http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=df4d92549f23e1c037e83323aff58a21b3de7fe0

openSUSE-SU-2015:1382

SUSE-SU-2015:1488

SUSE-SU-2015:1489

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.8

[oss-security] 20150203 Re: CVE request -- Linux kernel - net: DoS due to routing packets to too many different dsts/too fast

72435

1036763

USN-2545-1

USN-2546-1

USN-2562-1

USN-2563-1

https://bugzilla.redhat.com/show_bug.cgi?id=1183744

https://github.com/torvalds/linux/commit/df4d92549f23e1c037e83323aff58a21b3de7fe0

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka     GPU driver) for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, mishandles the     KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers     to gain privileges by leveraging accidental read-write     mappings, aka Qualcomm internal bug     CR988993.(CVE-2016-2067i1/4%0

  - Integer overflow in the mem_check_range function in     drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel     before 4.9.10 allows local users to cause a denial of     service (memory corruption), obtain sensitive     information from kernel memory, or possibly have     unspecified other impact via a write or read request     involving the 'RDMA protocol over infiniband' (aka Soft     RoCE) technology.(CVE-2016-8636i1/4%0

  - Heap-based buffer overflow in the     logi_dj_ll_raw_request function in     drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to     cause a denial of service (system crash) or possibly     execute arbitrary code via a crafted device that     specifies a large report size for an LED     report.(CVE-2014-3183i1/4%0

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2018-6927i1/4%0

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816i1/4%0

  - It was found that the blk_rq_map_user_iov() function in     the Linux kernel's block device implementation did not     properly restrict the type of iterator, which could     allow a local attacker to read or write to arbitrary     kernel memory locations or cause a denial of service     (use-after-free) by leveraging write access to a     /dev/sg device.(CVE-2016-9576i1/4%0

  - A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps 'rtnl_lock' spinlock for a very long time (up to     hour). This blocks many network-related operations,     including creation of new incoming ssh connections.The     problem is especially important for containers, as the     container owner has enough permissions to trigger this     and block a network access on a whole host, outside the     container.(CVE-2016-3156i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924i1/4%0

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728i1/4%0

  - net/ipv6/ip6_output.c in the Linux kernel through     3.11.4 does not properly determine the need for UDP     Fragmentation Offload (UFO) processing of small packets     after the UFO queueing of a large packet, which allows     remote attackers to cause a denial of service (memory     corruption and system crash) or possibly have     unspecified other impact via network traffic that     triggers a large response packet.(CVE-2013-4387i1/4%0

  - It was found that nfsd is missing permissions check     when setting ACL on files, this may allow a local users     to gain access to any file by setting a crafted     ACL.(CVE-2016-1237i1/4%0

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270i1/4%0

  - An issue was discovered in the Linux kernel where an     integer overflow in kernel/time/posix-timers.c in the     POSIX timer code is caused by the way the overrun     accounting works. Depending on interval and expiry time     values, the overrun can be larger than INT_MAX, but the     accounting is int based. This basically makes the     accounting values, which are visible to user space via     timer_getoverrun(2) and siginfo::si_overrun,     random.(CVE-2018-12896i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0

  - The netfilter subsystem in the Linux kernel through     4.15.7 mishandles the case of a rule blob that contains     a jump but lacks a user-defined chain, which allows     local users to cause a denial of service (NULL pointer     dereference) by leveraging the CAP_NET_RAW or     CAP_NET_ADMIN capability, related to arpt_do_table in     net/ipv4/netfilter/arp_tables.c, ipt_do_table in     net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in     net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0

  - The use of a kzalloc with an integer multiplication     allowed an integer overflow condition to be reached in     vfio_pci_intrs.c. This combined with CVE-2016-9083 may     allow an attacker to craft an attack and use     unallocated memory, potentially crashing the     machine.(CVE-2016-9084i1/4%0

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138i1/4%0

  - It was discovered that root can gain direct access to     an internal keyring, such as '.dns_resolver' in RHEL-7     or '.builtin_trusted_keys' upstream, by joining it as     its session keyring. This allows root to bypass module     signature verification by adding a new public key of     its own devising to the keyring.(CVE-2016-9604i1/4%0

  - An information leak flaw was found in the Linux     kernel's IEEE 802.11 wireless networking     implementation. When software encryption was used, a     remote attacker could use this flaw to leak up to 8     bytes of plaintext.(CVE-2014-8709i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size i1/4z block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - An integer overflow flaw was found in the way the Linux     kernel randomized the stack for processes on certain     64-bit architecture systems, such as x86-64, causing     the stack entropy to be reduced by four.(CVE-2015-1593)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[2.6.39-400.298.1.el6uek]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei)   [Orabug: 23320090]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)  [Orabug: 25102637]
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)  [Orabug: 25102637]
- RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu)  [Orabug: 25440316]
- ping: implement proper locking (Eric Dumazet)  [Orabug: 26540288] {CVE-2017-2671}
- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers)  [Orabug: 26592013]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 26675934]  {CVE-2017-7889}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das)  [Orabug: 26797307]
- xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058559]
- more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069045] {CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh)  [Orabug: 27069045]  {CVE-2017-12190}
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli)  [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren)  [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren)  [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974]  {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007]  {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643601] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman)  [Orabug: 26643601]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo)  [Orabug: 26643601]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han)  [Orabug: 26643652]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889]  {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148]  {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675148] {CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab)  [Orabug: 26675148]  {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart)  [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long)  [Orabug: 26988628]  {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 26643562]  {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca)  [Orabug: 27011278]  {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453]  {CVE-2017-1000111}
- mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay)  [Orabug: 26867355]
- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky)  [Orabug: 26867355]
- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson)   [Orabug: 26870958]  {CVE-2017-1000253}
- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri)  [Orabug: 26796428]  {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645562] {CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 26638926]  {CVE-2017-1000365} {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault)  [Orabug: 26586050]  {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik)  [Orabug: 26586024]  {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells)  [Orabug: 26586002]  {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202]  {CVE-2017-9242}
- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485]
- RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker)  [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914]  {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors (Jan Kara)  [Orabug: 25905722]  {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik)  [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana)  [Orabug: 25948102]  {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro)  [Orabug: 25948149]  {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin)  [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa)  [Orabug: 26032377]  {CVE-2015-1465}
- mm: larger stack guard gap, between vmas (Hugh Dickins)  [Orabug: 26326145]  {CVE-2017-1000364}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024]  {CVE-2017-7645}
- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka)  [Orabug: 25645229]
- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall)  [Orabug: 25795530]
- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin)  [Orabug: 25955028]

Description of changes:

[2.6.39-400.297.5.el6uek]
- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] - RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker)  [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914]  {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors (Jan Kara)  [Orabug: 25905722]  {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik)  [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana)  [Orabug: 25948102]  {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro)  [Orabug: 25948149]  {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin)  [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa)  [Orabug: 26032377]  {CVE-2015-1465}

The openSUSE 13.2 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-3290: A flaw was found in the way the Linux     kernels nested NMI handler and espfix64 functionalities     interacted during NMI processing. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the system.

  - CVE-2015-3212: A race condition flaw was found in the     way the Linux kernels SCTP implementation handled     Address Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a socket.

  - CVE-2015-5364: A remote denial of service (hang) via UDP     flood with incorrect package checksums was fixed.
    (bsc#936831).

  - CVE-2015-5366: A remote denial of service (unexpected     error returns) via UDP flood with incorrect package     checksums was fixed. (bsc#936831).

  - CVE-2015-4700: A local user could have created a bad     instruction in the JIT processed BPF code, leading to a     kernel crash (bnc#935705).

  - CVE-2015-1420: Race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel allowed     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function (bnc#915517).

  - CVE-2015-4692: The kvm_apic_has_events function in     arch/x86/kvm/lapic.h in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by leveraging /dev/kvm access     for an ioctl call (bnc#935542).

  - CVE-2015-4167 CVE-2014-9728 CVE-2014-9730 CVE-2014-9729     CVE-2014-9731: Various problems in the UDF filesystem     were fixed that could lead to crashes when mounting     prepared udf filesystems.

  - CVE-2015-4002: drivers/staging/ozwpan/ozusbsvc1.c in the     OZWPAN driver in the Linux kernel did not ensure that     certain length values are sufficiently large, which     allowed remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data functions     (bnc#933934).

  - CVE-2015-4003: The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel allowed remote attackers to cause a     denial of service (divide-by-zero error and system     crash) via a crafted packet (bnc#933934).

  - CVE-2015-4001: Integer signedness error in the     oz_hcd_get_desc_cnf function in     drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in     the Linux kernel allowed remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a crafted packet (bnc#933934).

  - CVE-2015-4036: A potential memory corruption in     vhost/scsi was fixed.

  - CVE-2015-2922: The ndisc_router_discovery function in     net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol     implementation in the IPv6 stack in the Linux kernel     allowed remote attackers to reconfigure a hop-limit     setting via a small hop_limit value in a Router     Advertisement (RA) message (bnc#922583).

  - CVE-2015-3636: It was found that the Linux kernels ping     socket implementation did not properly handle socket     unhashing during spurious disconnects, which could lead     to a use-after-free flaw. On x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to crash the system. On non-x86-64     architecture systems, a local user able to create ping     sockets could use this flaw to escalate their privileges     on the system.

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel used an incorrect data type in a sysctl table,     which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bnc#919007).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped.

  - CVE-2015-1465: The IPv4 implementation in the Linux     kernel did not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allowed remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of packets     (bnc#916225).

The following non-security bugs were fixed :

  - ALSA: ak411x: Fix stall in work callback (boo#934755).

  - ALSA: emu10k1: Emu10k2 32 bit DMA mode (boo#934755).

  - ALSA: emu10k1: Fix card shortname string buffer overflow     (boo#934755).

  - ALSA: emu10k1: do not deadlock in proc-functions     (boo#934755).

  - ALSA: emux: Fix mutex deadlock at unloading     (boo#934755).

  - ALSA: emux: Fix mutex deadlock in OSS emulation     (boo#934755).

  - ALSA: hda - Add AZX_DCAPS_SNOOP_OFF (and refactor snoop     setup) (boo#934755).

  - ALSA: hda - Add Conexant codecs CX20721, CX20722,     CX20723 and CX20724 (boo#934755).

  - ALSA: hda - Add common pin macros for ALC269 family     (boo#934755).

  - ALSA: hda - Add dock support for ThinkPad X250     (17aa:2226) (boo#934755).

  - ALSA: hda - Add dock support for Thinkpad T450s     (17aa:5036) (boo#934755).

  - ALSA: hda - Add headphone quirk for Lifebook E752     (boo#934755).

  - ALSA: hda - Add headset mic quirk for Dell Inspiron 5548     (boo#934755).

  - ALSA: hda - Add mute-LED mode control to Thinkpad     (boo#934755).

  - ALSA: hda - Add one more node in the EAPD supporting     candidate list (boo#934755).

  - ALSA: hda - Add pin configs for ASUS mobo with IDT     92HD73XX codec (boo#934755).

  - ALSA: hda - Add ultra dock support for Thinkpad X240     (boo#934755).

  - ALSA: hda - Add workaround for CMI8888 snoop behavior     (boo#934755).

  - ALSA: hda - Add workaround for MacBook Air 5,2 built-in     mic (boo#934755).

  - ALSA: hda - Disable runtime PM for Panther Point again     (boo#934755).

  - ALSA: hda - Do not access stereo amps for mono channel     widgets (boo#934755).

  - ALSA: hda - Fix Dock Headphone on Thinkpad X250 seen as     a Line Out (boo#934755).

  - ALSA: hda - Fix headphone pin config for Lifebook T731     (boo#934755).

  - ALSA: hda - Fix noise on AMD radeon 290x controller     (boo#934755).

  - ALSA: hda - Fix probing and stuttering on CMI8888     HD-audio controller (boo#934755).

  - ALSA: hda - One more Dell macine needs     DELL1_MIC_NO_PRESENCE quirk (boo#934755).

  - ALSA: hda - One more HP machine needs to change mute led     quirk (boo#934755).

  - ALSA: hda - Set GPIO 4 low for a few HP machines     (boo#934755).

  - ALSA: hda - Set single_adc_amp flag for CS420x codecs     (boo#934755).

  - ALSA: hda - Treat stereo-to-mono mix properly     (boo#934755).

  - ALSA: hda - change three SSID quirks to one pin quirk     (boo#934755).

  - ALSA: hda - fix 'num_steps = 0' error on ALC256     (boo#934755).

  - ALSA: hda - fix a typo by changing mute_led_nid to     cap_mute_led_nid (boo#934755).

  - ALSA: hda - fix headset mic detection problem for one     more machine (boo#934755).

  - ALSA: hda - fix mute led problem for three HP laptops     (boo#934755).

  - ALSA: hda - set proper caps for newer AMD hda audio in     KB/KV (boo#934755).

  - ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450     (boo#934755).

  - ALSA: hda/realtek - Add a fixup for another Acer Aspire     9420 (boo#934755).

  - ALSA: hda/realtek - Enable the ALC292 dock fixup on the     Thinkpad T450 (boo#934755).

  - ALSA: hda/realtek - Fix Headphone Mic does not recording     for ALC256 (boo#934755).

  - ALSA: hda/realtek - Make more stable to get pin sense     for ALC283 (boo#934755).

  - ALSA: hda/realtek - Support Dell headset mode for ALC256     (boo#934755).

  - ALSA: hda/realtek - Support HP mute led for output and     input (boo#934755).

  - ALSA: hda/realtek - move HP_LINE1_MIC1_LED quirk for     alc282 (boo#934755).

  - ALSA: hda/realtek - move HP_MUTE_LED_MIC1 quirk for     alc282 (boo#934755).

  - ALSA: hdspm - Constrain periods to 2 on older cards     (boo#934755).

  - ALSA: pcm: Do not leave PREPARED state after draining     (boo#934755).

  - ALSA: snd-usb: add quirks for Roland UA-22 (boo#934755).

  - ALSA: usb - Creative USB X-Fi Pro SB1095 volume knob     support (boo#934755).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Quickcam Fusion (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam HD-3000     (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam Studio     (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Lifecam HD-5000     sample rate (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Microsoft Lifecam     Cinema sample rate (boo#934755).

  - ALSA: usb-audio: add MAYA44 USB+ mixer control names     (boo#934755).

  - ALSA: usb-audio: do not try to get Benchmark DAC1 sample     rate (boo#934755).

  - ALSA: usb-audio: do not try to get Outlaw RR2150 sample     rate (boo#934755).

  - ALSA: usb-audio: fix missing input volume controls in     MAYA44 USB(+) (boo#934755).

  - Automatically Provide/Obsolete all subpackages of old     flavors (bnc#925567)

  - Fix kABI for ak411x structs (boo#934755).

  - Fix kABI for snd_emu10k1 struct (boo#934755).

  - HID: add ALWAYS_POLL quirk for a Logitech 0xc007     (bnc#929624).

  - HID: add HP OEM mouse to quirk ALWAYS_POLL (bnc#929624).

  - HID: add quirk for PIXART OEM mouse used by HP     (bnc#929624).

  - HID: usbhid: add always-poll quirk (bnc#929624).

  - HID: usbhid: add another mouse that needs     QUIRK_ALWAYS_POLL (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 009b (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 0103 (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 016f (bnc#929624).

  - HID: usbhid: fix PIXART optical mouse (bnc#929624).

  - HID: usbhid: more mice with ALWAYS_POLL (bnc#929624).

  - HID: usbhid: yet another mouse with ALWAYS_POLL     (bnc#929624).

  - HID: yet another buggy ELAN touchscreen (bnc#929624).

  - Input: synaptics - handle spurious release of trackstick     buttons (bnc#928693).

  - Input: synaptics - re-route tracksticks buttons on the     Lenovo 2015 series (bnc#928693).

  - Input: synaptics - remove TOPBUTTONPAD property for     Lenovos 2015 (bnc#928693).

  - Input: synaptics - retrieve the extended capabilities in     query $10 (bnc#928693).

  - NFSv4: When returning a delegation, do not reclaim an     incompatible open mode (bnc#934202).

  - Refresh patches.xen/xen-blkfront-indirect (bsc#922235).

  - Update config files: extend CONFIG_DPM_WATCHDOG_TIMEOUT     to 60 (bnc#934397)

  - arm64: mm: Remove hack in mmap randomized layout Fix     commit id and mainlined information

  - bnx2x: Fix kdump when iommu=on (bug#921769).

  - client MUST ignore EncryptionKeyLength if     CAP_EXTENDED_SECURITY is set (bnc#932348).

  - config/armv7hl: Disable AMD_XGBE_PHY The AMD XGBE     ethernet chip is only used on ARM64 systems.

  - config: disable XGBE on non-ARM hardware It is     documented as being present only on AMD SoCs.

  - cpufreq: fix a NULL pointer dereference in
    __cpufreq_governor() (bsc#924664).

  - drm/i915/bdw: PCI IDs ending in 0xb are ULT     (boo#935913).

  - drm/i915/chv: Remove Wait for a previous gfx force-off     (boo#935913).

  - drm/i915/dp: only use training pattern 3 on platforms     that support it (boo#935913).

  - drm/i915/dp: there is no audio on port A (boo#935913).

  - drm/i915/hsw: Fix workaround for server AUX channel     clock divisor (boo#935913).

  - drm/i915/vlv: remove wait for previous GFX clk disable     request (boo#935913).

  - drm/i915/vlv: save/restore the power context base reg     (boo#935913).

  - drm/i915: Add missing MacBook Pro models with dual     channel LVDS (boo#935913).

  - drm/i915: BDW Fix Halo PCI IDs marked as ULT     (boo#935913).

  - drm/i915: Ban Haswell from using RCS flips (boo#935913).

  - drm/i915: Check obj->vma_list under the struct_mutex     (boo#935913).

  - drm/i915: Correct the IOSF Dev_FN field for IOSF     transfers (boo#935913).

  - drm/i915: Dell Chromebook 11 has PWM backlight     (boo#935913).

  - drm/i915: Disable caches for Global GTT (boo#935913).

  - drm/i915: Do a dummy DPCD read before the actual read     (bnc#907714).

  - drm/i915: Do not complain about stolen conflicts on gen3     (boo#935913).

  - drm/i915: Do not leak pages when freeing userptr objects     (boo#935913).

  - drm/i915: Dont enable CS_PARSER_ERROR interrupts at all     (boo#935913).

  - drm/i915: Evict CS TLBs between batches (boo#935913).

  - drm/i915: Fix DDC probe for passive adapters     (boo#935913).

  - drm/i915: Fix and clean BDW PCH identification     (boo#935913).

  - drm/i915: Force the CS stall for invalidate flushes     (boo#935913).

  - drm/i915: Handle failure to kick out a conflicting fb     driver (boo#935913).

  - drm/i915: Ignore SURFLIVE and flip counter when the GPU     gets reset (boo#935913).

  - drm/i915: Ignore VBT backlight check on Macbook 2, 1     (boo#935913).

  - drm/i915: Invalidate media caches on gen7 (boo#935913).

  - drm/i915: Kick fbdev before vgacon (boo#935913).

  - drm/i915: Only fence tiled region of object     (boo#935913).

  - drm/i915: Only warn the first time we attempt to mmio     whilst suspended (boo#935913).

  - drm/i915: Unlock panel even when LVDS is disabled     (boo#935913).

  - drm/i915: Use IS_HSW_ULT() in a HSW specific code path     (boo#935913).

  - drm/i915: cope with large i2c transfers (boo#935913).

  - drm/i915: do not warn if backlight unexpectedly enabled     (boo#935913).

  - drm/i915: drop WaSetupGtModeTdRowDispatch:snb     (boo#935913).

  - drm/i915: save/restore GMBUS freq across suspend/resume     on gen4 (boo#935913).

  - drm/i915: vlv: fix IRQ masking when uninstalling     interrupts (boo#935913).

  - drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg     (boo#935913).

  - drm/radeon: retry dcpd fetch (bnc#931580).

  - ftrace/x86/xen: use kernel identity mapping only when     really needed (bsc#873195, bsc#886272, bsc#903727,     bsc#927725)

  - guards: Add support for an external filelist in --check     mode This will allow us to run --check without a     kernel-source.git work tree.

  - guards: Include the file name also in the 'Not found'     error

  - guards: Simplify help text

  - hyperv: Add processing of MTU reduced by the host     (bnc#919596).

  - ideapad_laptop: Lenovo G50-30 fix rfkill reports     wireless blocked (boo#939394).

  - ipv6: do not delete previously existing ECMP routes if     add fails (bsc#930399).

  - ipv6: fix ECMP route replacement (bsc#930399).

  - ipv6: replacing a rt6_info needs to purge possible     propagated rt6_infos too (bsc#930399).

  - kABI: protect linux/slab.h include in of/address.

  - kabi/severities: ignore already-broken but acceptable     kABI changes - SYSTEM_TRUSTED_KEYRING=n change removed     system_trusted_keyring - Commits 3688875f852 and     ea5ed8c70e9 changed iov_iter_get_pages prototype - KVM     changes are intermodule dependencies

  - kabi: Fix CRC for dma_get_required_mask.

  - kabi: add kABI reference files

  - libata: Blacklist queued TRIM on Samsung SSD 850 Pro     (bsc#926156).

  - libata: Blacklist queued TRIM on all Samsung 800-series     (bnc#930599).

  - net: ppp: Do not call bpf_prog_create() in ppp_lock     (bnc#930488).

  - rpm/kernel-obs-qa.spec.in: Do not fail if the kernel     versions do not match

  - rt2x00: do not align payload on modern H/W (bnc#932844).

  - rtlwifi: rtl8192cu: Fix kernel deadlock (bnc#927786).

  - thermal: step_wise: Revert optimization (boo#925961).

  - tty: Fix pty master poll() after slave closes v2     (bsc#937138). arm64: mm: Remove hack in mmap randomize     layout (bsc#937033)

  - udf: Remove repeated loads blocksize (bsc#933907).

  - usb: core: Fix USB 3.0 devices lost in NOTATTACHED state     after a hub port reset (bnc#937226).

  - x86, apic: Handle a bad TSC more gracefully     (boo#935530).

  - x86/PCI: Use host bridge _CRS info on Foxconn     K8M890-8237A (bnc#907092).

  - x86/PCI: Use host bridge _CRS info on systems with >32     bit addressing (bnc#907092).

  - x86/microcode/amd: Do not overwrite final patch levels     (bsc#913996).

  - x86/microcode/amd: Extract current patch level read to a     function (bsc#913996).

  - x86/mm: Improve AMD Bulldozer ASLR workaround     (bsc#937032).

  - xenbus: add proper handling of XS_ERROR from Xenbus for     transactions.

  - xhci: Calculate old endpoints correctly on device reset     (bnc#938976).

The SUSE Linux Enterprise 12 kernel was updated to version 3.12.43 to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM     subsystem in the Linux kernel through 3.17.2 did not     properly perform RIP changes, which allowed guest OS     users to cause a denial of service (guest OS crash) via     a crafted application (bsc#899192).

  - CVE-2014-8086: Race condition in the     ext4_file_write_iter function in fs/ext4/file.c in the     Linux kernel through 3.17 allowed local users to cause a     denial of service (file unavailability) via a     combination of a write action and an F_SETFL fcntl     operation for the O_DIRECT flag (bsc#900881).

  - CVE-2014-8159: The InfiniBand (IB) implementation did     not properly restrict use of User Verbs for registration     of memory regions, which allowed local users to access     arbitrary physical memory locations, and consequently     cause a denial of service (system crash) or gain     privileges, by leveraging permissions on a uverbs device     under /dev/infiniband/ (bsc#914742).

  - CVE-2015-1465: The IPv4 implementation in the Linux     kernel before 3.18.8 did not properly consider the     length of the Read-Copy Update (RCU) grace period for     redirecting lookups in the absence of caching, which     allowed remote attackers to cause a denial of service     (memory consumption or system crash) via a flood of     packets (bsc#916225).

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel before 3.19 used an incorrect data type in a     sysctl table, which allowed local users to obtain     potentially sensitive information from kernel memory or     possibly have unspecified other impact by accessing a     sysctl entry (bsc#919007).

  - CVE-2015-2042: net/rds/sysctl.c in the Linux kernel     before 3.19 used an incorrect data type in a sysctl     table, which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bsc#919018).

  - CVE-2015-2666: Fixed a flaw that allowed crafted     microcode to overflow the kernel stack (bsc#922944).

  - CVE-2015-2830: Fixed int80 fork from 64-bit tasks     mishandling (bsc#926240).

  - CVE-2015-2922: Fixed possible denial of service (DoS)     attack against IPv6 network stacks due to improper     handling of Router Advertisements (bsc#922583).

  - CVE-2015-3331: Fixed buffer overruns in RFC4106     implementation using AESNI (bsc#927257).

  - CVE-2015-3332: Fixed TCP Fast Open local DoS     (bsc#928135).

  - CVE-2015-3339: Fixed race condition flaw between the     chown() and execve() system calls which could have lead     to local privilege escalation (bsc#928130).

  - CVE-2015-3636: Fixed use-after-free in ping sockets     which could have lead to local privilege escalation     (bsc#929525).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Sun Baoliang discovered a use after free flaw in the Linux kernel's SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system. (CVE-2015-1421)

Marcelo Leitner discovered a flaw in the Linux kernel's routing of packets to too many different dsts/too fast. A remote attacker can exploit this flaw to cause a denial of service (system crash).
(CVE-2015-1465)

An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel's handling of userspace configuration of the link layer control (LLC). A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting the Reliable Datagram Sockets (RDS) settings. A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2042).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in the automatic loading of modules in the crypto subsystem of the Linux kernel. A local user could exploit this flaw to load installed kernel modules, increasing the attack surface and potentially using this to gain administrative privileges.
(CVE-2013-7421)

A flaw was discovered in the crypto subsystem when screening module names for automatic module loading if the name contained a valid crypto module name, eg. vfat(aes). A local user could exploit this flaw to load installed kernel modules, increasing the attack surface and potentially using this to gain administrative privileges.
(CVE-2014-9644)

Sun Baoliang discovered a use after free flaw in the Linux kernel's SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system. (CVE-2015-1421)

Marcelo Leitner discovered a flaw in the Linux kernel's routing of packets to too many different dsts/too fast. A remote attacker can exploit this flaw to cause a denial of service (system crash).
(CVE-2015-1465).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update should fix the adjtimex issues seen on 32bit systems with 3.18.5-100 The 3.18.5 stable update contains a number of important fixes across the tree. The 3.18.4 stable update contains a number new features and drivers as well as several important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update should fix the adjtimex issues seen on 32bit systems with 3.18.5-200 The 3.18.5 stable update contains a number of important fixes across the tree. The 3.18.4 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124975	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1522)	Nessus	Huawei Local Security Checks	high
124809	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1485)	Nessus	Huawei Local Security Checks	critical
105145	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
102061	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3597)	Nessus	Oracle Linux Local Security Checks	high
85432	openSUSE Security Update : the Linux Kernel (openSUSE-2015-543)	Nessus	SuSE Local Security Checks	high
84227	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2015:1071-1)	Nessus	SuSE Local Security Checks	high
82662	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2563-1)	Nessus	Ubuntu Local Security Checks	critical
82661	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2562-1)	Nessus	Ubuntu Local Security Checks	critical
82073	Ubuntu 14.10 : linux vulnerabilities (USN-2546-1)	Nessus	Ubuntu Local Security Checks	critical
82072	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2545-1)	Nessus	Ubuntu Local Security Checks	critical
81219	Fedora 20 : kernel-3.18.5-101.fc20 (2015-1672)	Nessus	Fedora Local Security Checks	high
81192	Fedora 21 : kernel-3.18.5-201.fc21 (2015-1657)	Nessus	Fedora Local Security Checks	high

CVE-2015-1465

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins