get_pages prototype - KVM     changes are intermodule dependencies

  - kabi: Fix CRC for dma_get_required_mask.

  - kabi: add kABI reference files

  - libata: Blacklist queued TRIM on Samsung SSD 850 Pro     (bsc#926156).

  - libata: Blacklist queued TRIM on all Samsung 800-series     (bnc#930599).

  - net: ppp: Do not call bpf_prog_create() in ppp_lock     (bnc#930488).

  - rpm/kernel-obs-qa.spec.in: Do not fail if the kernel     versions do not match

  - rt2x00: do not align payload on modern H/W (bnc#932844).

  - rtlwifi: rtl8192cu: Fix kernel deadlock (bnc#927786).

  - thermal: step_wise: Revert optimization (boo#925961).

  - tty: Fix pty master poll() after slave closes v2     (bsc#937138). arm64: mm: Remove hack in mmap randomize     layout (bsc#937033)

  - udf: Remove repeated loads blocksize (bsc#933907).

  - usb: core: Fix USB 3.0 devices lost in NOTATTACHED state     after a hub port reset (bnc#937226).

  - x86, apic: Handle a bad TSC more gracefully     (boo#935530).

  - x86/PCI: Use host bridge _CRS info on Foxconn     K8M890-8237A (bnc#907092).

  - x86/PCI: Use host bridge _CRS info on systems with >32     bit addressing (bnc#907092).

  - x86/microcode/amd: Do not overwrite final patch levels     (bsc#913996).

  - x86/microcode/amd: Extract current patch level read to a     function (bsc#913996).

  - x86/mm: Improve AMD Bulldozer ASLR workaround     (bsc#937032).

  - xenbus: add proper handling of XS_ERROR from Xenbus for     transactions.

  - xhci: Calculate old endpoints correctly on device reset     (bnc#938976).

The SUSE Linux Enterprise 12 kernel was updated to 3.12.44 to receive various security and bugfixes.

These features were added :

  - mpt2sas: Added Reply Descriptor Post Queue (RDPQ) Array     support (bsc#854824).

  - mpt3sas: Bump mpt3sas driver version to 04.100.00.00     (bsc#854817).

Following security bugs were fixed :

  - CVE-2015-1805: iov overrun for failed atomic copy could     have lead to DoS or privilege escalation (bsc#933429).

  - CVE-2015-3212: A race condition in the way the Linux     kernel handled lists of associations in SCTP sockets     could have lead to list corruption and kernel panics     (bsc#936502).

  - CVE-2015-4036: DoS via memory corruption in vhost/scsi     driver (bsc#931988).

  - CVE-2015-4167: Linux kernel built with the UDF file     system(CONFIG_UDF_FS) support was vulnerable to a crash.
    It occurred while fetching inode information from a     corrupted/malicious udf file system image (bsc#933907).

  - CVE-2015-4692: DoS via NULL pointer dereference in     kvm_apic_has_events function (bsc#935542).

  - CVE-2015-5364: Remote DoS via flood of UDP packets with     invalid checksums (bsc#936831).

  - CVE-2015-5366: Remote DoS of EPOLLET epoll applications     via flood of UDP packets with invalid checksums     (bsc#936831).

Security issues already fixed in the previous update but not referenced by CVE :

  - CVE-2014-9728: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9729: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9730: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9731: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to     information leakage (bsc#933896).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The linux-2.6 update issued as DLA-246-1 caused regressions. This update corrects the defective patches applied in that update causing these problems. For reference the original advisory text follows.

This update fixes the CVEs described below.

CVE-2011-5321

Jiri Slaby discovered that tty_driver_lookup_tty() may leak a reference to the tty driver. A local user could use this flaw to crash the system.

CVE-2012-6689

Pablo Neira Ayuso discovered that non-root user-space processes can send forged Netlink notifications to other processes. A local user could use this flaw for denial of service or privilege escalation.

CVE-2014-3184

Ben Hawkes discovered that various HID drivers may over-read the report descriptor buffer, possibly resulting in a crash if a HID with a crafted descriptor is plugged in.

CVE-2014-8159

It was found that the Linux kernel's InfiniBand/RDMA subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system.

CVE-2014-9683

Dmitry Chernenkov discovered that eCryptfs writes past the end of the allocated buffer during encrypted filename decoding, resulting in local denial of service.

CVE-2014-9728 / CVE-2014-9729 / CVE-2014-9730 / CVE-2014-9731 / CVE-2015-4167

Carl Henrik Lunde discovered that the UDF implementation is missing several necessary length checks. A local user that can mount devices could use these various flaws to crash the system, to leak information from the kernel, or possibly for privilege escalation.

CVE-2015-1805

Red Hat discovered that the pipe iovec read and write implementations may iterate over the iovec twice but will modify the iovec such that the second iteration accesses the wrong memory. A local user could use this flaw to crash the system or possibly for privilege escalation.
This may also result in data corruption and information leaks in pipes between non-malicious processes.

CVE-2015-2041

Sasha Levin discovered that the LLC subsystem exposed some variables as sysctls with the wrong type. On a 64-bit kernel, this possibly allows privilege escalation from a process with CAP_NET_ADMIN capability; it also results in a trivial information leak.

CVE-2015-2042

Sasha Levin discovered that the RDS subsystem exposed some variables as sysctls with the wrong type. On a 64-bit kernel, this results in a trivial information leak.

CVE-2015-2830

Andrew Lutomirski discovered that when a 64-bit task on an amd64 kernel makes a fork(2) or clone(2) system call using int $0x80, the 32-bit compatibility flag is set (correctly) but is not cleared on return. As a result, both seccomp and audit will misinterpret the following system call by the task(s), possibly leading to a violation of security policy.

CVE-2015-2922

Modio AB discovered that the IPv6 subsystem would process a router advertisement that specifies no route but only a hop limit, which would then be applied to the interface that received it. This can result in loss of IPv6 connectivity beyond the local network.

This may be mitigated by disabling processing of IPv6 router advertisements if they are not needed: sysctl net.ipv6.conf.default.accept_ra=0 sysctl net.ipv6.conf.<interface>.accept_ra=0

CVE-2015-3339

It was found that the execve(2) system call can race with inode attribute changes made by chown(2). Although chown(2) clears the setuid/setgid bits of a file if it changes the respective owner ID, this race condition could result in execve(2) setting effective uid/gid to the new owner ID, a privilege escalation.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze12.

For the oldstable distribution (wheezy), these problems were fixed in linux version 3.2.68-1+deb7u1 or earlier, except for CVE-2015-1805 and CVE-2015-4167 which will be fixed soon.

For the stable distribution (jessie), these problems were fixed in linux version 3.16.7-ckt11-1 or earlier, except for CVE-2015-4167 which will be fixed later.

We recommend that you upgrade your linux-2.6 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124809	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1485)	Nessus	Huawei Local Security Checks	critical
124796	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1472)	Nessus	Huawei Local Security Checks	high
88545	openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)	Nessus	SuSE Local Security Checks	critical
86290	SUSE SLED11 / SLES11 Security Update : kernel-source (SUSE-SU-2015:1678-1)	Nessus	SuSE Local Security Checks	high
86121	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:1611-1)	Nessus	SuSE Local Security Checks	high
85432	openSUSE Security Update : the Linux Kernel (openSUSE-2015-543)	Nessus	SuSE Local Security Checks	high
85180	SUSE SLED12 / SLES12 Security Update : SUSE Linux Enterprise 12 kernel (SUSE-SU-2015:1324-1)	Nessus	SuSE Local Security Checks	high
84252	Debian DLA-246-2 : linux-2.6 regression update	Nessus	Debian Local Security Checks	high

CVE-2014-9730

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins