http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c9b92530a723ac5ef8e352885a1862b18f31b2f5

SUSE-SU-2015:2339

SUSE-SU-2015:2350

SUSE-SU-2016:2074

RHSA-2016:0855

1034559

https://bugzilla.redhat.com/show_bug.cgi?id=1259222

https://bugzilla.suse.com/show_bug.cgi?id=956709

https://github.com/torvalds/linux/commit/c9b92530a723ac5ef8e352885a1862b18f31b2f5

https://security-tracker.debian.org/tracker/CVE-2015-7509

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed :

  - CVE-2016-4486: Fixed 4 byte information leak in     net/core/rtnetlink.c (bsc#978822).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2016-2143: The fork implementation in the Linux     kernel on s390 platforms mishandled the case of four     page-table levels, which allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a crafted application,     related to arch/s390/include/asm/mmu_context.h and     arch/s390/include/asm/pgalloc.h (bnc#970504).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employed a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retained certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     used an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in     the Linux kernel .4.1 allowed local users to gain     privileges by triggering access to a paging structure by     a different CPU (bnc#963767).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-7515: The aiptek_probe function in     drivers/input/tablet/aiptek.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device that lacks endpoints     (bnc#956708).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272 (bnc#955354).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956709).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #AC (aka     Alignment Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#952384).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-6252: The vhost_dev_ioctl function in     drivers/vhost/vhost.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via a VHOST_SET_LOG_FD ioctl call that triggers     permanent file-descriptor allocation (bnc#942367).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped (bnc#928130).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - IPoIB: increase send queue size to 4 times (Ajaykumar     Hotchandani) 

  - IB/ipoib: Change send workqueue size for CM mode     (Ajaykumar Hotchandani) [Orabug: 22287489]

  - Avoid 60sec timeout when receiving rtpg sense code     06/00/00 (John Sobecki) [Orabug: 22336257]

  - stop recursive fault in print_context_stack after stack     overflow (John Sobecki) [Orabug: 23174777]

  - IB/security: Restrict use of the write interface (Jason     Gunthorpe) [Orabug: 23287131] (CVE-2016-4565)

  - net: add validation for the socket syscall protocol     argument (Hannes Frederic Sowa) [Orabug: 23267976]     (CVE-2015-8543) (CVE-2015-8543)

  - ipv6: addrconf: validate new MTU before applying it     (Marcelo Leitner) [Orabug: 23263251] (CVE-2015-8215)

  - ext4: avoid hang when mounting non-journal filesystems     with orphan list (Theodore Ts'o) [Orabug: 23262219]     (CVE-2015-7509)

  - ext4: make orphan functions be no-op in no-journal mode     (Anatol Pomozov) [Orabug: 23262219] (CVE-2015-7509)

  - unix: properly account for FDs passed over unix sockets     (willy tarreau) [Orabug: 23262265] (CVE-2013-4312)     (CVE-2013-4312)

  - sctp: Prevent soft lockup when sctp_accept is called     during a timeout event (Karl Heiss) [Orabug: 23222773]     (CVE-2015-8767)

  - [SUNRPC]: avoid race between xs_reset_transport and     xs_tcp_setup_socket (Wengang Wang)

  - x86_64: expand kernel stack to 16K (Minchan Kim)     [Orabug: 20920074]

  - qla2xxx: fix wrongly report 'PCI EEH busy' when     get_thermal_temp (Vaughan Cao) [Orabug: 21108318]

  - RDS/IB: VRPC DELAY / OSS RECONNECT CAUSES 5 MINUTE STALL     ON PORT FAILURE (Venkat Venkatsubra) [Orabug: 21465077]

  - RDS: Fix the atomicity for congestion map update     (Wengang Wang) 

  - RDS: introduce generic [clear,set]_bit_le (Wengang Wang)     [Orabug: 22118109]

  - cifs: allow socket to clear and app threads to set     tcpStatus CifsNeedReconnect (John Sobecki) [Orabug:
    22203554]

  - mlx4_vnic: Enable LRO for mlx4_vnic net devices. (Ashish     Samant) 

  - mlx4_vnic: Add correct typecasting to pointers. (Ashish     Samant) 

  - veth: don&rsquo t modify ip_summed  doing so treats     packets with bad checksums as good. (Vijay Pandurangan)     [Orabug: 22804574]

Security Fix(es) :

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case of     a local denial of service, an attacker must have access     to the MMIO area or be able to access an I/O port.
    Please note that on certain systems, HPET is mapped to     userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way. (CVE-2010-5313,     CVE-2014-7842, Moderate)

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the system.
    (CVE-2013-4312, Moderate)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio- net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality was     enabled in a bridged network configuration. An attacker     on the local network could potentially use this flaw to     crash the system, or, although unlikely, elevate their     privileges on the system. (CVE-2015-5156, Moderate)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially use     this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system. (CVE-2015-8215, Moderate)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's network subsystem handled socket creation     with an invalid protocol identifier. A local user could     use this flaw to crash the system. (CVE-2015-8543,     Moderate)

  - It was found that the espfix functionality does not work     for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses. (CVE-2014-8134, Low)

  - A flaw was found in the way the Linux kernel's ext4 file     system driver handled non-journal file systems with an     orphan list. An attacker with physical access to the     system could use this flaw to crash the system or,     although unlikely, escalate their privileges on the     system. (CVE-2015-7509, Low)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's ext4 file system driver handled certain     corrupted file system images. An attacker with physical     access to the system could use this flaw to crash the     system. (CVE-2015-8324, Low)

Notes :

  - Problems have been reported with this kernel and     VirtualBox. More info is available in the notes for the     VirtualBox ticket here: <a     href='https://www.virtualbox.org/ticket/14866'     target='_blank'>https://www.virtualbox.org/ticket/14866<     /a>

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-3567 advisory.

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-3566 advisory.

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-0855 advisory.

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper     paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support     a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of     service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
    (CVE-2015-5156)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956707).

  - CVE-2015-7515: An out of bounds memory access in the     aiptek USB driver could be used by physical local     attackers to crash the kernel (bnc#956708).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-7566: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#961512).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8550: Optimizations introduced by the compiler     could have lead to double fetch vulnerabilities,     potentially possibly leading to arbitrary code execution     in backend (bsc#957988). (bsc#957988 XSA-155).

  - CVE-2015-8551: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to hit BUG     conditions and cause a denial of service (NULL pointer     dereference and host OS crash) by leveraging a system     with access to a passed-through MSI or MSI-X capable     physical PCI device and a crafted sequence of     XEN_PCI_OP_* operations, aka 'Linux pciback missing     sanity checks (bnc#957990).

  - CVE-2015-8552: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to generate a     continuous stream of WARN messages and cause a denial of     service (disk consumption) by leveraging a system with     access to a passed-through MSI or MSI-X capable physical     PCI device and XEN_PCI_OP_enable_msi operations, aka     'Linux pciback missing sanity checks (bnc#957990).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     do not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8812: A flaw was found in the CXGB3 kernel     driver when the network was considered congested. The     kernel would incorrectly misinterpret the congestion as     an error condition and incorrectly free/clean up the     skb. When the device would then send the skb's queued,     these structures would be referenced and may panic the     system or allow an attacker to escalate privileges in a     use-after-free scenario.(bsc#966437).

  - CVE-2015-8816: A malicious USB device could cause kernel     crashes in the in hub_activate() function (bnc#968010).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: A race in invalidating paging structures     that were not in use locally could have lead to     disclosoure of information or arbitrary code exectution     (bnc#963767).

  - CVE-2016-2143: On zSeries a fork of a large process     could have caused memory corruption due to incorrect     page table handling. (bnc#970504, LTC#138810).

  - CVE-2016-2184: A malicious USB device could cause kernel     crashes in the alsa usb-audio device driver     (bsc#971125).

  - CVE-2016-2185: A malicious USB device could cause kernel     crashes in the usb_driver_claim_interface function     (bnc#971124).

  - CVE-2016-2186: A malicious USB device could cause kernel     crashes in the powermate device driver (bnc#970958).

  - CVE-2016-2384: A double free on the ALSA umidi object     was fixed. (bsc#966693).

  - CVE-2016-2543: A missing NULL check at remove_events     ioctl in the ALSA seq driver was fixed. (bsc#967972).

  - CVE-2016-2544: Fix race at timer setup and close in the     ALSA seq driver was fixed. (bsc#967973).

  - CVE-2016-2545: A double unlink of active_list in the     ALSA timer driver was fixed. (bsc#967974).

  - CVE-2016-2546: A race among ALSA timer ioctls was fixed     (bsc#967975).

  - CVE-2016-2547,CVE-2016-2548: The ALSA slave timer list     handling was hardened against hangs and races.
    (CVE-2016-2547,CVE-2016-2548,bsc#968011,bsc#968012).

  - CVE-2016-2549: A stall in ALSA hrtimer handling was     fixed (bsc#968013).

  - CVE-2016-2782: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#968670).

  - CVE-2016-3137: A malicious USB device could cause kernel     crashes in the cypress_m8 device driver (bnc#970970).

  - CVE-2016-3139: A malicious USB device could cause kernel     crashes in the wacom device driver (bnc#970909).

  - CVE-2016-3140: A malicious USB device could cause kernel     crashes in the digi_acceleport device driver     (bnc#970892).

  - CVE-2016-3156: A quadratic algorithm could lead to long     kernel ipv4 hangs when removing a device with a large     number of addresses. (bsc#971360).

  - CVE-2016-3955: A remote buffer overflow in the usbip     driver could be used by authenticated attackers to crash     the kernel. (bsc#975945)

  - CVE-2016-2847: A local user could exhaust kernel memory     by pushing lots of data into pipes. (bsc#970948).

  - CVE-2016-2188: A malicious USB device could cause kernel     crashes in the iowarrior device driver (bnc#970956).

  - CVE-2016-3138: A malicious USB device could cause kernel     crashes in the cdc-acm device driver (bnc#970911).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-7509: Mounting ext4 filesystems in no-journal     mode could hav lead to a system crash (bsc#956709).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #AC (aka     Alignment Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2015-7990: RDS: There was no verification that an     underlying transport exists when creating a connection,     causing usage of a NULL pointer (bsc#952384).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandled IRET faults in     processing NMIs that occurred during userspace     execution, which might have allowed local users to gain     privileges by triggering an NMI (bnc#938706).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-0272: Missing checks allowed remote attackers     to cause a denial of service (IPv6 traffic disruption)     via a crafted MTU value in an IPv6 Router Advertisement     (RA) message, a different vulnerability than     CVE-2015-8215 (bnc#944296).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
93289	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)	Nessus	SuSE Local Security Checks	critical
91743	OracleVM 3.2 : kernel-uek (OVMSA-2016-0060)	Nessus	OracleVM Local Security Checks	high
91643	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20160510)	Nessus	Scientific Linux Local Security Checks	high
91293	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3567)	Nessus	Oracle Linux Local Security Checks	high
91292	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3566)	Nessus	Oracle Linux Local Security Checks	high
91210	Oracle Linux 6 : kernel (ELSA-2016-0855)	Nessus	Oracle Linux Local Security Checks	high
91170	CentOS 6 : kernel (CESA-2016:0855)	Nessus	CentOS Local Security Checks	high
91077	RHEL 6 : kernel (RHSA-2016:0855)	Nessus	Red Hat Local Security Checks	high
90884	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:1203-1)	Nessus	SuSE Local Security Checks	critical
87651	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:2339-1)	Nessus	SuSE Local Security Checks	medium

CVE-2015-7509

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

high

high

high

high

high

critical

medium