http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5

SUSE-SU-2015:1727

SUSE-SU-2015:2108

SUSE-SU-2016:0354

SUSE-SU-2016:2074

DSA-3364

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.5

[oss-security] 20150818 Re: CVE request: linux kernel:fd leak in vhost ioctl VHOST_SET_LOG_FD

76400

1033666

USN-2748-1

USN-2749-1

USN-2751-1

USN-2752-1

USN-2759-1

USN-2760-1

USN-2777-1

https://bugzilla.redhat.com/show_bug.cgi?id=1251839

https://github.com/torvalds/linux/commit/7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Use-after-free vulnerability in drivers/net/tun.c in     the Linux kernel through 3.11.1 allows local users to     gain privileges by leveraging the CAP_NET_ADMIN     capability and providing an invalid tuntap interface     name in a TUNSETIFF ioctl call.(CVE-2013-4343i1/4%0

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042i1/4%0

  - A flaw was found in the Linux kernel that     fs/ocfs2/aops.c omits use of a semaphore and     consequently has a race condition for access to the     extent tree during read operations in DIRECT mode. This     allows local users to cause a denial of service by     modifying a certain e_cpos field.(CVE-2017-18224i1/4%0

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075i1/4%0

  - In the function sbusfb_ioctl_helper() in     drivers/video/fbdev/sbuslib.c in the Linux kernel, up     to and including 4.15, an integer signedness error     allows arbitrary information leakage for the     FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC     commands.(CVE-2018-6412i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's mmap(2), madvise(2), and fallocate(2) system     calls interacted with each other while operating on     virtual memory file system files. A local user could     use this flaw to cause a denial of     service.(CVE-2014-4171i1/4%0

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1095i1/4%0

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's Stream Control Transmission Protocol     (SCTP) implementation handled simultaneous connections     between the same hosts. A remote attacker could use     this flaw to crash the system.(CVE-2014-5077i1/4%0

  - A vulnerability was found in the     fs/inode.c:inode_init_owner() function logic of the     LInux kernel that allows local users to create files     with an unintended group ownership and with group     execution and SGID permission bits set, in a scenario     where a directory is SGID and belongs to a certain     group and is writable by a user who is not a member of     this group. This can lead to excessive permissions     granted in case when they should not.(CVE-2018-13405i1/4%0

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a     use-after-free.(CVE-2019-6974i1/4%0

  - A flaw was found in the way Linux kernel allocates heap     memory to build the scattergather list from a fragment     list(skb_shinfo(skb)-i1/4zfrag_list) in the socket     buffer(skb_buff). The heap overflow occurred if     'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST'     feature are both used together. A remote user or     process could use this flaw to potentially escalate     their privilege on a system.(CVE-2017-7477i1/4%0

  - Multiple integer overflows in Alchemy LCD frame-buffer     drivers in the Linux kernel before 3.12 allow local     users to create a read-write memory mapping for the     entirety of kernel memory, and consequently gain     privileges, via crafted mmap operations, related to the     (1) au1100fb_fb_mmap function in     drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap     function in drivers/video/au1200fb.c.(CVE-2013-4511i1/4%0

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190i1/4%0

  - An issue was discovered in the Linux kernel before     4.19.3. crypto_report_one() and related functions in     crypto/crypto_user.c (the crypto user configuration     API) do not fully initialize structures that are copied     to userspace, potentially leaking sensitive memory to     user programs. NOTE: this is a CVE-2013-2547 regression     but with easier exploitability because the attacker     does not need a capability (however, the system must     have the CONFIG_CRYPTO_USER kconfig     option).(CVE-2018-19854i1/4%0

  - The userfaultfd implementation in the Linux kernel     before 4.19.7 mishandles access control for certain     UFFDIO_ ioctl calls, as demonstrated by allowing local     users to write data into holes in a tmpfs file (if the     user has read-only access to that file, and that file     contains holes), related to fs/userfaultfd.c and     mm/userfaultfd.c.(CVE-2018-18397i1/4%0

  - The TCP stack in the Linux kernel through 4.10.6     mishandles the SCM_TIMESTAMPING_OPT_STATS feature,     which allows local users to obtain sensitive     information from the kernel's internal socket data     structures or cause a denial of service (out-of-bounds     read) via crafted system calls, related to     net/core/skbuff.c and net/socket.c.(CVE-2017-7277i1/4%0

  - A flaw was found in the way the Linux kernel's vhost     driver treated userspace provided log file descriptor     when processing the VHOST_SET_LOG_FD ioctl command. The     file descriptor was never released and continued to     consume kernel memory. A privileged local user with     access to the /dev/vhost-net files could use this flaw     to create a denial-of-service attack.(CVE-2015-6252i1/4%0

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the     system.(CVE-2015-5156i1/4%0

  - The MSM QDSP6 audio driver (aka sound driver) for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, allows attackers to gain privileges or cause     a denial of service (integer overflow, and buffer     overflow or buffer over-read) via a crafted application     that performs a (1) AUDIO_EFFECTS_WRITE or (2)     AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug     CR1006609.(CVE-2016-2068i1/4%0

  - The icmp6_send function in net/ipv6/icmp.c in the Linux     kernel through 4.8.12 omits a certain check of the dst     data structure which allows remote attackers to cause a     denial of service (panic) via a fragmented IPv6     packet.(CVE-2016-9919i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel handled     IRET faults during the processing of NMIs. An     unprivileged, local user could use this flaw to crash     the system or, potentially (although highly unlikely),     escalate their privileges on the system.(CVE-2015-5157)

  - A denial of service vulnerability was found in the     WhiteHEAT USB Serial Driver (whiteheat_attach function     in drivers/usb/serial/whiteheat.c). In the driver, the     COMMAND_PORT variable was hard coded and set to 4 (5th     element). The driver assumed that the number of ports     would always be 5 and used port number 5 as the command     port. However, when using a USB device in which the     number of ports was set to a number less than 5 (for     example, 3), the driver triggered a kernel NULL-pointer     dereference. A non-privileged attacker could use this     flaw to panic the host.(CVE-2015-5257)

  - A NULL pointer dereference flaw was found in the SCTP     implementation. A local user could use this flaw to     cause a denial of service on the system by triggering a     kernel panic when creating multiple sockets in parallel     while the system did not have the SCTP module     loaded.(CVE-2015-5283)

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #AC (alignment check exception) is handled. A     privileged user inside a guest could use this flaw to     create denial of service conditions on the host     kernel.(CVE-2015-5307)

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5364)

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5366)

  - A cross-boundary flaw was discovered in the Linux     kernel software raid driver. The driver accessed a     disabled bitmap where only the first byte of the buffer     was initialized to zero. This meant that the rest of     the request (up to 4095 bytes) was left and copied into     user space. An attacker could use this flaw to read     private information from user space that would not     otherwise have been accessible.(CVE-2015-5697)

  - An integer-overflow vulnerability was found in the scsi     block-request handling code in function start_req(). A     local attacker could use specially crafted IOV requests     to overflow a counter used in bio_map_user_iov()'s page     calculation, and write past the end of the array that     contains kernel-page pointers.(CVE-2015-5707)

  - A flaw was found in the way the Linux kernel's vhost     driver treated userspace provided log file descriptor     when processing the VHOST_SET_LOG_FD ioctl command. The     file descriptor was never released and continued to     consume kernel memory. A privileged local user with     access to the /dev/vhost-net files could use this flaw     to create a denial-of-service attack.(CVE-2015-6252)

  - A flaw was found in the way the Linux kernel's perf     subsystem retrieved userlevel stack traces on PowerPC     systems. A local, unprivileged user could use this flaw     to cause a denial of service on the system by creating     a special stack layout that would force the     perf_callchain_user_64() function into an infinite     loop.(CVE-2015-6526)

  - A NULL-pointer dereference vulnerability was discovered     in the Linux kernel. The kernel's Reliable Datagram     Sockets (RDS) protocol implementation did not verify     that an underlying transport existed before creating a     connection to a remote server. A local system user     could exploit this flaw to crash the system by creating     sockets at specific times to trigger a NULL pointer     dereference.(CVE-2015-6937)

  - Multiple race conditions in the Advanced Union     Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch     patches for the Linux kernel 3.x and 4.x allow local     users to cause a denial of service (use-after-free and     BUG) or possibly gain privileges via a (1) madvise or     (2) msync system call, related to mm/madvise.c and     mm/msync.c.(CVE-2015-7312)

  - A divide-by-zero flaw was discovered in the Linux     kernel built with KVM virtualization     support(CONFIG_KVM). The flaw occurs in the KVM     module's Programmable Interval Timer(PIT) emulation,     when PIT counters for channel 1 or 2 are set to zero(0)     and a privileged user inside the guest attempts to read     these counters. A privileged guest user with access to     PIT I/O ports could exploit this issue to crash the     host kernel (denial of service).(CVE-2015-7513)

  - An out-of-bounds memory access flaw was found in the     Linux kernel's aiptek USB tablet driver (aiptek_probe()     function in drivers/input/tablet/aiptek.c). The driver     assumed that the interface always had at least one     endpoint. By using a specially crafted USB device with     no endpoints on one of its interfaces, an unprivileged     user with physical access to the system could trigger a     kernel NULL pointer dereference, causing the system to     panic.(CVE-2015-7515)

  - A NULL-pointer dereference flaw was found in the     kernel, which is caused by a race between revoking a     user-type key and reading from it. The issue could be     triggered by an unprivileged user with a local account,     causing the kernel to crash (denial of     service).(CVE-2015-7550)

  - A flaw was found in the way the Linux kernel visor     driver handles certain invalid USB device descriptors.
    The driver assumes that the device always has at least     one bulk OUT endpoint. By using a specially crafted USB     device (without a bulk OUT endpoint), an unprivileged     user with physical access could trigger a kernel     NULL-pointer dereference and cause a system panic     (denial of service).(CVE-2015-7566)

  - A race condition flaw was found in the way the Linux     kernel's IPC subsystem initialized certain fields in an     IPC object structure that were later used for     permission checking before inserting the object into a     globally visible list. A local, unprivileged user could     potentially use this flaw to elevate their privileges     on the system.(CVE-2015-7613)

  - A flaw was discovered in the Linux kernel where issuing     certain ioctl() -s commands to the '/dev/ppp' device     file could lead to a NULL pointer dereference. A     privileged user could use this flaw to cause a kernel     crash and denial of service.(CVE-2015-7799)

  - It was found that the Linux kernel's keys subsystem did     not correctly garbage collect uninstantiated keyrings.
    A local attacker could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-7872)

  - A denial of service flaw was discovered in the Linux     kernel, where a race condition caused a NULL pointer     dereference in the RDS socket-creation code. A local     attacker could use this flaw to create a situation in     which a NULL pointer crashed the kernel.(CVE-2015-7990)

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #DB (debug exception) is handled. A privileged user     inside a guest could use this flaw to create denial of     service conditions on the host kernel.(CVE-2015-8104)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially     use this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system.(CVE-2015-8215)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986995] (CVE-2017-7895)

  - ocfs2/o2net: o2net_listen_data_ready should do nothing     if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug:
    25510857]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 23750748]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki) [Orabug: 25534688]

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549845]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549845]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719676] (CVE-2017-2583)     (CVE-2017-2583)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719811] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720815] (CVE-2017-6214)

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796604] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797014] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797056]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (David Howells) [Orabug:
    25823965] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825107] (CVE-2015-5257)

  - RDS: fix race condition when sending a message on     unbound socket (Quentin Casasnovas) [Orabug: 25871048]     (CVE-2015-6937) (CVE-2015-6937)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udf: Treat symlink component of type 2 as / (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877531] (CVE-2016-7910)

  - RHEL: complement upstream workaround for CVE-2016-10142.
    (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)     (CVE-2016-10142)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25752011] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696689] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696689] (CVE-2017-2636)

  - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc     (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)

  - list: introduce list_first_entry_or_null (Jiri Pirko)     [Orabug: 25696689] (CVE-2017-2636)

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451538] (CVE-2016-8633)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463929]     (CVE-2016-3672)

  - x86 get_unmapped_area: Access mmap_legacy_base through     mm_struct member (Radu Caragea) [Orabug: 25463929]     (CVE-2016-3672)

  - sg_start_req: make sure that there's not too many     elements in iovec (Al Viro) [Orabug: 25490377]     (CVE-2015-5707)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507232] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507232] (CVE-2016-8645)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)

  - x86: bpf_jit: fix compilation of large bpf programs     (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)

  - net: fix a kernel infoleak in x25 module (Kangjie Lu)     [Orabug: 25512417] (CVE-2016-4580)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512472]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682437] (CVE-2017-6345)

  - dccp: fix freeing skb too early for IPV6_RECVPKTINFO     (Andrey Konovalov) [Orabug: 25598277] (CVE-2017-6074)

  - vfs: read file_handle only once in handle_to_path (Sasha     Levin) [Orabug: 25388709] (CVE-2015-1420)

  - crypto: algif_hash - Only export and import on sockets     with data (Herbert Xu) [Orabug: 25417807]

  - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)     [Orabug: 25462763] (CVE-2016-4482)

  - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811]     (CVE-2016-4485)

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

  - unix: avoid use-after-free in ep_remove_wait_queue     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986990] (CVE-2017-7895)

  - fnic: Update fnic driver version to 1.6.0.24 (John     Sobecki) [Orabug: 24448585]

  - xen-netfront: Rework the fix for Rx stall during OOM and     network stress (Dongli Zhang) [Orabug: 25450703]

  - xen-netfront: Fix Rx stall during network stress and OOM     (Dongli Zhang) [Orabug: 25450703]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki)

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549809]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549809]

  - VSOCK: Fix lockdep issue. (Dongli Zhang) [Orabug:
    25559937]

  - VSOCK: sock_put wasn't safe to call in interrupt context     (Dongli Zhang) [Orabug: 25559937]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 25677469]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719675] (CVE-2017-2583)     (CVE-2017-2583)

  - ext4: validate s_first_meta_bg at mount time (Eryu Guan)     [Orabug: 25719738] (CVE-2016-10208)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719810] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720813] (CVE-2017-6214)

  - lpfc cannot establish connection with targets that send     PRLI under P2P mode (Joe Jin) [Orabug: 25759083]

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796594] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797012] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797052]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (Aniket Alshi) [Orabug:
    25823962] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825105] (CVE-2015-5257)     (CVE-2015-5257)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871102] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25876655] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877530] (CVE-2016-7910)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790392] (CVE-2016-9644)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766911] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765776] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765445] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751996] (CVE-2017-7187)

Description of changes:

[2.6.39-400.295.2.el6uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995]  {CVE-2017-7895}

[2.6.39-400.295.1.el6uek]
- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed)  [Orabug: 25510857]
- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 23750748]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)  [Orabug: 25534688]
- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549845]
- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845]
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles)  [Orabug: 25549845]
- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719676]  {CVE-2017-2583} {CVE-2017-2583}
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719811]  {CVE-2017-5986}
- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 25720815]  {CVE-2017-6214}
- USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796604]   {CVE-2016-2782}
- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797014]  {CVE-2017-5669}
- vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 25797056]  {CVE-2015-6252}
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- KEYS: Remove key_type::match in favour of overriding default by match_preparse (David Howells)  [Orabug: 25823965]  {CVE-2017-2647} {CVE-2017-2647}
- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825107]  {CVE-2015-5257}
- RDS: fix race condition when sending a message on unbound socket (Quentin Casasnovas)  [Orabug: 25871048]  {CVE-2015-6937} {CVE-2015-6937}
- udf: Check path length when reading symlink (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udf: Treat symlink component of type 2 as / (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25874741]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877531]  {CVE-2016-7910}
- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas)  [Orabug: 25765786]  {CVE-2016-10142} {CVE-2016-10142}
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765448]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011]  {CVE-2017-7187}
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696689]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696689]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696689]  {CVE-2017-2636}
- list: introduce list_first_entry_or_null (Jiri Pirko)  [Orabug: 25696689]  {CVE-2017-2636}
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463929]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463929]  {CVE-2016-3672}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490377]  {CVE-2015-5707}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507232]  {CVE-2016-8645}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507330]  {CVE-2016-7425}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 25507375]  {CVE-2015-4700}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512417]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512472]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682437]  {CVE-2017-6345}
- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov)  [Orabug: 25598277]  {CVE-2017-6074}
- vfs: read file_handle only once in handle_to_path (Sasha Levin) [Orabug: 25388709]  {CVE-2015-1420}
- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu)  [Orabug: 25417807]
- USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 25462763]  {CVE-2016-4482}
- net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462811]  {CVE-2016-4485}
- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat)  [Orabug: 25464000]  {CVE-2013-7446}
- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25464000]  {CVE-2013-7446}

Description of changes:

kernel-uek [3.8.13-118.18.2.el7uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986990]  {CVE-2017-7895}

[3.8.13-118.18.1.el7uek]
- fnic: Update fnic driver version to 1.6.0.24 (John Sobecki)  [Orabug: 24448585]
- xen-netfront: Rework the fix for Rx stall during OOM and network stress (Dongli Zhang)  [Orabug: 25450703]
- xen-netfront: Fix Rx stall during network stress and OOM (Dongli Zhang)  [Orabug: 25450703]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)
- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549809]
- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549809]
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles)  [Orabug: 25549809]
- VSOCK: Fix lockdep issue. (Dongli Zhang)  [Orabug: 25559937]
- VSOCK: sock_put wasn't safe to call in interrupt context (Dongli Zhang)  [Orabug: 25559937]
- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 25677469]
- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719675]  {CVE-2017-2583} {CVE-2017-2583}
- ext4: validate s_first_meta_bg at mount time (Eryu Guan)  [Orabug: 25719738]  {CVE-2016-10208}
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719810]  {CVE-2017-5986}
- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 25720813]  {CVE-2017-6214}
- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin)  [Orabug: 25759083]
- USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796594]   {CVE-2016-2782}
- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797012]  {CVE-2017-5669}
- vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 25797052]  {CVE-2015-6252}
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft)  [Orabug: 25814663]  {CVE-2017-7184}
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft)  [Orabug: 25814663]  {CVE-2017-7184}
- KEYS: Remove key_type::match in favour of overriding default by match_preparse (Aniket Alshi)  [Orabug: 25823962]  {CVE-2017-2647} {CVE-2017-2647}
- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825105]  {CVE-2015-5257} {CVE-2015-5257}
- udf: Check path length when reading symlink (Jan Kara)  [Orabug: 25871102]  {CVE-2015-9731}
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25876655]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877530]  {CVE-2016-7910}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790392]  {CVE-2016-9644}
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766911]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765776]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765445]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751996]  {CVE-2017-7187}

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed :

  - CVE-2016-4486: Fixed 4 byte information leak in     net/core/rtnetlink.c (bsc#978822).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2016-2143: The fork implementation in the Linux     kernel on s390 platforms mishandled the case of four     page-table levels, which allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a crafted application,     related to arch/s390/include/asm/mmu_context.h and     arch/s390/include/asm/pgalloc.h (bnc#970504).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employed a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retained certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     used an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in     the Linux kernel .4.1 allowed local users to gain     privileges by triggering access to a paging structure by     a different CPU (bnc#963767).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-7515: The aiptek_probe function in     drivers/input/tablet/aiptek.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device that lacks endpoints     (bnc#956708).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272 (bnc#955354).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956709).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #AC (aka     Alignment Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#952384).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-6252: The vhost_dev_ioctl function in     drivers/vhost/vhost.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via a VHOST_SET_LOG_FD ioctl call that triggers     permanent file-descriptor allocation (bnc#942367).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped (bnc#928130).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-8104: Prevent guest to host DoS caused by     infinite loop in microcode via #DB exception     (bsc#954404).

  - CVE-2015-5307: Prevent guest to host DoS caused by     infinite loop in microcode via #AC exception     (bsc#953527).

  - CVE-2015-7990: RDS: Verify the underlying transport     exists before creating a connection, preventing possible     DoS (bsc#952384).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandled IRET faults in     processing NMIs that occurred during userspace     execution, which might have allowed local users to gain     privileges by triggering an NMI (bsc#938706).

  - CVE-2015-7872: Possible crash when trying to garbage     collect an uninstantiated keyring (bsc#951440).

  - CVE-2015-0272: Prevent remote DoS using IPv6 RA with     bogus MTU by validating before applying it (bsc#944296).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bsc#945825).

  - CVE-2015-6252: The vhost_dev_ioctl function in     drivers/vhost/vhost.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via a VHOST_SET_LOG_FD ioctl call that triggered     permanent file-descriptor allocation (bsc#942367).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges.
(CVE-2015-5156)

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697)

Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252)

It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash). (CVE-2015-6937)

Ben Hutchings discovered that the Advanced Union Filesystem (aufs) for the Linux kernel did not correctly handle references of memory mapped files from an aufs mount. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2015-7312).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-7613: A flaw was found in the Linux kernel IPC     code that could lead to arbitrary code execution. The     ipc_addid() function initialized a shared object that     has unset uid/gid values. Since the fields are not     initialized, the check can falsely succeed. (bsc#948536)

  - CVE-2015-5156: When a guests KVM network devices is in a     bridge configuration the kernel can create a situation     in which packets are fragmented in an unexpected     fashion. The GRO functionality can create a situation in     which multiple SKB's are chained together in a single     packets fraglist (by design). (bsc#940776)

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel before 4.1.6 on the x86_64 platform mishandles     IRET faults in processing NMIs that occurred during     userspace execution, which might allow local users to     gain privileges by triggering an NMI (bsc#938706).

  - CVE-2015-6252: A flaw was found in the way the Linux     kernel's vhost driver treated userspace provided log     file descriptor when processing the VHOST_SET_LOG_FD     ioctl command. The file descriptor was never released     and continued to consume kernel memory. A privileged     local user with access to the /dev/vhost-net files could     use this flaw to create a denial-of-service attack     (bsc#942367).

  - CVE-2015-5697: The get_bitmap_file function in     drivers/md/md.c in the Linux kernel before 4.1.6 does     not initialize a certain bitmap data structure, which     allows local users to obtain sensitive information from     kernel memory via a GET_BITMAP_FILE ioctl call.
    (bnc#939994)

  - CVE-2015-6937: A NULL pointer dereference flaw was found     in the Reliable Datagram Sockets (RDS) implementation     allowing a local user to cause system DoS. A     verification was missing that the underlying transport     exists when a connection was created. (bsc#945825)

  - CVE-2015-5283: A NULL pointer dereference flaw was found     in SCTP implementation allowing a local user to cause     system DoS. Creation of multiple sockets in parallel     when system doesn't have SCTP module loaded can lead to     kernel panic. (bsc#947155)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-6252: Possible file descriptor leak for each     VHOST_SET_LOG_FDcommand issued, this could eventually     wasting available system resources and creating a denial     of service (bsc#942367).

  - CVE-2015-5707: Possible integer overflow in the     calculation of total number of pages in     bio_map_user_iov() (bsc#940338).

  - CVE-2015-5364: The (1) udp_recvmsg and (2) udpv6_recvmsg     functions in the Linux kernel before 4.0.6 do not     properly consider yielding a processor, which allowed     remote attackers to cause a denial of service (system     hang) via incorrect checksums within a UDP packet flood     (bsc#936831).

  - CVE-2015-5366: The (1) udp_recvmsg and (2) udpv6_recvmsg     functions in the Linux kernel before 4.0.6 provide     inappropriate -EAGAIN return values, which allowed     remote attackers to cause a denial of service (EPOLLET     epoll application read outage) via an incorrect checksum     in a UDP packet, a different vulnerability than     CVE-2015-5364 (bsc#936831).

  - CVE-2015-1420: Race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel through     3.19.1 allowed local users to bypass intended size     restrictions and trigger read operations on additional     memory locations by changing the handle_bytes value of a     file handle during the execution of this function     (bsc#915517).

  - CVE-2015-1805: The (1) pipe_read and (2) pipe_write     implementations in fs/pipe.c in the Linux kernel before     3.16 do not properly consider the side effects of failed
    __copy_to_user_inatomic and __copy_from_user_inatomic     calls, which allows local users to cause a denial of     service (system crash) or possibly gain privileges via a     crafted application, aka an 'I/O' vector array overrun.
    (bsc#933429)

  - CVE-2015-2150: Xen 3.3.x through 4.5.x and the Linux     kernel through 3.19.1 do not properly restrict access to     PCI command registers, which might allow local guest     users to cause a denial of service (non-maskable     interrupt and host crash) by disabling the (1) memory or     (2) I/O decoding for a PCI Express device and then     accessing the device, which triggers an Unsupported     Request (UR) response. (bsc#919463)

  - CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux     kernel before 3.19.2 does not prevent the TS_COMPAT flag     from reaching a user-mode task, which might allow local     users to bypass the seccomp or audit protection     mechanism via a crafted application that uses the (1)     fork or (2) close system call, as demonstrated by an     attack against seccomp before 3.16. (bsc#926240)

  - CVE-2015-4700: The bpf_int_jit_compile function in     arch/x86/net/bpf_jit_comp.c in the Linux kernel before     4.0.6 allowed local users to cause a denial of service     (system crash) by creating a packet filter and then     loading crafted BPF instructions that trigger late     convergence by the JIT compiler (bsc#935705).

  - CVE-2015-4167: The udf_read_inode function in     fs/udf/inode.c in the Linux kernel before 3.19.1 did not     validate certain length values, which allowed local     users to cause a denial of service (incorrect data     representation or integer overflow, and OOPS) via a     crafted UDF filesystem (bsc#933907).

  - CVE-2015-0777: drivers/xen/usbback/usbback.c in     linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support     patches for the Linux kernel 2.6.18), as used in the     Linux kernel 2.6.x and 3.x in SUSE Linux distributions,     allows guest OS users to obtain sensitive information     from uninitialized locations in host OS kernel memory     via unspecified vectors. (bsc#917830)

  - CVE-2014-9728: The UDF filesystem implementation in the     Linux kernel before 3.18.2 did not validate certain     lengths, which allowed local users to cause a denial of     service (buffer over-read and system crash) via a     crafted filesystem image, related to fs/udf/inode.c and     fs/udf/symlink.c (bsc#933904).

  - CVE-2014-9730: The udf_pc_to_char function in     fs/udf/symlink.c in the Linux kernel before 3.18.2     relies on component lengths that are unused, which     allowed local users to cause a denial of service (system     crash) via a crafted UDF filesystem image (bsc#933904).

  - CVE-2014-9729: The udf_read_inode function in     fs/udf/inode.c in the Linux kernel before 3.18.2 did not     ensure a certain data-structure size consistency, which     allowed local users to cause a denial of service (system     crash) via a crafted UDF filesystem image (bsc#933904).

  - CVE-2014-9731: The UDF filesystem implementation in the     Linux kernel before 3.18.2 did not ensure that space is     available for storing a symlink target's name along with     a trailing \0 character, which allowed local users to     obtain sensitive information via a crafted filesystem     image, related to fs/udf/symlink.c and fs/udf/unicode.c     (bsc#933896).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that an integer overflow error existed in the SCSI generic (sg) driver in the Linux kernel. A local attacker with write permission to a SCSI generic device could use this to cause a denial of service (system crash) or potentially escalate their privileges.
(CVE-2015-5707)

Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252)

It was discovered that the Linux kernel's perf subsystem did not bound callchain backtraces on PowerPC 64. A local attacker could use this to cause a denial of service. (CVE-2015-6526).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697)

Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

  - CVE-2015-8215     It was discovered that NetworkManager would set IPv6     MTUs based on the values received in IPv6 RAs (Router     Advertisements), without sufficiently validating these     values. A remote attacker could exploit this attack to     disable IPv6 connectivity. This has been mitigated by     adding validation in the kernel.

  - CVE-2015-2925     Jann Horn discovered that when a subdirectory of a     filesystem is bind-mounted into a container that has its     own user and mount namespaces, a process with     CAP_SYS_ADMIN capability in the user namespace can     access files outside of the subdirectory. The default     Debian configuration mitigated this as it does not allow     unprivileged users to create new user namespaces.

  - CVE-2015-5156     Jason Wang discovered that when a virtio_net device is     connected to a bridge in the same VM, a series of TCP     packets forwarded through the bridge may cause a heap     buffer overflow. A remote attacker could use this to     cause a denial of service (crash) or possibly for     privilege escalation.

  - CVE-2015-6252     Michael S. Tsirkin of Red Hat Engineering found that the     vhost driver leaked file descriptors passed to it with     the VHOST_SET_LOG_FD ioctl command. A privileged local     user with access to the /dev/vhost-net file, either     directly or via libvirt, could use this to cause a     denial of service (hang or crash).

  - CVE-2015-6937     It was found that the Reliable Datagram Sockets (RDS)     protocol implementation did not verify that an     underlying transport exists when creating a connection.
    Depending on how a local RDS application initialised its     sockets, a remote attacker might be able to cause a     denial of service (crash) by sending a crafted packet.

  - CVE-2015-7312     Xavier Chantry discovered that the patch provided by the     aufs project to correct behaviour of memory-mapped files     from an aufs mount introduced a race condition in the     msync() system call. Ben Hutchings found that it also     introduced a similar bug in the madvise_remove()     function. A local attacker could use this to cause a     denial of service or possibly for privilege escalation.

ID	Name	Product	Family	Severity
124984	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1531)	Nessus	Huawei Local Security Checks	high
124812	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1488)	Nessus	Huawei Local Security Checks	high
100238	OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)	Nessus	OracleVM Local Security Checks	critical
100237	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)	Nessus	OracleVM Local Security Checks	critical
100235	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)	Nessus	Oracle Linux Local Security Checks	critical
100234	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)	Nessus	Oracle Linux Local Security Checks	critical
93289	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)	Nessus	SuSE Local Security Checks	critical
87104	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:2108-1)	Nessus	SuSE Local Security Checks	high
86468	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2777-1)	Nessus	Ubuntu Local Security Checks	medium
86378	SUSE SLED12 / SLES12 Security Update : kernel-source (SUSE-SU-2015:1727-1)	Nessus	SuSE Local Security Checks	high
86290	SUSE SLED11 / SLES11 Security Update : kernel-source (SUSE-SU-2015:1678-1)	Nessus	SuSE Local Security Checks	high
86244	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2759-1)	Nessus	Ubuntu Local Security Checks	medium
86207	Ubuntu 15.04 : linux vulnerabilities (USN-2752-1)	Nessus	Ubuntu Local Security Checks	low
86206	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2751-1)	Nessus	Ubuntu Local Security Checks	low
86204	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2749-1)	Nessus	Ubuntu Local Security Checks	low
86190	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2748-1)	Nessus	Ubuntu Local Security Checks	low
86050	Debian DSA-3364-1 : linux - security update	Nessus	Debian Local Security Checks	medium

CVE-2015-6252

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins