http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db27ebb111e9f69efece08e4cb6a34ff980f8896

SUSE-SU-2015:1478

DSA-3237

[oss-security] 20150220 CVE-2015-2042 - Linux kernel - incorrect data type in rds_sysctl_rds_table

72730

USN-2560-1

USN-2561-1

USN-2562-1

USN-2563-1

USN-2564-1

USN-2565-1

https://bugzilla.redhat.com/show_bug.cgi?id=1195355

https://github.com/torvalds/linux/commit/db27ebb111e9f69efece08e4cb6a34ff980f8896

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - net/llc/sysctl_net_llc.c in the Linux kernel before 3.19     uses an incorrect data type in a sysctl table, which     allows local users to obtain potentially sensitive     information from kernel memory or possibly have     unspecified other impact by accessing a sysctl entry.
    (CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses an     incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry. (CVE-2015-2042)

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service (out-of-     bounds access) or possibly have unspecified other impact     by sending a XFRM_MSG_MIGRATE netlink message. This flaw     is present in the Linux kernel since an introduction of     XFRM_MSG_MIGRATE in 2.6.21-rc1, up to 4.13-rc3.
    (CVE-2017-11600)

  - A flaw was found in the Linux kernel's skcipher     component, which affects the skcipher_recvmsg function.
    Attackers using a specific input can lead to a privilege     escalation. (CVE-2017-13215)

  - The Linux kernel is vulerable to a use-after-free flaw     when Transformation User configuration     interface(CONFIG_XFRM_USER) compile-time configuration     were enabled. This vulnerability occurs while closing a     xfrm netlink socket in xfrm_dump_policy_done. A     user/process could abuse this flaw to potentially     escalate their privileges on a system. (CVE-2017-16939)

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allows attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call. An     unprivileged local user could use this flaw to induce     kernel memory corruption on the system, leading to a     crash. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2017-8890)

  - An address corruption flaw was discovered in the Linux     kernel built with hardware breakpoint     (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a     h/w breakpoint via 'modify_user_hw_breakpoint' routine,     an unprivileged user/process could use this flaw to     crash the system kernel resulting in DoS OR to     potentially escalate privileges on a the system.
    (CVE-2018-1000199)

  - The do_get_mempolicy() function in mm/mempolicy.c in the     Linux kernel allows local users to hit a use-after-free     bug via crafted system calls and thus cause a denial of     service (DoS) or possibly have unspecified other impact.
    Due to the nature of the flaw, privilege escalation     cannot be fully ruled out. (CVE-2018-10675)

  - A flaw was found in the Linux kernel's implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory. (CVE-2018-1068)

  - A Floating Point Unit (FPU) state information leakage     flaw was found in the way the Linux kernel saved and     restored the FPU state during task switch. Linux kernels     that follow the Lazy FPU Restore scheme are vulnerable     to the FPU state information leakage issue. An     unprivileged local attacker could use this flaw to read     FPU state bits by conducting targeted cache side-channel     attacks, similar to the Meltdown vulnerability disclosed     earlier this year. (CVE-2018-3665)

  - A flaw was found in the way the Linux kernel handled     exceptions delivered after a stack switch operation via     Mov SS or Pop SS instructions. During the stack switch     operation, the processor did not deliver interrupts and     exceptions, rather they are delivered once the first     instruction after the stack switch is executed. An     unprivileged system user could use this flaw to crash     the system kernel resulting in the denial of service.
    (CVE-2018-8897)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The IPv6 SCTP implementation in net/sctp/ipv6.c in the     Linux kernel through 3.11.1 uses data structures and     function calls that do not trigger an intended     configuration of IPsec encryption, which allows remote     attackers to obtain sensitive information by sniffing     the network.(CVE-2013-4350i1/4%0

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel allows local users to cause a denial of service     (stack-based buffer overflow) or possibly have     unspecified other impacts via a large command size in     an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds     write access in the sg_write function.(CVE-2017-7187i1/4%0

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection     fault).(CVE-2019-3701i1/4%0

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses     an incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry.(CVE-2015-2042i1/4%0

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allows attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call. An     unprivileged local user could use this flaw to induce     kernel memory corruption on the system, leading to a     crash. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-8890i1/4%0

  - The overlayfs implementation in the linux (aka Linux     kernel) package before 3.19.0-21.21 in Ubuntu through     15.04 does not properly check permissions for file     creation in the upper filesystem directory, which     allows local users to obtain root access by leveraging     a configuration in which overlayfs is permitted in an     arbitrary mount namespace.(CVE-2015-1328i1/4%0

  - The xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.16.3 allows local users to cause a denial of     service (xfs_ilock_attr_map_shared invalid pointer     dereference) via a crafted xfs image.(CVE-2018-10322i1/4%0

  - In the flush_tmregs_to_thread function in     arch/powerpc/kernel/ptrace.c in the Linux kernel before     4.13.5, a guest kernel crash can be triggered from     unprivileged userspace during a core dump on a POWER     host due to a missing processor feature check and an     erroneous use of transactional memory (TM) instructions     in the core dump path, leading to a denial of     service.(CVE-2018-1091i1/4%0

  - ** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in     the Linux kernel before 4.16 allows local users to     cause a denial of service (ata qc leak) by triggering     certain failure conditions. NOTE: a third party     disputes the relevance of this report because the     failure can only occur for physically proximate     attackers who unplug SAS Host Bus Adapter     cables.(CVE-2018-10021i1/4%0

  - A use-after-free flaw was discovered in the Linux     kernel's tty subsystem, which allows for the disclosure     of uncontrolled memory location and possible kernel     panic. The information leak is caused by a race     condition when attempting to set and read the tty line     discipline. A local attacker could use the TIOCSETD     (via tty_set_ldisc ) to switch to a new line discipline     a concurrent call to a TIOCGETD ioctl performing a read     on a given tty could then access previously allocated     memory. Up to 4 bytes could be leaked when querying the     line discipline or the kernel could panic with a     NULL-pointer dereference.(CVE-2016-0723i1/4%0

  - An out-of-bounds read flaw was found in the way the     Logitech Unifying receiver driver handled HID reports     with an invalid device_index value. An attacker with     physical access to the system could use this flaw to     crash the system or, potentially, escalate their     privileges on the system.(CVE-2014-3182i1/4%0

  - arch/x86/kvm/emulate.c in the Linux kernel through     4.9.3 allows local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt.(CVE-2017-2584i1/4%0

  - A flaw was found in the way the Linux kernel handled     IRET faults during the processing of NMIs. An     unprivileged, local user could use this flaw to crash     the system or, potentially (although highly unlikely),     escalate their privileges on the     system.(CVE-2015-5157i1/4%0

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895i1/4%0

  - A use-after-free vulnerability in sys_ioprio_get() was     found due to get_task_ioprio() accessing the     task-i1/4zio_context without holding the task lock and     could potentially race with exit_io_context(), leading     to a use-after-free.(CVE-2016-7911i1/4%0

  - A flaw was found in the Linux kernel which is related     to the user namespace lazily unmounting file systems.
    The fs_pin struct has two members (m_list and s_list)     which are usually initialized on use in the     pin_insert_group function. However, these members might     go unmodified in this case, the system panics when it     attempts to destroy or free them. This flaw could be     used to launch a denial-of-service     attack.(CVE-2015-4178i1/4%0

  - A flaw was found in the Linux kernel's implementation     of raw_sendmsg allowing a local attacker to panic the     kernel or possibly leak kernel addresses. A local     attacker, with the privilege of creating raw sockets,     can abuse a possible race condition when setting the     socket option to allow the kernel to automatically     create ip header values and thus potentially escalate     their privileges.(CVE-2017-17712i1/4%0

  - A flaw was discovered in the F2FS filesystem code in     fs/f2fs/super.c in the Linux kernel. A denial of     service, due to an out-of-bounds memory access, can     occur upon encountering an abnormal bitmap size when     mounting a crafted f2fs image.(CVE-2018-13096i1/4%0

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's madvise MADV_WILLNEED functionality     handled page table locking. A local, unprivileged user     could use this flaw to crash the     system.(CVE-2014-8173i1/4%0

  - An out-of-bounds heap memory access leading to a Denial     of Service, heap disclosure, or further impact was     found in setsockopt(). The function call is normally     restricted to root, however some processes with     cap_sys_admin may also be able to trigger this flaw in     privileged container environments.(CVE-2016-4998i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that the Linux kernel's implementation of     vectored pipe read and write functionality did not take     into account the I/O vectors that were already     processed when retrying after a failed atomic access     operation, potentially resulting in memory corruption     due to an I/O vector array overrun. A local,     unprivileged user could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-1805)

  - net/llc/sysctl_net_llc.c in the Linux kernel before     3.19 uses an incorrect data type in a sysctl table,     which allows local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry.(CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses     an incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry.(CVE-2015-2042)

  - Xen 3.3.x through 4.5.x and the Linux kernel through     3.19.1 do not properly restrict access to PCI command     registers, which might allow local guest OS users to     cause a denial of service (non-maskable interrupt and     host crash) by disabling the (1) memory or (2) I/O     decoding for a PCI Express device and then accessing     the device, which triggers an Unsupported Request (UR)     response.(CVE-2015-2150)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672)

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830)

  - It was found that the Linux kernel's TCP/IP protocol     suite implementation for IPv6 allowed the Hop Limit     value to be set to a smaller value than the default     one. An attacker on a local network could use this flaw     to prevent systems on that network from sending or     receiving network packets.(CVE-2015-2922)

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212)

  - mm/memory.c in the Linux kernel before 4.1.4 mishandles     anonymous pages, which allows local users to gain     privileges or cause a denial of service (page tainting)     via a crafted application that triggers writing to page     zero.(CVE-2015-3288)

  - A flaw was found in the way the Linux kernel's nested     NMI handler and espfix64 functionalities interacted     during NMI processing. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the system.(CVE-2015-3290)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - A buffer overflow flaw was found in the way the Linux     kernel's Intel AES-NI instructions optimized version of     the RFC4106 GCM mode decryption functionality handled     fragmented packets. A remote attacker could use this     flaw to crash, or potentially escalate their privileges     on, a system over a connection with an active AES-GCM     mode IPSec security association.(CVE-2015-3331)

  - A race condition flaw was found between the chown and     execve system calls. When changing the owner of a     setuid user binary to root, the race condition could     momentarily make the binary setuid root. A local,     unprivileged user could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-3339)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - An inode data validation error was found in Linux     kernels built with UDF file system (CONFIG_UDF_FS)     support. An attacker able to mount a     corrupted/malicious UDF file system image could cause     the kernel to crash.(CVE-2015-4167)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - A flaw was discovered in the kernel's collect_mounts     function. If the kernel's audit subsystem called     collect_mounts to audit an unmounted path, it could     panic the system. With this flaw, an unprivileged user     could call umount(MNT_DETACH) to launch a     denial-of-service attack.(CVE-2015-4177)

  - A DoS flaw was found for a Linux kernel built for the     x86 architecture which had the KVM virtualization     support(CONFIG_KVM) enabled. The kernel would be     vulnerable to a NULL pointer dereference flaw in Linux     kernel's kvm_apic_has_events() function while doing an     ioctl. An unprivileged user able to access the     '/dev/kvm' device could use this flaw to crash the     system kernel.(CVE-2015-4692)

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.1 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2016-0728: A reference leak in keyring handling with     join_session_keyring() could lead to local attackers     gain root privileges. (bsc#962075).

  - CVE-2015-7550: A local user could have triggered a race     between read and revoke in keyctl (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2014-8989: The Linux kernel did not properly     restrict dropping of supplemental group memberships in     certain namespace scenarios, which allowed local users     to bypass intended file permissions by leveraging a     POSIX ACL containing an entry for the group category     that is more restrictive than the entry for the other     category, aka a 'negative groups' issue, related to     kernel/groups.c, kernel/uid16.c, and     kernel/user_namespace.c (bnc#906545).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandles IRET faults in     processing NMIs that occurred during userspace     execution, which might allow local users to gain     privileges by triggering an NMI (bnc#937969).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel through     4.2.3 did not ensure that certain slot numbers are     valid, which allowed local users to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #DB (aka Debug)     exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #AC (aka Alignment     Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key     (bnc#912202).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2015-6937 (bnc#952384     953052).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-7885: The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 did not initialize a certain structure     member, which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951627).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8767: A case can occur when sctp_accept() is     called by the user during a heartbeat timeout event     after the 4-way handshake. Since sctp_assoc_migrate()     changes both assoc->base.sk and assoc->ep, the     bh_sock_lock in sctp_generate_heartbeat_event() will be     taken with the listening socket but released with the     new association socket. The result is a deadlock on any     future attempts to take the listening socket lock.
    (bsc#961509)

  - CVE-2015-8575: Validate socket address length in     sco_sock_bind() to prevent information leak     (bsc#959399).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

The following non-security bugs were fixed :

  - ALSA: hda - Disable 64bit address for Creative HDA     controllers (bnc#814440).

  - ALSA: hda - Fix noise problems on Thinkpad T440s     (boo#958504).

  - Input: aiptek - fix crash on detecting device without     endpoints (bnc#956708).

  - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y     (boo#956934).

  - KVM: x86: update masterclock values on TSC writes     (bsc#961739).

  - NFS: Fix a NULL pointer dereference of migration     recovery ops for v4.2 client (bsc#960839).

  - apparmor: allow SYS_CAP_RESOURCE to be sufficient to     prlimit another task (bsc#921949).

  - blktap: also call blkif_disconnect() when frontend     switched to closed (bsc#952976).

  - blktap: refine mm tracking (bsc#952976).

  - cdrom: Random writing support for BD-RE media     (bnc#959568).

  - genksyms: Handle string literals with spaces in     reference files (bsc#958510).

  - ipv4: Do not increase PMTU with Datagram Too Big message     (bsc#955224).

  - ipv6: distinguish frag queues by device for multicast     and link-local packets (bsc#955422).

  - ipv6: fix tunnel error handling (bsc#952579).

  - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

  - uas: Add response iu handling (bnc#954138).

  - usbvision fix overflow of interfaces array (bnc#950998).

  - x86/evtchn: make use of PHYSDEVOP_map_pirq.

  - xen/pciback: Do not allow MSI-X ops if     PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

The SUSE Linux Enterprise Server 11 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2015-5707: An integer overflow in the SCSI generic     driver could be potentially used by local attackers to     crash the kernel or execute code.

  - CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux     kernel did not prevent the TS_COMPAT flag from reaching     a user-mode task, which might have allowed local users     to bypass the seccomp or audit protection mechanism via     a crafted application that uses the (1) fork or (2)     close system call, as demonstrated by an attack against     seccomp before 3.16 (bnc#926240).

  - CVE-2015-0777: drivers/xen/usbback/usbback.c in the     Linux kernel allowed guest OS users to obtain sensitive     information from uninitialized locations in host OS     kernel memory via unspecified vectors (bnc#917830).

  - CVE-2015-2150: Xen and the Linux kernel did not properly     restrict access to PCI command registers, which might     have allowed local guest users to cause a denial of     service (non-maskable interrupt and host crash) by     disabling the (1) memory or (2) I/O decoding for a PCI     Express device and then accessing the device, which     triggers an Unsupported Request (UR) response     (bnc#919463).

  - CVE-2015-5364: A remote denial of service (hang) via UDP     flood with incorrect package checksums was fixed.
    (bsc#936831).

  - CVE-2015-5366: A remote denial of service (unexpected     error returns) via UDP flood with incorrect package     checksums was fixed. (bsc#936831).

  - CVE-2015-1420: CVE-2015-1420: Race condition in the     handle_to_path function in fs/fhandle.c in the Linux     kernel allowed local users to bypass intended size     restrictions and trigger read operations on additional     memory locations by changing the handle_bytes value of a     file handle during the execution of this function     (bnc#915517).

  - CVE-2015-4700: A local user could have created a bad     instruction in the JIT processed BPF code, leading to a     kernel crash (bnc#935705).

  - CVE-2015-1805: The (1) pipe_read and (2) pipe_write     implementations in fs/pipe.c in the Linux kernel did not     properly consider the side effects of failed
    __copy_to_user_inatomic and __copy_from_user_inatomic     calls, which allowed local users to cause a denial of     service (system crash) or possibly gain privileges via a     crafted application, aka an 'I/O vector array overrun'     (bnc#933429).

  - CVE-2015-3331: The __driver_rfc4106_decrypt function in     arch/x86/crypto/aesni-intel_glue.c in the Linux kernel     did not properly determine the memory locations used for     encrypted data, which allowed context-dependent     attackers to cause a denial of service (buffer overflow     and system crash) or possibly execute arbitrary code by     triggering a crypto API call, as demonstrated by use of     a libkcapi test program with an AF_ALG(aead) socket     (bnc#927257).

  - CVE-2015-2922: The ndisc_router_discovery function in     net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol     implementation in the IPv6 stack in the Linux kernel     allowed remote attackers to reconfigure a hop-limit     setting via a small hop_limit value in a Router     Advertisement (RA) message (bnc#922583).

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel used an incorrect data type in a sysctl table,     which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bnc#919007).

  - CVE-2015-3636: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel did not initialize a     certain list data structure during an unhash operation,     which allowed local users to gain privileges or cause a     denial of service (use-after-free and system crash) by     leveraging the ability to make a SOCK_DGRAM socket     system call for the IPPROTO_ICMP or IPPROTO_ICMPV6     protocol, and then making a connect system call after a     disconnect (bnc#929525).

  - CVE-2014-8086: Race condition in the     ext4_file_write_iter function in fs/ext4/file.c in the     Linux kernel allowed local users to cause a denial of     service (file unavailability) via a combination of a     write action and an F_SETFL fcntl operation for the     O_DIRECT flag (bnc#900881).

  - CVE-2014-8159: The InfiniBand (IB) implementation in the     Linux kernel did not properly restrict use of User Verbs     for registration of memory regions, which allowed local     users to access arbitrary physical memory locations, and     consequently cause a denial of service (system crash) or     gain privileges, by leveraging permissions on a uverbs     device under /dev/infiniband/ (bnc#914742).

  - CVE-2014-9683: Off-by-one error in the     ecryptfs_decode_from_filename function in     fs/ecryptfs/crypto.c in the eCryptfs subsystem in the     Linux kernel allowed local users to cause a denial of     service (buffer overflow and system crash) or possibly     gain privileges via a crafted filename (bnc#918333).

  - CVE-2015-2042: net/rds/sysctl.c in the Linux kernel used     an incorrect data type in a sysctl table, which allowed     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry (bnc#919018).

  - CVE-2015-1421: Use-after-free vulnerability in the     sctp_assoc_update function in net/sctp/associola.c in     the Linux kernel allowed remote attackers to cause a     denial of service (slab corruption and panic) or     possibly have unspecified other impact by triggering an     INIT collision that leads to improper handling of     shared-key data (bnc#915577).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix various bugs and security issues.

The following vulnerabilities have been fixed :

CVE-2015-3636: A missing sk_nulls_node_init() in ping_unhash() inside the ipv4 stack can cause crashes if a disconnect is followed by another connect() attempt. (bnc#929525)

CVE-2015-3339: Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped. (bnc#928130)

CVE-2015-3331: The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket. (bnc#927257)

CVE-2015-2922: The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. (bnc#922583)

CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16. (bnc#926240)

CVE-2015-2150: XSA-120: Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
(bnc#919463)

CVE-2015-2042: net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.
(bnc#919018)

CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.
(bnc#919007)

CVE-2015-1421: Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data.
(bnc#915577)

CVE-2015-0777: drivers/xen/usbback/usbback.c in 1 -2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors. (bnc#917830)

CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. (bnc#918333)

CVE-2014-9529: Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. (bnc#912202)

CVE-2014-9419: The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. (bnc#911326)

CVE-2014-8159: The InfiniBand (IB) implementation in the Linux kernel does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/. (bnc#914742)

CVE-2014-8086: Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag.
(bnc#900881)

Also 

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The linux-2.6 update issued as DLA-246-1 caused regressions. This update corrects the defective patches applied in that update causing these problems. For reference the original advisory text follows.

This update fixes the CVEs described below.

CVE-2011-5321

Jiri Slaby discovered that tty_driver_lookup_tty() may leak a reference to the tty driver. A local user could use this flaw to crash the system.

CVE-2012-6689

Pablo Neira Ayuso discovered that non-root user-space processes can send forged Netlink notifications to other processes. A local user could use this flaw for denial of service or privilege escalation.

CVE-2014-3184

Ben Hawkes discovered that various HID drivers may over-read the report descriptor buffer, possibly resulting in a crash if a HID with a crafted descriptor is plugged in.

CVE-2014-8159

It was found that the Linux kernel's InfiniBand/RDMA subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system.

CVE-2014-9683

Dmitry Chernenkov discovered that eCryptfs writes past the end of the allocated buffer during encrypted filename decoding, resulting in local denial of service.

CVE-2014-9728 / CVE-2014-9729 / CVE-2014-9730 / CVE-2014-9731 / CVE-2015-4167

Carl Henrik Lunde discovered that the UDF implementation is missing several necessary length checks. A local user that can mount devices could use these various flaws to crash the system, to leak information from the kernel, or possibly for privilege escalation.

CVE-2015-1805

Red Hat discovered that the pipe iovec read and write implementations may iterate over the iovec twice but will modify the iovec such that the second iteration accesses the wrong memory. A local user could use this flaw to crash the system or possibly for privilege escalation.
This may also result in data corruption and information leaks in pipes between non-malicious processes.

CVE-2015-2041

Sasha Levin discovered that the LLC subsystem exposed some variables as sysctls with the wrong type. On a 64-bit kernel, this possibly allows privilege escalation from a process with CAP_NET_ADMIN capability; it also results in a trivial information leak.

CVE-2015-2042

Sasha Levin discovered that the RDS subsystem exposed some variables as sysctls with the wrong type. On a 64-bit kernel, this results in a trivial information leak.

CVE-2015-2830

Andrew Lutomirski discovered that when a 64-bit task on an amd64 kernel makes a fork(2) or clone(2) system call using int $0x80, the 32-bit compatibility flag is set (correctly) but is not cleared on return. As a result, both seccomp and audit will misinterpret the following system call by the task(s), possibly leading to a violation of security policy.

CVE-2015-2922

Modio AB discovered that the IPv6 subsystem would process a router advertisement that specifies no route but only a hop limit, which would then be applied to the interface that received it. This can result in loss of IPv6 connectivity beyond the local network.

This may be mitigated by disabling processing of IPv6 router advertisements if they are not needed: sysctl net.ipv6.conf.default.accept_ra=0 sysctl net.ipv6.conf.<interface>.accept_ra=0

CVE-2015-3339

It was found that the execve(2) system call can race with inode attribute changes made by chown(2). Although chown(2) clears the setuid/setgid bits of a file if it changes the respective owner ID, this race condition could result in execve(2) setting effective uid/gid to the new owner ID, a privilege escalation.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze12.

For the oldstable distribution (wheezy), these problems were fixed in linux version 3.2.68-1+deb7u1 or earlier, except for CVE-2015-1805 and CVE-2015-4167 which will be fixed soon.

For the stable distribution (jessie), these problems were fixed in linux version 3.16.7-ckt11-1 or earlier, except for CVE-2015-4167 which will be fixed later.

We recommend that you upgrade your linux-2.6 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 kernel was updated to version 3.12.43 to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM     subsystem in the Linux kernel through 3.17.2 did not     properly perform RIP changes, which allowed guest OS     users to cause a denial of service (guest OS crash) via     a crafted application (bsc#899192).

  - CVE-2014-8086: Race condition in the     ext4_file_write_iter function in fs/ext4/file.c in the     Linux kernel through 3.17 allowed local users to cause a     denial of service (file unavailability) via a     combination of a write action and an F_SETFL fcntl     operation for the O_DIRECT flag (bsc#900881).

  - CVE-2014-8159: The InfiniBand (IB) implementation did     not properly restrict use of User Verbs for registration     of memory regions, which allowed local users to access     arbitrary physical memory locations, and consequently     cause a denial of service (system crash) or gain     privileges, by leveraging permissions on a uverbs device     under /dev/infiniband/ (bsc#914742).

  - CVE-2015-1465: The IPv4 implementation in the Linux     kernel before 3.18.8 did not properly consider the     length of the Read-Copy Update (RCU) grace period for     redirecting lookups in the absence of caching, which     allowed remote attackers to cause a denial of service     (memory consumption or system crash) via a flood of     packets (bsc#916225).

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel before 3.19 used an incorrect data type in a     sysctl table, which allowed local users to obtain     potentially sensitive information from kernel memory or     possibly have unspecified other impact by accessing a     sysctl entry (bsc#919007).

  - CVE-2015-2042: net/rds/sysctl.c in the Linux kernel     before 3.19 used an incorrect data type in a sysctl     table, which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bsc#919018).

  - CVE-2015-2666: Fixed a flaw that allowed crafted     microcode to overflow the kernel stack (bsc#922944).

  - CVE-2015-2830: Fixed int80 fork from 64-bit tasks     mishandling (bsc#926240).

  - CVE-2015-2922: Fixed possible denial of service (DoS)     attack against IPv6 network stacks due to improper     handling of Router Advertisements (bsc#922583).

  - CVE-2015-3331: Fixed buffer overruns in RFC4106     implementation using AESNI (bsc#927257).

  - CVE-2015-3332: Fixed TCP Fast Open local DoS     (bsc#928135).

  - CVE-2015-3339: Fixed race condition flaw between the     chown() and execve() system calls which could have lead     to local privilege escalation (bsc#928130).

  - CVE-2015-3636: Fixed use-after-free in ping sockets     which could have lead to local privilege escalation     (bsc#929525).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2014-8159     It was found that the Linux kernel's InfiniBand/RDMA     subsystem did not properly sanitize input parameters     while registering memory regions from user space via the     (u)verbs API. A local user with access to a     /dev/infiniband/uverbsX device could use this flaw to     crash the system or, potentially, escalate their     privileges on the system.

  - CVE-2014-9715     It was found that the netfilter connection tracking     subsystem used too small a type as an offset within each     connection's data structure, following a bug fix in     Linux 3.2.33 and 3.6. In some configurations, this would     lead to memory corruption and crashes (even without     malicious traffic). This could potentially also result     in violation of the netfilter policy or remote code     execution.

  This can be mitigated by disabling connection tracking   accounting:sysctl net.netfilter.nf_conntrack_acct=0

  - CVE-2015-2041     Sasha Levin discovered that the LLC subsystem exposed     some variables as sysctls with the wrong type. On a     64-bit kernel, this possibly allows privilege escalation     from a process with CAP_NET_ADMIN capability; it also     results in a trivial information leak.

  - CVE-2015-2042     Sasha Levin discovered that the RDS subsystem exposed     some variables as sysctls with the wrong type. On a     64-bit kernel, this results in a trivial information     leak.

  - CVE-2015-2150     Jan Beulich discovered that Xen guests are currently     permitted to modify all of the (writable) bits in the     PCI command register of devices passed through to them.
    This in particular allows them to disable memory and I/O     decoding on the device unless the device is an SR-IOV     virtual function, which can result in denial of service     to the host.

  - CVE-2015-2830     Andrew Lutomirski discovered that when a 64-bit task on     an amd64 kernel makes a fork(2) or clone(2) system call     using int $0x80, the 32-bit compatibility flag is set     (correctly) but is not cleared on return. As a result,     both seccomp and audit will misinterpret the following     system call by the task(s), possibly leading to a     violation of security policy.

  - CVE-2015-2922     Modio AB discovered that the IPv6 subsystem would     process a router advertisement that specifies no route     but only a hop limit, which would then be applied to the     interface that received it. This can result in loss of     IPv6 connectivity beyond the local network.

  This may be mitigated by disabling processing of IPv6 router   advertisements if they are not needed:sysctl   net.ipv6.conf.default.accept_ra=0sysctl   net.ipv6.conf.<interface>.accept_ra=0

  - CVE-2015-3331     Stephan Mueller discovered that the optimised     implementation of RFC4106 GCM for x86 processors that     support AESNI miscalculated buffer addresses in some     cases. If an IPsec tunnel is configured to use this mode     (also known as AES-GCM-ESP) this can lead to memory     corruption and crashes (even without malicious traffic).
    This could potentially also result in remote code     execution.

  - CVE-2015-3332     Ben Hutchings discovered that the TCP Fast Open feature     regressed in Linux 3.16.7-ckt9, resulting in a kernel     BUG when it is used. This can be used as a local denial     of service.

  - CVE-2015-3339     It was found that the execve(2) system call can race     with inode attribute changes made by chown(2). Although     chown(2) clears the setuid/setgid bits of a file if it     changes the respective owner ID, this race condition     could result in execve(2) setting effective uid/gid to     the new owner ID, a privilege escalation.

The Linux kernel was updated to fix bugs and security issues :

Following security issues were fixed: CVE-2015-2830: A flaw was found in the way the Linux kernels 32-bit emulation implementation handled forking or closing of a task with an int80 entry. A local user could have potentially used this flaw to escalate their privileges on the system.

CVE-2015-2042: A kernel information leak in rds sysctl files was fixed.

CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0275: A BUG_ON in ext4 was fixed which could be triggered by local users.

CVE-2015-2666: A buffer overflow when loading microcode files into the kernel could be used by the administrator to execute code in the kernel, bypassing secure boot measures.

  - CVE-2015-1421: Use-after-free vulnerability in the     sctp_assoc_update function in net/sctp/associola.c in     the Linux kernel allowed remote attackers to cause a     denial of service (slab corruption and panic) or     possibly have unspecified other impact by triggering an     INIT collision that leads to improper handling of     shared-key data.

  - CVE-2015-2150: XSA-120: Guests were permitted to modify     all bits of the PCI command register of passed through     cards, which could lead to Host system crashes.

  - CVE-2015-0777: The XEN usb backend could leak     information to the guest system due to copying     uninitialized memory.

  - CVE-2015-1593: A integer overflow reduced the     effectiveness of the stack randomization on 64-bit     systems.

  - CVE-2014-9419: The __switch_to function in     arch/x86/kernel/process_64.c in the Linux kernel did not     ensure that Thread Local Storage (TLS) descriptors are     loaded before proceeding with other steps, which made it     easier for local users to bypass the ASLR protection     mechanism via a crafted application that reads a TLS     base address.

  - CVE-2014-9428: The batadv_frag_merge_packets function in     net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel used an incorrect     length field during a calculation of an amount of     memory, which allowed remote attackers to cause a denial     of service (mesh-node system crash) via fragmented     packets.

  - CVE-2014-8160:
    net/netfilter/nf_conntrack_proto_generic.c in the Linux     kernel generated incorrect conntrack entries during     handling of certain iptables rule sets for the SCTP,     DCCP, GRE, and UDP-Lite protocols, which allowed remote     attackers to bypass intended access restrictions via     packets with disallowed port numbers.

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key.

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel did not restrict the     number of Rock Ridge continuation entries, which allowed     local users to cause a denial of service (infinite loop,     and system crash or hang) via a crafted iso9660 image.

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel did not     validate a length value in the Extensions Reference (ER)     System Use Field, which allowed local users to obtain     sensitive information from kernel memory via a crafted     iso9660 image.

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel did not properly     choose memory locations for the vDSO area, which made it     easier for local users to bypass the ASLR protection     mechanism by guessing a location at the end of a PMD.

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through did not properly maintain the     semantics of rename_lock, which allowed local users to     cause a denial of service (deadlock and system hang) via     a crafted application.

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel used an     improper paravirt_enabled setting for KVM guest kernels,     which made it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that     reads a 16-bit value.

Following bugs were fixed :

  - powerpc/pci: Fix IO space breakage after     of_pci_range_to_resource() change (bnc#922542).

  - cifs: fix use-after-free bug in find_writable_file     (bnc#909477).

  - usb: Do not allow usb_alloc_streams on unconfigured     devices (bsc#920581).

  - fuse: honour max_read and max_write in direct_io mode     (bnc#918954).

  - switch iov_iter_get_pages() to passing maximal number of     pages (bnc#918954).

  - bcache: fix a livelock in btree lock v2 (bnc#910440)     (bnc#910440). Updated because another version went     upstream

  - drm/i915: Initialise userptr mmu_notifier serial to 1     (bnc#918970).

  - NFS: Don't try to reclaim delegation open state if     recovery failed (boo#909634).

  - NFSv4: Ensure that we call FREE_STATEID when NFSv4.x     stateids are revoked (boo#909634).

  - NFSv4: Fix races between nfs_remove_bad_delegation() and     delegation return (boo#909634).

  - NFSv4: Ensure that we remove NFSv4.0 delegations when     state has expired (boo#909634).

  - Fixing lease renewal (boo#909634).

  - bcache: Fix a bug when detaching (bsc#908582).

  - fix a leak in bch_cached_dev_run() (bnc#910440).

  - bcache: unregister reboot notifier when bcache fails to     register a block device (bnc#910440).

  - bcache: fix a livelock in btree lock (bnc#910440).

  - bcache: [BUG] clear BCACHE_DEV_UNLINK_DONE flag when     attaching a backing device (bnc#910440).

  - bcache: Add a cond_resched() call to gc (bnc#910440).

  - storvsc: ring buffer failures may result in I/O freeze     (bnc#914175).

  - ALSA: seq-dummy: remove deadlock-causing events on close     (boo#916608).

  - ALSA: pcm: Zero-clear reserved fields of PCM status     ioctl in compat mode (boo#916608).

  - ALSA: bebob: Uninitialized id returned by     saffirepro_both_clk_src_get (boo#916608).

  - ALSA: hda - Fix built-in mic on Compaq Presario CQ60     (bnc#920604).

  - ALSA: hda - Fix regression of HD-audio controller     fallback modes (bsc#921313).

  - [media] sound: Update au0828 quirks table (boo#916608).

  - [media] sound: simplify au0828 quirk table (boo#916608).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Webcam C210 (boo#916608).

  - ALSA: usb-audio: extend KEF X300A FU 10 tweak to Arcam     rPAC (boo#916608).

  - ALSA: usb-audio: Add ctrl message delay quirk for     Marantz/Denon devices (boo#916608).

  - ALSA: usb-audio: Fix memory leak in FTU quirk     (boo#916608).

  - ALSA: usb-audio: Fix device_del() sysfs warnings at     disconnect (boo#916608).

  - ALSA: hda - Add new GPU codec ID 0x10de0072 to snd-hda     (boo#916608).

  - ALSA: hda - Fix wrong gpio_dir & gpio_mask hint setups     for IDT/STAC codecs (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC298     (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC256     (boo#916608).

  - ALSA: hda/realtek - Add new Dell desktop for ALC3234     headset mode (boo#916608).

  - ALSA: hda - Add EAPD fixup for ASUS Z99He laptop     (boo#916608).

  - ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad     S210 (boo#916608).

  - ALSA: hda/realtek - Add headset Mic support for new Dell     machine (boo#916608).

  - ALSA: hda_intel: Add DeviceIDs for Sunrise Point-LP     (boo#916608).

  - ALSA: hda_intel: Add Device IDs for Intel Sunrise Point     PCH (boo#916608).

  - ALSA: hda - add codec ID for Braswell display audio     codec (boo#916608).

  - ALSA: hda - add PCI IDs for Intel Braswell (boo#916608).

  - ALSA: hda - Add dock support for Thinkpad T440     (17aa:2212) (boo#916608).

  - ALSA: hda - Set up GPIO for Toshiba Satellite S50D     (bnc#915858).

  - rpm/kernel-binary.spec.in: Fix build if there is no
    *.crt file

  - mm, vmscan: prevent kswapd livelock due to     pfmemalloc-throttled process being killed (VM     Functionality bnc#910150).

  - Input: evdev - fix EVIOCG(type) ioctl (bnc#904899).

  - mnt: Implicitly add MNT_NODEV on remount when it was     implicitly added by mount (bsc#907988).

  - Btrfs: fix scrub race leading to use-after-free     (bnc#915456).

  - Btrfs: fix setup_leaf_for_split() to avoid leaf     corruption (bnc#915454).

  - Btrfs: fix fsync log replay for inodes with a mix of     regular refs and extrefs (bnc#915425).

  - Btrfs: fix fsync when extend references are added to an     inode (bnc#915425).

  - Btrfs: fix directory inconsistency after fsync log     replay (bnc#915425).

  - Btrfs: make xattr replace operations atomic     (bnc#913466).

  - Btrfs: fix directory recovery from fsync log     (bnc#895797).

  - Btrfs: simplify insert_orphan_item (boo#926385).

  - Btrfs: set proper message level for skinny metadata.

  - Btrfs: make sure we wait on logged extents when fsycning     two subvols.

  - Btrfs: fix lost return value due to variable shadowing.

  - Btrfs: fix leak of path in btrfs_find_item.

  - Btrfs: fix fsync data loss after adding hard link to     inode.

  - Btrfs: fix fs corruption on transaction abort if device     supports discard.

  - Btrfs: fix data loss in the fast fsync path.

  - Btrfs: don't delay inode ref updates during log replay.

  - Btrfs: do not move em to modified list when unpinning.

  - Btrfs:__add_inode_ref: out of bounds memory read when     looking for extended ref.

  - Btrfs: fix inode eviction infinite loop after cloning     into it (boo#905088).

  - bcache: add mutex lock for bch_is_open (bnc#908612).

  - bcache: Correct printing of btree_gc_max_duration_ms     (bnc#908610).

  - bcache: fix crash with incomplete cache set     (bnc#908608).

  - bcache: fix memory corruption in init error path     (bnc#908606).

  - bcache: Fix more early shutdown bugs (bnc#908605).

  - bcache: fix use-after-free in btree_gc_coalesce()     (bnc#908604).

  - bcache: Fix an infinite loop in journal replay     (bnc#908603).

  - bcache: fix typo in bch_bkey_equal_header (bnc#908598).

  - bcache: Make sure to pass GFP_WAIT to mempool_alloc()     (bnc#908596).

  - bcache: fix crash on shutdown in passthrough mode     (bnc#908594).

  - bcache: fix lockdep warnings on shutdown (bnc#908593).

  - bcache allocator: send discards with correct size     (bnc#908592).

  - bcache: Fix to remove the rcu_sched stalls (bnc#908589).

  - bcache: Fix a journal replay bug (bnc#908588).

  - Update x86_64 config files: CONFIG_SENSORS_NCT6683=m The     nct6683 driver is already enabled on i386 and history     suggests that it not being enabled on x86_64 is by     mistake.

  - rpm/kernel-binary.spec.in: Own the modules directory in     the devel package (bnc#910322)

  - Revert 'iwlwifi: mvm: treat EAPOLs like mgmt frames wrt     rate' (bnc#900811).

  - mm: free compound page with correct order (bnc#913695).

  - drm/i915: More cautious with pch fifo underruns     (boo#907039).

  - Refresh patches.arch/arm64-0039-generic-pci.patch (fix     PCI bridge support)

  - x86/microcode/intel: Fish out the stashed microcode for     the BSP (bsc#903589).

  - x86, microcode: Reload microcode on resume (bsc#903589).

  - x86, microcode: Don't initialize microcode code on     paravirt (bsc#903589).

  - x86, microcode, intel: Drop unused parameter     (bsc#903589).

  - x86, microcode, AMD: Do not use smp_processor_id() in     preemtible context (bsc#903589).

  - x86, microcode: Update BSPs microcode on resume     (bsc#903589).

  - x86, microcode, AMD: Fix ucode patch stashing on 32-bit     (bsc#903589).

  - x86, microcode: Fix accessing dis_ucode_ldr on 32-bit     (bsc#903589).

  - x86, microcode, AMD: Fix early ucode loading on 32-bit     (bsc#903589).

  - Bluetooth: Add support for Broadcom BCM20702A0 variants     firmware download (bnc#911311).

  - drm/radeon: fix sad_count check for dce3 (bnc#911356).

  - drm/i915: Don't call intel_prepare_page_flip() multiple     times on gen2-4 (bnc#911835).

  - udf: Check component length before reading it.

  - udf: Check path length when reading symlink.

  - udf: Verify symlink size before loading it.

  - udf: Verify i_size when loading inode.

  - arm64: Enable DRM

  - arm64: Enable generic PHB driver (bnc#912061).

  - ACPI / video: Add some Samsung models to     disable_native_backlight list (boo#905681).

  - asus-nb-wmi: Add another wapf=4 quirk (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550VB     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the U32U (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CC     (boo#911438).

  - asus-nb-wmi: Constify asus_quirks DMI table     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CL     (boo#911438).

  - asus-nb-wmi.c: Rename x401u quirk to wapf4 (boo#911438).

  - asus-nb-wmi: Add ASUSTeK COMPUTER INC. X200CA     (boo#911438).

  - WAPF 4 for ASUSTeK COMPUTER INC. X75VBP WLAN ON     (boo#911438).

  - Input: synaptics - gate forcepad support by DMI check     (bnc#911578).

  - ext4: introduce aging to extent status tree     (bnc#893428).

  - ext4: cleanup flag definitions for extent status tree     (bnc#893428).

  - ext4: limit number of scanned extents in status tree     shrinker (bnc#893428).

  - ext4: move handling of list of shrinkable inodes into     extent status code (bnc#893428).

  - ext4: change LRU to round-robin in extent status tree     shrinker (bnc#893428).

  - ext4: cache extent hole in extent status tree for     ext4_da_map_blocks() (bnc#893428).

  - ext4: fix block reservation for bigalloc filesystems     (bnc#893428).

  - ext4: track extent status tree shrinker delay statictics     (bnc#893428).

  - ext4: improve extents status tree trace point     (bnc#893428).

  - rpm/kernel-binary.spec.in: Provide name-version-release     for kgraft packages (bnc#901925)

  - rpm/kernel-binary.spec.in: Fix including the secure boot     cert in /etc/uefi/certs

  - doc/README.SUSE: update Solid Driver team contacts

  - rpm/kernel-binary.spec.in: Do not sign firmware files     (bnc#867199)

  - Port module signing changes from SLE11-SP3 (fate#314508)

  - doc/README.PATCH-POLICY.SUSE: add patch policy / best     practices document after installation.

  - Update config files. (boo#925479) Do not set     CONFIG_SYSTEM_TRUSTED_KEYRING until we need it in future     openSUSE version: e.g. MODULE_SIG, IMA, PKCS7(new),     KEXEC_BZIMAGE_VERIFY_SIG(new)

  - Input: xpad - use proper endpoint type (bnc#926397).

  - md: don't require sync_min to be a multiple of     chunk_size (bnc#910500).

An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel's handling of userspace configuration of the link layer control (LLC). A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting the Reliable Datagram Sockets (RDS) settings. A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2042).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Sun Baoliang discovered a use after free flaw in the Linux kernel's SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system. (CVE-2015-1421)

Marcelo Leitner discovered a flaw in the Linux kernel's routing of packets to too many different dsts/too fast. A remote attacker can exploit this flaw to cause a denial of service (system crash).
(CVE-2015-1465)

An integer overflow was discovered in the stack randomization feature of the Linux kernel on 64 bit platforms. A local attacker could exploit this flaw to bypass the Address Space Layout Randomization (ASLR) protection mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel's handling of userspace configuration of the link layer control (LLC). A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting the Reliable Datagram Sockets (RDS) settings. A local user could exploit this flaw to read data from other sysctl settings.
(CVE-2015-2042).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.19.3 rebase contains improved hardware support, a number of new features, and many important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.19.1 rebase contains improved hardware support, a number of new features, and many important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127192	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0028)	Nessus	NewStart CGSL Local Security Checks	high
127146	NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)	Nessus	NewStart CGSL Local Security Checks	critical
124972	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519)	Nessus	Huawei Local Security Checks	high
124811	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1487)	Nessus	Huawei Local Security Checks	high
88545	openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)	Nessus	SuSE Local Security Checks	critical
85764	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:1478-1)	Nessus	SuSE Local Security Checks	critical
84545	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:1174-1)	Nessus	SuSE Local Security Checks	critical
84252	Debian DLA-246-2 : linux-2.6 regression update	Nessus	Debian Local Security Checks	high
84227	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2015:1071-1)	Nessus	SuSE Local Security Checks	high
83065	Debian DSA-3237-1 : linux - security update	Nessus	Debian Local Security Checks	high
82756	openSUSE Security Update : Linux Kernel (openSUSE-2015-302)	Nessus	SuSE Local Security Checks	critical
82696	Ubuntu 14.10 : linux vulnerabilities (USN-2565-1)	Nessus	Ubuntu Local Security Checks	medium
82695	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2564-1)	Nessus	Ubuntu Local Security Checks	medium
82662	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2563-1)	Nessus	Ubuntu Local Security Checks	critical
82661	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2562-1)	Nessus	Ubuntu Local Security Checks	critical
82660	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2560-1)	Nessus	Ubuntu Local Security Checks	medium
82630	Fedora 20 : kernel-3.19.3-100.fc20 (2015-5024)	Nessus	Fedora Local Security Checks	medium
81991	Fedora 21 : kernel-3.19.1-201.fc21 (2015-4059)	Nessus	Fedora Local Security Checks	medium

CVE-2015-2042

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins