http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6217e5ede23285ddfee10d2e4ba0cc2d4c046205

SUSE-SU-2016:1937

SUSE-SU-2016:2105

openSUSE-SU-2016:2184

DSA-3616

91510

1036189

https://github.com/torvalds/linux/commit/6217e5ede23285ddfee10d2e4ba0cc2d4c046205

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw named FragmentSmack     was found in the way the Linux kernel handled     reassembly of fragmented IPv4 and IPv6 packets. A     remote attacker could use this flaw to trigger time and     calculation expensive fragment reassembly algorithm by     sending specially crafted packets which could lead to a     CPU saturation and hence a denial of service on the     system.(CVE-2018-5391)Multiple out-of-bounds write     flaws were found in the way the Cherry Cymotion     keyboard driver, KYE/Genius device drivers, Logitech     device drivers, Monterey Genius KB29E keyboard driver,     Petalynx Maxter remote control driver, and Sunplus     wireless desktop driver handled HID reports with an     invalid report descriptor size. An attacker with     physical access to the system could use either of these     flaws to write data past an allocated memory     buffer.(CVE-2014-3184)The __get_data_block function in     fs/f2fs/data.c in the Linux kernel before 4.11 allows     local users to cause a denial of service (integer     overflow and loop) via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP     ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux     kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for add_callback and     remove_callback operations. This allows local users to     bypass intended access restrictions because the     xt_osf_fingers data structure is shared across all     network namespaces.(CVE-2017-17450)A denial of service     flaw was discovered in the Linux kernel, where a race     condition caused a NULL pointer dereference in the RDS     socket-creation code. A local attacker could use this     flaw to create a situation in which a NULL pointer     crashed the kernel.(CVE-2015-7990)An issue was     discovered in the Linux kernel before 4.19.9. The USB     subsystem mishandles size checks during the reading of     an extra descriptor, related to
    __usb_get_extra_descriptor in     drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in     the Linux kernel before 4.1.4 mishandles anonymous     pages, which allows local users to gain privileges or     cause a denial of service (page tainting) via a crafted     application that triggers writing to page     zero.(CVE-2015-3288)The ovl_setattr function in     fs/overlayfs/inode.c in the Linux kernel through 4.3.3     attempts to merge distinct setattr operations, which     allows local users to bypass intended access     restrictions and modify the attributes of arbitrary     overlay files via a crafted     application.(CVE-2015-8660)A flaw was found in the     Linux kernel where a local user with a shell account     can abuse the userfaultfd syscall when using hugetlbfs.
    A missing size check in hugetlb_mcopy_atomic_pte could     create an invalid inode variable, leading to a kernel     panic.(CVE-2017-15128)An integer overflow flaw was     found in the way the lzo1x_decompress_safe() function     of the Linux kernel's LZO implementation processed     Literal Runs. A local attacker could, in extremely rare     cases, use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-4608)It was found that Linux kernel's     ptrace subsystem did not properly sanitize the     address-space-control bits when the program-status word     (PSW) was being set. On IBM S/390 systems, a local,     unprivileged user could use this flaw to set     address-space-control bits to the kernel space, and     thus gain read and write access to kernel     memory.(CVE-2014-3534)A use-after-free flaw was found     in the Linux kernel's file system encryption     implementation. A local user could revoke keyring keys     being used for ext4, f2fs, or ubifs encryption, causing     a denial of service on the system.(CVE-2017-7374)The     usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)A flaw was found in the     patches used to fix the 'dirtycow' vulnerability     (CVE-2016-5195). An attacker, able to run local code,     can exploit a race condition in transparent huge pages     to modify usually read-only huge     pages.(CVE-2017-1000405)The aio_mount function in     fs/aio.c in the Linux kernel does not properly restrict     execute access, which makes it easier for local users     to bypass intended SELinux W^X policy     restrictions.(CVE-2016-10044)The Serial Attached SCSI     (SAS) implementation in the Linux kernel mishandles a     mutex within libsas. This allows local users to cause a     denial of service (deadlock) by triggering certain     error-handling code.(CVE-2017-18232)A use-after-free     vulnerability was found in tcp_xmit_retransmit_queue     and other tcp_* functions. This condition could allow     an attacker to send an incorrect selective     acknowledgment to existing connections, possibly     resetting a connection.(CVE-2016-6828)The instruction     decoder in arch/x86/kvm/emulate.c in the KVM subsystem     in the Linux kernel before 3.18-rc2 does not properly     handle invalid instructions, which allows guest OS     users to cause a denial of service (NULL pointer     dereference and host OS crash) via a crafted     application that triggers (1) an improperly fetched     instruction or (2) an instruction that occupies too     many bytes. NOTE: this vulnerability exists because of     an incomplete fix for CVE-2014-8480.(CVE-2014-8481)The     snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)The resv_map_release function in     mm/hugetlb.c in the Linux kernel, through 4.15.7,     allows local users to cause a denial of service (BUG)     via a crafted application that makes mmap system calls     and has a large pgoff argument to the remap_file_pages     system call.(CVE-2018-7740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size i1/4z block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - An integer overflow flaw was found in the way the Linux     kernel randomized the stack for processes on certain     64-bit architecture systems, such as x86-64, causing     the stack entropy to be reduced by four.(CVE-2015-1593)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes. The following feature was implemented :

  - The ext2 filesystem got reenabled and supported to allow     support for 'XIP' (Execute In Place) (FATE#320805). The     following security bugs were fixed :

  - CVE-2017-5551: The tmpfs filesystem implementation in     the Linux kernel preserved the setgid bit during a     setxattr call, which allowed local users to gain group     privileges by leveraging the existence of a setgid     program with restrictions on execute permissions     (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserved the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2017-2583: A Linux kernel built with the     Kernel-based Virtual Machine (CONFIG_KVM) support was     vulnerable to an incorrect segment selector(SS) value     error. A user/process inside guest could have used this     flaw to crash the guest resulting in DoS or potentially     escalate their privileges inside guest. (bsc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-8645: The TCP stack in the Linux kernel     mishandled skb truncation, which allowed local users to     cause a denial of service (system crash) via a crafted     application that made sendto system calls, related to     net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c     (bnc#1009969).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could enable a local     malicious application to execute arbitrary code within     the context of the kernel. This issue is rated as     Moderate because it first requires compromising a     privileged process and current compiler optimizations     restrict access to the vulnerable code. Product:
    Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935 (bnc#1014746).

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bnc#1013540).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2016-7914: The assoc_array_insert_into_terminal_node     function in lib/assoc_array.c in the Linux kernel did     not check whether a slot is a leaf, which allowed local     users to obtain sensitive information from kernel memory     or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data structures, as     demonstrated by the keyutils test suite (bnc#1010475).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via crafted fragmented packets (bnc#1008833).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misused the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel uses an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-8658: Stack-based buffer overflow in the     brcmf_cfg80211_start_ap function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a long SSID Information     Element in a command to a Netlink socket (bnc#1004462).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     by using an ABORT_TASK command to abort a device write     operation (bnc#994748).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for remote attackers to     hijack TCP sessions via a blind in-window attack     (bnc#989152).

  - CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb     function in drivers/s390/char/sclp_ctl.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory by changing a certain     length value, aka a 'double fetch' vulnerability     (bnc#987542).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986362 bnc#986365).

  - CVE-2016-5828: The start_thread function in     arch/powerpc/kernel/process.c in the Linux kernel on     powerpc platforms mishandled transactional state, which     allowed local users to cause a denial of service     (invalid process state or TM Bad Thing exception, and     system crash) or possibly have unspecified other impact     by starting and suspending a transaction before an exec     system call (bnc#986569).

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3127-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

It was discovered that the compression handling code in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel did not properly check for an integer overflow. A local attacker could use this to cause a denial of service (system crash). (CVE-2014-9904)

Kirill A. Shutemov discovered that memory manager in the Linux kernel did not properly handle anonymous pages. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2015-3288)

Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash).
(CVE-2016-3961)

Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-7042).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the compression handling code in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel did not properly check for an integer overflow. A local attacker could use this to cause a denial of service (system crash). (CVE-2014-9904)

Kirill A. Shutemov discovered that memory manager in the Linux kernel did not properly handle anonymous pages. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2015-3288)

Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress hugetlbfs support in X86 paravirtualized guests. An attacker in the guest OS could cause a denial of service (guest system crash).
(CVE-2016-3961)

Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-7042).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.62 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2015-7833: The usbvision driver in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (panic) via a nonzero bInterfaceNumber value     in a USB device descriptor (bnc#950998).

  - CVE-2015-8551: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to hit BUG     conditions and cause a denial of service (NULL pointer     dereference and host OS crash) by leveraging a system     with access to a passed-through MSI or MSI-X capable     physical PCI device and a crafted sequence of     XEN_PCI_OP_* operations, aka 'Linux pciback missing     sanity checks (bnc#957990).

  - CVE-2015-8552: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to generate a     continuous stream of WARN messages and cause a denial of     service (disk consumption) by leveraging a system with     access to a passed-through MSI or MSI-X capable physical     PCI device and XEN_PCI_OP_enable_msi operations, aka     'Linux pciback missing sanity checks (bnc#957990).

  - CVE-2015-8845: The tm_reclaim_thread function in     arch/powerpc/kernel/process.c in the Linux kernel on     powerpc platforms did not ensure that TM suspend mode     exists before proceeding with a tm_reclaim call, which     allowed local users to cause a denial of service (TM Bad     Thing exception and panic) via a crafted application     (bnc#975533).

  - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in     the Linux kernel allowed local users to gain privileges     via crafted ASN.1 data (bnc#979867).

  - CVE-2016-1583: The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (stack memory consumption) via vectors involving crafted     mmap calls for /proc pathnames, leading to recursive     pagefault handling (bsc#983143).

  - CVE-2016-2053: The asn1_ber_decoder function in     lib/asn1_decoder.c in the Linux kernel allowed attackers     to cause a denial of service (panic) via an ASN.1 BER     file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in     crypto/asymmetric_keys/public_key.c (bnc#963762).

  - CVE-2016-3672: The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel did not properly     randomize the legacy base address, which made it easier     for local users to defeat the intended restrictions on     the ADDR_NO_RANDOMIZE flag, and bypass the ASLR     protection mechanism for a setuid or setgid program, by     disabling stack-consumption resource limits     (bnc#974308).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bsc#978401).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relied on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bsc#979213).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to gain privileges or cause a     denial of service (memory corruption) by leveraging     in-container root access to provide a crafted offset     value that triggers an unintended decrement     (bsc#986362).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bsc#986365).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

  - CVE-2016-5828: The start_thread function in     arch/powerpc/kernel/process.c in the Linux kernel on     powerpc platforms mishandled transactional state, which     allowed local users to cause a denial of service     (invalid process state or TM Bad Thing exception, and     system crash) or possibly have unspecified other impact     by starting and suspending a transaction an exec system     call (bsc#986569).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allowed     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.2 kernel was updated to fix various bugs and security issues.

The following security bugs were fixed :

  - CVE-2016-1583: Prevent the usage of mmap when the lower     file system does not allow it. This could have lead to     local privilege escalation when ecryptfs-utils was     installed and /sbin/mount.ecryptfs_private was setuid     (bsc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandles NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-0758: Tags with indefinite length could have     corrupted pointers in asn1_find_indefinite_length     (bsc#979867).

  - CVE-2016-2053: The asn1_ber_decoder function in     lib/asn1_decoder.c in the Linux kernel allowed attackers     to cause a denial of service (panic) via an ASN.1 BER     file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in     crypto/asymmetric_keys/public_key.c (bnc#963762).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971919 971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401 bsc#978445).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548 bsc#980363).

  - CVE-2016-3672: The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel did not properly     randomize the legacy base address, which made it easier     for local users to defeat the intended restrictions on     the ADDR_NO_RANDOMIZE flag, and bypass the ASLR     protection mechanism for a setuid or setgid program, by     disabling stack-consumption resource limits     (bnc#974308).

  - CVE-2016-4581: fs/pnode.c in the Linux kernel did not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allowed local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system calls     (bnc#979913).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2015-3288: A security flaw was found in the Linux     kernel that there was a way to arbitrary change zero     page memory. (bnc#979021).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948 974646).

  - CVE-2016-3136: The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device without two interrupt-in     endpoint descriptors (bnc#970955).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3951: Double free vulnerability in     drivers/net/usb/cdc_ncm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact by inserting a USB device with an invalid     USB descriptor (bnc#974418).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3689: The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) via a USB device without both a     master and a slave interface (bnc#971628).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2015-8830: Integer overflow in the     aio_setup_single_vector function in fs/aio.c in the     Linux kernel 4.0 allowed local users to cause a denial     of service or possibly have unspecified other impact via     a large AIO iovec. NOTE: this vulnerability exists     because of a CVE-2012-6701 regression (bnc#969354     bsc#969355).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employs a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retains certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     uses an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the     Linux kernel mishandles uid and gid mappings, which     allowed local users to gain privileges by establishing a     user namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here (bnc#959709 960561 ).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572 986573).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to gain privileges or cause a     denial of service (memory corruption) by leveraging     in-container root access to provide a crafted offset     value that triggers an unintended decrement (bnc#986362     986365 986377).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755 984764).

  - CVE-2015-6526: The perf_callchain_user_64 function in     arch/powerpc/perf/callchain.c in the Linux kernel on     ppc64 platforms allowed local users to cause a denial of     service (infinite loop) via a deep 64-bit userspace     backtrace (bnc#942702).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

The following non-security bugs were fixed :

  - ALSA: hrtimer: Handle start/stop more properly     (bsc#973378).

  - ALSA: pcm: Fix potential deadlock in OSS emulation     (bsc#968018).

  - ALSA: rawmidi: Fix race at copying & updating the     position (bsc#968018).

  - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free     (bsc#968018).

  - ALSA: seq: Fix double port list deletion (bsc#968018).

  - ALSA: seq: Fix incorrect sanity check at     snd_seq_oss_synth_cleanup() (bsc#968018).

  - ALSA: seq: Fix leak of pool buffer at concurrent writes     (bsc#968018).

  - ALSA: seq: Fix lockdep warnings due to double mutex     locks (bsc#968018).

  - ALSA: seq: Fix race at closing in virmidi driver     (bsc#968018).

  - ALSA: seq: Fix yet another races among ALSA timer     accesses (bsc#968018).

  - ALSA: timer: Call notifier in the same spinlock     (bsc#973378).

  - ALSA: timer: Code cleanup (bsc#968018).

  - ALSA: timer: Fix leftover link at closing (bsc#968018).

  - ALSA: timer: Fix link corruption due to double start or     stop (bsc#968018).

  - ALSA: timer: Fix race between stop and interrupt     (bsc#968018).

  - ALSA: timer: Fix wrong instance passed to slave     callbacks (bsc#968018).

  - ALSA: timer: Protect the whole snd_timer_close() with     open race (bsc#973378).

  - ALSA: timer: Sync timer deletion at closing the system     timer (bsc#973378).

  - ALSA: timer: Use mod_timer() for rearming the system     timer (bsc#973378).

  - Bluetooth: vhci: Fix race at creating hci device     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: fix open_timeout vs. hdev race     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: purge unhandled skbs     (bsc#971799,bsc#966849).

  - Btrfs: do not use src fd for printk (bsc#980348).

  - Refresh     patches.drivers/ALSA-hrtimer-Handle-start-stop-more-prop     erly. Fix the build error on 32bit architectures.

  - Refresh patches.xen/xen-netback-coalesce: Restore     copying of SKBs with head exceeding page size     (bsc#978469).

  - Refresh patches.xen/xen3-patch-3.14: Suppress atomic     file position updates on /proc/xen/xenbus (bsc#970275).

  - Subject: [PATCH] USB: xhci: Add broken streams quirk for     Frescologic device id 1009 (bnc#982706).

  - USB: usbip: fix potential out-of-bounds write     (bnc#975945).

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (bsc#973570).

  - backends: guarantee one time reads of shared ring     contents (bsc#957988).

  - btrfs: do not go readonly on existing qgroup items     (bsc#957052).

  - btrfs: remove error message from search ioctl for     nonexistent tree.

  - drm/i915: Fix missing backlight update during panel     disablement (bsc#941113 boo#901754).

  - enic: set netdev->vlan_features (bsc#966245).

  - ext4: fix races between buffered IO and collapse /     insert range (bsc#972174).

  - ext4: fix races between page faults and hole punching     (bsc#972174).

  - ext4: fix races of writeback with punch hole and zero     range (bsc#972174).

  - ext4: move unlocked dio protection from     ext4_alloc_file_blocks() (bsc#972174).

  - ipv4/fib: do not warn when primary address is missing if     in_dev is dead (bsc#971360).

  - ipvs: count pre-established TCP states as active     (bsc#970114).

  - net: core: Correct an over-stringent device loop     detection (bsc#945219).

  - netback: do not use last request to determine minimum Tx     credit (bsc#957988).

  - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY.

  - pciback: Save the number of MSI-X entries to be copied     later.

  - pciback: guarantee one time reads of shared ring     contents (bsc#957988).

  - series.conf: move cxgb3 patch to network drivers section

  - usb: quirk to stop runtime PM for Intel 7260     (bnc#984464).

  - x86: standardize mmap_rnd() usage (bnc#974308).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2014-9904     It was discovered that the snd_compress_check_input     function used in the ALSA subsystem does not properly     check for an integer overflow, allowing a local user to     cause a denial of service.

  - CVE-2016-5728     Pengfei Wang discovered a race condition in the MIC VOP     driver that could allow a local user to obtain sensitive     information from kernel memory or cause a denial of     service.

  - CVE-2016-5828     Cyril Bur and Michael Ellerman discovered a flaw in the     handling of Transactional Memory on powerpc systems     allowing a local user to cause a denial of service     (kernel crash) or possibly have unspecified other     impact, by starting a transaction, suspending it, and     then calling any of the exec() class system calls.

  - CVE-2016-5829     A heap-based buffer overflow vulnerability was found in     the hiddev driver, allowing a local user to cause a     denial of service or, potentially escalate their     privileges.

  - CVE-2016-6130     Pengfei Wang discovered a flaw in the S/390 character     device drivers potentially leading to information leak     with /dev/sclp.

Additionally this update fixes a regression in the ebtables facility (#828914) that was introduced in DSA-3607-1.

ID	Name	Product	Family	Severity
124828	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)	Nessus	Huawei Local Security Checks	critical
124809	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1485)	Nessus	Huawei Local Security Checks	critical
97205	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0471-1)	Nessus	SuSE Local Security Checks	high
94732	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3127-2)	Nessus	Ubuntu Local Security Checks	high
94731	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3127-1)	Nessus	Ubuntu Local Security Checks	high
93299	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2105-1)	Nessus	SuSE Local Security Checks	high
93216	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1029)	Nessus	SuSE Local Security Checks	high
93104	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)	Nessus	SuSE Local Security Checks	critical
91927	Debian DSA-3616-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2014-9904

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins