http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f2af21aae11972fa924374ddcf52e88347cf5a8

RHSA-2015:1778

RHSA-2015:1787

[oss-security] 20150223 CVE-2015-0275 -- Linux kernel: fs: ext4: fallocate zero range page size > block size BUG()

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

75139

1034454

[linux-ext4] 20150218 [PATCH] ext4: Allocate entire range in zero range

https://bugzilla.redhat.com/show_bug.cgi?id=1193907

https://github.com/torvalds/linux/commit/0f2af21aae11972fa924374ddcf52e88347cf5a8

https://support.f5.com/csp/article/K05211147

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update also fixes several bugs. Refer to the following Knowledgebase article for further information :

https://access.redhat.com/articles/1614563

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

The kernel-rt packages have been upgraded to version 3.10.0-229.13.1, which provides a number of bug fixes and enhancements over the previous version, including :

* Fix regression in scsi_send_eh_cmnd()

* boot hangs at 'Console: switching to colour dummy device 80x25'

* Update tcp stack to 3.17 kernel

* Missing some code from patch '(...) Fix VGA switcheroo problem related to hotplug'

* ksoftirqd high CPU usage due to stray tasklet from ioatdma driver

* During Live Partition Mobility (LPM) testing, RHEL 7.1 LPARs will crash in kmem_cache_alloc

(BZ#1253809)

This update also fixes the following bug :

* The hwlat_detector.ko module samples the clock and records any intervals between reads that exceed a specified threshold. However, the module previously tracked the maximum interval seen for the 'inner' interval but did not record when the 'outer' interval was greater. A patch has been applied to fix this bug, and hwlat_detector.ko now correctly records if the outer interval is the maximal interval encountered during the run. (BZ#1252365)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update provides a build of the kernel-rt package for Red Hat Enterprise MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and fixes the following issues :

* Fix regression in scsi_send_eh_cmnd()

* boot hangs at 'Console: switching to colour dummy device 80x25'

* Update tcp stack to 3.17 kernel

* ksoftirqd high CPU usage due to stray tasklet from ioatdma driver

(BZ#1245345)

This update also fixes the following bugs :

* The configuration option CONFIG_RTC_HCTOSYS was disabled on the realtime kernel causing the RTC clock to be adjusted with the UTC time even if the system is configured to set the RTC to the local time. By enabling the CONFIG_RTC_HCTOSYS configuration option, when the system is configured to use local time, RTC will correctly update with the local time and not try to use another timezone. (BZ#1248047)

* In the realtime kernel, if a rt_mutex was taken while in interrupt context the normal priority inheritance protocol would falsely identify a deadlock and trigger a kernel crash. The patch that added the rt_mutex in this interrupt context was reverted. (BZ#1250649)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2015:1778 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update also fixes several bugs. Refer to the following Knowledgebase article for further information :

https://access.redhat.com/articles/1614563

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-0275)

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system. (CVE-2015-3636)

A memory corruption flaw was discovered in the Linux kernel's scsi subsystem. A local attacker could potentially exploit this flaw to cause a denial of service (system crash). (CVE-2015-4036).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-0275)

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system. (CVE-2015-3636).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Linux kernel was updated to fix bugs and security issues :

Following security issues were fixed: CVE-2015-2830: A flaw was found in the way the Linux kernels 32-bit emulation implementation handled forking or closing of a task with an int80 entry. A local user could have potentially used this flaw to escalate their privileges on the system.

CVE-2015-2042: A kernel information leak in rds sysctl files was fixed.

CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0275: A BUG_ON in ext4 was fixed which could be triggered by local users.

CVE-2015-2666: A buffer overflow when loading microcode files into the kernel could be used by the administrator to execute code in the kernel, bypassing secure boot measures.

  - CVE-2015-1421: Use-after-free vulnerability in the     sctp_assoc_update function in net/sctp/associola.c in     the Linux kernel allowed remote attackers to cause a     denial of service (slab corruption and panic) or     possibly have unspecified other impact by triggering an     INIT collision that leads to improper handling of     shared-key data.

  - CVE-2015-2150: XSA-120: Guests were permitted to modify     all bits of the PCI command register of passed through     cards, which could lead to Host system crashes.

  - CVE-2015-0777: The XEN usb backend could leak     information to the guest system due to copying     uninitialized memory.

  - CVE-2015-1593: A integer overflow reduced the     effectiveness of the stack randomization on 64-bit     systems.

  - CVE-2014-9419: The __switch_to function in     arch/x86/kernel/process_64.c in the Linux kernel did not     ensure that Thread Local Storage (TLS) descriptors are     loaded before proceeding with other steps, which made it     easier for local users to bypass the ASLR protection     mechanism via a crafted application that reads a TLS     base address.

  - CVE-2014-9428: The batadv_frag_merge_packets function in     net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel used an incorrect     length field during a calculation of an amount of     memory, which allowed remote attackers to cause a denial     of service (mesh-node system crash) via fragmented     packets.

  - CVE-2014-8160:
    net/netfilter/nf_conntrack_proto_generic.c in the Linux     kernel generated incorrect conntrack entries during     handling of certain iptables rule sets for the SCTP,     DCCP, GRE, and UDP-Lite protocols, which allowed remote     attackers to bypass intended access restrictions via     packets with disallowed port numbers.

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key.

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel did not restrict the     number of Rock Ridge continuation entries, which allowed     local users to cause a denial of service (infinite loop,     and system crash or hang) via a crafted iso9660 image.

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel did not     validate a length value in the Extensions Reference (ER)     System Use Field, which allowed local users to obtain     sensitive information from kernel memory via a crafted     iso9660 image.

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel did not properly     choose memory locations for the vDSO area, which made it     easier for local users to bypass the ASLR protection     mechanism by guessing a location at the end of a PMD.

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through did not properly maintain the     semantics of rename_lock, which allowed local users to     cause a denial of service (deadlock and system hang) via     a crafted application.

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel used an     improper paravirt_enabled setting for KVM guest kernels,     which made it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that     reads a 16-bit value.

Following bugs were fixed :

  - powerpc/pci: Fix IO space breakage after     of_pci_range_to_resource() change (bnc#922542).

  - cifs: fix use-after-free bug in find_writable_file     (bnc#909477).

  - usb: Do not allow usb_alloc_streams on unconfigured     devices (bsc#920581).

  - fuse: honour max_read and max_write in direct_io mode     (bnc#918954).

  - switch iov_iter_get_pages() to passing maximal number of     pages (bnc#918954).

  - bcache: fix a livelock in btree lock v2 (bnc#910440)     (bnc#910440). Updated because another version went     upstream

  - drm/i915: Initialise userptr mmu_notifier serial to 1     (bnc#918970).

  - NFS: Don't try to reclaim delegation open state if     recovery failed (boo#909634).

  - NFSv4: Ensure that we call FREE_STATEID when NFSv4.x     stateids are revoked (boo#909634).

  - NFSv4: Fix races between nfs_remove_bad_delegation() and     delegation return (boo#909634).

  - NFSv4: Ensure that we remove NFSv4.0 delegations when     state has expired (boo#909634).

  - Fixing lease renewal (boo#909634).

  - bcache: Fix a bug when detaching (bsc#908582).

  - fix a leak in bch_cached_dev_run() (bnc#910440).

  - bcache: unregister reboot notifier when bcache fails to     register a block device (bnc#910440).

  - bcache: fix a livelock in btree lock (bnc#910440).

  - bcache: [BUG] clear BCACHE_DEV_UNLINK_DONE flag when     attaching a backing device (bnc#910440).

  - bcache: Add a cond_resched() call to gc (bnc#910440).

  - storvsc: ring buffer failures may result in I/O freeze     (bnc#914175).

  - ALSA: seq-dummy: remove deadlock-causing events on close     (boo#916608).

  - ALSA: pcm: Zero-clear reserved fields of PCM status     ioctl in compat mode (boo#916608).

  - ALSA: bebob: Uninitialized id returned by     saffirepro_both_clk_src_get (boo#916608).

  - ALSA: hda - Fix built-in mic on Compaq Presario CQ60     (bnc#920604).

  - ALSA: hda - Fix regression of HD-audio controller     fallback modes (bsc#921313).

  - [media] sound: Update au0828 quirks table (boo#916608).

  - [media] sound: simplify au0828 quirk table (boo#916608).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Webcam C210 (boo#916608).

  - ALSA: usb-audio: extend KEF X300A FU 10 tweak to Arcam     rPAC (boo#916608).

  - ALSA: usb-audio: Add ctrl message delay quirk for     Marantz/Denon devices (boo#916608).

  - ALSA: usb-audio: Fix memory leak in FTU quirk     (boo#916608).

  - ALSA: usb-audio: Fix device_del() sysfs warnings at     disconnect (boo#916608).

  - ALSA: hda - Add new GPU codec ID 0x10de0072 to snd-hda     (boo#916608).

  - ALSA: hda - Fix wrong gpio_dir & gpio_mask hint setups     for IDT/STAC codecs (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC298     (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC256     (boo#916608).

  - ALSA: hda/realtek - Add new Dell desktop for ALC3234     headset mode (boo#916608).

  - ALSA: hda - Add EAPD fixup for ASUS Z99He laptop     (boo#916608).

  - ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad     S210 (boo#916608).

  - ALSA: hda/realtek - Add headset Mic support for new Dell     machine (boo#916608).

  - ALSA: hda_intel: Add DeviceIDs for Sunrise Point-LP     (boo#916608).

  - ALSA: hda_intel: Add Device IDs for Intel Sunrise Point     PCH (boo#916608).

  - ALSA: hda - add codec ID for Braswell display audio     codec (boo#916608).

  - ALSA: hda - add PCI IDs for Intel Braswell (boo#916608).

  - ALSA: hda - Add dock support for Thinkpad T440     (17aa:2212) (boo#916608).

  - ALSA: hda - Set up GPIO for Toshiba Satellite S50D     (bnc#915858).

  - rpm/kernel-binary.spec.in: Fix build if there is no
    *.crt file

  - mm, vmscan: prevent kswapd livelock due to     pfmemalloc-throttled process being killed (VM     Functionality bnc#910150).

  - Input: evdev - fix EVIOCG{type} ioctl (bnc#904899).

  - mnt: Implicitly add MNT_NODEV on remount when it was     implicitly added by mount (bsc#907988).

  - Btrfs: fix scrub race leading to use-after-free     (bnc#915456).

  - Btrfs: fix setup_leaf_for_split() to avoid leaf     corruption (bnc#915454).

  - Btrfs: fix fsync log replay for inodes with a mix of     regular refs and extrefs (bnc#915425).

  - Btrfs: fix fsync when extend references are added to an     inode (bnc#915425).

  - Btrfs: fix directory inconsistency after fsync log     replay (bnc#915425).

  - Btrfs: make xattr replace operations atomic     (bnc#913466).

  - Btrfs: fix directory recovery from fsync log     (bnc#895797).

  - Btrfs: simplify insert_orphan_item (boo#926385).

  - Btrfs: set proper message level for skinny metadata.

  - Btrfs: make sure we wait on logged extents when fsycning     two subvols.

  - Btrfs: fix lost return value due to variable shadowing.

  - Btrfs: fix leak of path in btrfs_find_item.

  - Btrfs: fix fsync data loss after adding hard link to     inode.

  - Btrfs: fix fs corruption on transaction abort if device     supports discard.

  - Btrfs: fix data loss in the fast fsync path.

  - Btrfs: don't delay inode ref updates during log replay.

  - Btrfs: do not move em to modified list when unpinning.

  - Btrfs:__add_inode_ref: out of bounds memory read when     looking for extended ref.

  - Btrfs: fix inode eviction infinite loop after cloning     into it (boo#905088).

  - bcache: add mutex lock for bch_is_open (bnc#908612).

  - bcache: Correct printing of btree_gc_max_duration_ms     (bnc#908610).

  - bcache: fix crash with incomplete cache set     (bnc#908608).

  - bcache: fix memory corruption in init error path     (bnc#908606).

  - bcache: Fix more early shutdown bugs (bnc#908605).

  - bcache: fix use-after-free in btree_gc_coalesce()     (bnc#908604).

  - bcache: Fix an infinite loop in journal replay     (bnc#908603).

  - bcache: fix typo in bch_bkey_equal_header (bnc#908598).

  - bcache: Make sure to pass GFP_WAIT to mempool_alloc()     (bnc#908596).

  - bcache: fix crash on shutdown in passthrough mode     (bnc#908594).

  - bcache: fix lockdep warnings on shutdown (bnc#908593).

  - bcache allocator: send discards with correct size     (bnc#908592).

  - bcache: Fix to remove the rcu_sched stalls (bnc#908589).

  - bcache: Fix a journal replay bug (bnc#908588).

  - Update x86_64 config files: CONFIG_SENSORS_NCT6683=m The     nct6683 driver is already enabled on i386 and history     suggests that it not being enabled on x86_64 is by     mistake.

  - rpm/kernel-binary.spec.in: Own the modules directory in     the devel package (bnc#910322)

  - Revert 'iwlwifi: mvm: treat EAPOLs like mgmt frames wrt     rate' (bnc#900811).

  - mm: free compound page with correct order (bnc#913695).

  - drm/i915: More cautious with pch fifo underruns     (boo#907039).

  - Refresh patches.arch/arm64-0039-generic-pci.patch (fix     PCI bridge support)

  - x86/microcode/intel: Fish out the stashed microcode for     the BSP (bsc#903589).

  - x86, microcode: Reload microcode on resume (bsc#903589).

  - x86, microcode: Don't initialize microcode code on     paravirt (bsc#903589).

  - x86, microcode, intel: Drop unused parameter     (bsc#903589).

  - x86, microcode, AMD: Do not use smp_processor_id() in     preemtible context (bsc#903589).

  - x86, microcode: Update BSPs microcode on resume     (bsc#903589).

  - x86, microcode, AMD: Fix ucode patch stashing on 32-bit     (bsc#903589).

  - x86, microcode: Fix accessing dis_ucode_ldr on 32-bit     (bsc#903589).

  - x86, microcode, AMD: Fix early ucode loading on 32-bit     (bsc#903589).

  - Bluetooth: Add support for Broadcom BCM20702A0 variants     firmware download (bnc#911311).

  - drm/radeon: fix sad_count check for dce3 (bnc#911356).

  - drm/i915: Don't call intel_prepare_page_flip() multiple     times on gen2-4 (bnc#911835).

  - udf: Check component length before reading it.

  - udf: Check path length when reading symlink.

  - udf: Verify symlink size before loading it.

  - udf: Verify i_size when loading inode.

  - arm64: Enable DRM

  - arm64: Enable generic PHB driver (bnc#912061).

  - ACPI / video: Add some Samsung models to     disable_native_backlight list (boo#905681).

  - asus-nb-wmi: Add another wapf=4 quirk (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550VB     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the U32U (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CC     (boo#911438).

  - asus-nb-wmi: Constify asus_quirks DMI table     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CL     (boo#911438).

  - asus-nb-wmi.c: Rename x401u quirk to wapf4 (boo#911438).

  - asus-nb-wmi: Add ASUSTeK COMPUTER INC. X200CA     (boo#911438).

  - WAPF 4 for ASUSTeK COMPUTER INC. X75VBP WLAN ON     (boo#911438).

  - Input: synaptics - gate forcepad support by DMI check     (bnc#911578).

  - ext4: introduce aging to extent status tree     (bnc#893428).

  - ext4: cleanup flag definitions for extent status tree     (bnc#893428).

  - ext4: limit number of scanned extents in status tree     shrinker (bnc#893428).

  - ext4: move handling of list of shrinkable inodes into     extent status code (bnc#893428).

  - ext4: change LRU to round-robin in extent status tree     shrinker (bnc#893428).

  - ext4: cache extent hole in extent status tree for     ext4_da_map_blocks() (bnc#893428).

  - ext4: fix block reservation for bigalloc filesystems     (bnc#893428).

  - ext4: track extent status tree shrinker delay statictics     (bnc#893428).

  - ext4: improve extents status tree trace point     (bnc#893428).

  - rpm/kernel-binary.spec.in: Provide name-version-release     for kgraft packages (bnc#901925)

  - rpm/kernel-binary.spec.in: Fix including the secure boot     cert in /etc/uefi/certs

  - doc/README.SUSE: update Solid Driver team contacts

  - rpm/kernel-binary.spec.in: Do not sign firmware files     (bnc#867199)

  - Port module signing changes from SLE11-SP3 (fate#314508)

  - doc/README.PATCH-POLICY.SUSE: add patch policy / best     practices document after installation.

  - Update config files. (boo#925479) Do not set     CONFIG_SYSTEM_TRUSTED_KEYRING until we need it in future     openSUSE version: e.g. MODULE_SIG, IMA, PKCS7(new),     KEXEC_BZIMAGE_VERIFY_SIG(new)

  - Input: xpad - use proper endpoint type (bnc#926397).

  - md: don't require sync_min to be a multiple of     chunk_size (bnc#910500).

The 3.18.9 stable update contains a number of important fixes across the tree. Update to the latest stable upstream release, Linux v3.18.8.
Numerous fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream stable release, Linux v3.18.8. Numerous bugfixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
86702	RHEL 7 : kernel (RHSA-2015:1778)	Nessus	Red Hat Local Security Checks	high
86511	CentOS 7 : kernel (CESA-2015:1778)	Nessus	CentOS Local Security Checks	high
85980	RHEL 7 : kernel-rt (RHSA-2015:1788)	Nessus	Red Hat Local Security Checks	high
85979	RHEL 6 : kernel-rt (RHSA-2015:1787)	Nessus	Red Hat Local Security Checks	high
85960	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
85958	Oracle Linux 7 : kernel (ELSA-2015-1778)	Nessus	Oracle Linux Local Security Checks	high
84125	Ubuntu 15.04 : linux vulnerabilities (USN-2638-1)	Nessus	Ubuntu Local Security Checks	high
84124	Ubuntu 14.10 : linux vulnerabilities (USN-2637-1)	Nessus	Ubuntu Local Security Checks	medium
84123	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2636-1)	Nessus	Ubuntu Local Security Checks	high
84122	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2635-1)	Nessus	Ubuntu Local Security Checks	medium
82756	openSUSE Security Update : Linux Kernel (openSUSE-2015-302)	Nessus	SuSE Local Security Checks	critical
81863	Fedora 20 : kernel-3.18.9-100.fc20 (2015-3594)	Nessus	Fedora Local Security Checks	critical
81717	Fedora 21 : kernel-3.18.8-201.fc21 (2015-3011)	Nessus	Fedora Local Security Checks	critical

CVE-2015-0275

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins