http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94f9cd81436c85d8c3a318ba92e236ede73752fc

FEDORA-2016-2f25d12c51

FEDORA-2016-5d43766e33

openSUSE-SU-2016:1008

[oss-security] 20160127 CVE Request: Linux: NULL pointer dereference netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html

USN-2889-1

USN-2889-2

USN-2890-1

USN-2890-2

USN-2890-3

https://bugzilla.redhat.com/show_bug.cgi?id=1300731

https://github.com/torvalds/linux/commit/94f9cd81436c85d8c3a318ba92e236ede73752fc

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with     CAP_SYS_ADMIN capability) can directly perform the     ioctl operations for dm device creation and removal and     this would typically be outside the direct control of     the unprivileged attacker.(CVE-2017-18203i1/4%0

  - The batadv_frag_merge_packets function in     net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel through 3.18.1 uses     an incorrect length field during a calculation of an     amount of memory, which allows remote attackers to     cause a denial of service (mesh-node system crash) via     fragmented packets.(CVE-2014-9428i1/4%0

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940i1/4%0

  - The Linux kernel before 3.12, when UDP Fragmentation     Offload (UFO) is enabled, does not properly initialize     certain data structures, which allows local users to     cause a denial of service (memory corruption and system     crash) or possibly gain privileges via a crafted     application that uses the UDP_CORK option in a     setsockopt system call and sends both short and long     packets, related to the ip_ufo_append_data function in     net/ipv4/ip_output.c and the ip6_ufo_append_data     function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's Datagram Congestion Control Protocol (DCCP)     implementation freed SKB (socket buffer) resources for     a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO     option is set on the socket. A local, unprivileged user     could use this flaw to alter the kernel memory,     allowing them to escalate their privileges on the     system.(CVE-2017-6074i1/4%0

  - A NULL-pointer dereference vulnerability was found in     the Linux kernel's TCP stack, in     net/netfilter/nf_nat_redirect.c in the     nf_nat_redirect_ipv4() function. A remote,     unauthenticated user could exploit this flaw to create     a system crash (denial of service).(CVE-2015-8787i1/4%0

  - A use-after-free flaw was found in the CXGB3 kernel     driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as     an error condition and incorrectly freed or cleaned up     the socket buffer (skb). When the device then sent the     skb's queued data, these structures were referenced. A     local attacker could use this flaw to panic the system     (denial of service) or, with a local account, escalate     their privileges.(CVE-2015-8812i1/4%0

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5364i1/4%0

  - The timer_create syscall implementation in     kernel/time/posix-timers.c in the Linux kernel doesn't     properly validate the sigevent-i1/4zsigev_notify field,     which leads to out-of-bounds access in the show_timer     function.(CVE-2017-18344i1/4%0

  - A flaw was discovered in the way the Linux kernel dealt     with paging structures. When the kernel invalidated a     paging structure that was not in use locally, it could,     in principle, race against another CPU that is     switching to a process that uses the paging structure     in question. A local user could use a thread running     with a stale cached virtual-i1/4zphysical translation to     potentially escalate their privileges if the     translation in question were writable and the physical     page got reused for something critical (for example, a     page table).(CVE-2016-2069i1/4%0

  - Use after free vulnerability was found in percpu using     previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is     freed with free_percpu() which triggers async     pcpu_balance_work and then pcpu_extend_area_map could     use a chunk after it has been freed.(CVE-2016-4794i1/4%0

  - A missing authorization check in the     fscrypt_process_policy function in fs/crypto/policy.c     in the ext4 and f2fs filesystem encryption support in     the Linux kernel allows a user to assign an encryption     policy to a directory owned by a different user,     potentially creating a denial of     service.(CVE-2016-10318i1/4%0

  - The security_context_to_sid_core function in     security/selinux/ss/services.c in the Linux kernel     before 3.13.4 allows local users to cause a denial of     service (system crash) by leveraging the CAP_MAC_ADMIN     capability to set a zero-length security     context.(CVE-2014-1874i1/4%0

  - The vfe31_proc_general function in     drivers/media/video/msm/vfe/msm_vfe31.c in the     MSM-VFE31 driver for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, does not validate a     certain id value, which allows attackers to gain     privileges or cause a denial of service (memory     corruption) via an application that makes a crafted     ioctl call.(CVE-2014-9410i1/4%0

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on a negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel.(CVE-2017-12192i1/4%0

  - Out-of-bounds memory read in the x509_decode_time     function in x509_cert_parser.c in Linux kernels 4.3-rc1     and after.(CVE-2015-5327i1/4%0

  - It was found that the espfix functionality does not     work for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses.(CVE-2014-8134i1/4%0

  - An out-of-bounds write flaw was found in the way the     Apple Magic Mouse/Trackpad multi-touch driver handled     Human Interface Device (HID) reports with an invalid     size. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3181i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's key management subsystem handled keyring     object reference counting in certain error path of the     join_session_keyring() function. A local, unprivileged     user could use this flaw to escalate their privileges     on the system.(CVE-2016-0728i1/4%0

  - Use-after-free vulnerability in the skb_segment     function in net/core/skbuff.c in the Linux kernel     through 3.13.6 allows attackers to obtain sensitive     information from kernel memory by leveraging the     absence of a certain orphaning     operation.(CVE-2014-0131i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An information-leak vulnerability was found in the     kernel when it truncated a file to a smaller size which     consisted of an inline extent that was compressed. The     data between the new file size and the old file size     was not discarded and the number of bytes used by the     inode were not correctly decremented, which gave the     wrong report for callers of the stat(2) syscall. This     wasted metadata space and allowed for the truncated     data to be leaked, and data corruption or loss to     occur. A caller of the clone ioctl could exploit this     flaw by using only standard file-system operations     without root access to read the truncated     data.(CVE-2015-8374)

  - A flaw was found in the Linux kernel's key management     system where it was possible for an attacker to     escalate privileges or crash the machine. If a user key     gets negatively instantiated, an error code is cached     in the payload area. A negatively instantiated key may     be then be positively instantiated by updating it with     valid data. However, the -i1/4zupdate key type method     must be aware that the error code may be     there.(CVE-2015-8539)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543)

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569)

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575)

  - The ovl_setattr function in fs/overlayfs/inode.c in the     Linux kernel through 4.3.3 attempts to merge distinct     setattr operations, which allows local users to bypass     intended access restrictions and modify the attributes     of arbitrary overlay files via a crafted     application.(CVE-2015-8660)

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled sctp_accept()     during the processing of heartbeat timeout events. A     remote attacker could use this flaw to prevent further     connections to be accepted by the SCTP server running     on the system, resulting in a denial of     service.(CVE-2015-8767)

  - An infinite-loop flaw was found in the kernel. When a     local user calls the sys_writev syscall with a     specially crafted sequence of iov structs, the     fuse_fill_write_pages kernel function might never     terminate, instead continuing in a tight loop. This     process cannot be terminated and requires a     reboot.(CVE-2015-8785)

  - A NULL-pointer dereference vulnerability was found in     the Linux kernel's TCP stack, in     net/netfilter/nf_nat_redirect.c in the     nf_nat_redirect_ipv4() function. A remote,     unauthenticated user could exploit this flaw to create     a system crash (denial of service).(CVE-2015-8787)

  - A use-after-free flaw was found in the CXGB3 kernel     driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as     an error condition and incorrectly freed or cleaned up     the socket buffer (skb). When the device then sent the     skb's queued data, these structures were referenced. A     local attacker could use this flaw to panic the system     (denial of service) or, with a local account, escalate     their privileges.(CVE-2015-8812)

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816)

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944)

  - 'A flaw was found in the Linux kernel's implementation     of overlayfs. An attacker can leak file resources in     the system by opening a large file with write     permissions on a overlay filesystem that is     insufficient to deal with the size of the write.

  - When unmounting the underlying device, the system is     unable to free an inode and this will consume     resources. Repeating this for all available inodes and     memory will create a denial of service     situation.(CVE-2015-8953)'

  - The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel before     4.2 allows local users to obtain sensitive information     or cause a denial of service (NULL pointer dereference)     via vectors involving a bind system call on a Bluetooth     RFCOMM socket.(CVE-2015-8956)

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961)

  - A flaw was found in the Linux kernel SCSI subsystem,     which allowed a local user to gain privileges or cause     a denial of service (memory corruption and system     crash) by issuing an SG_IO ioctl call while a device     was being detached.(CVE-2015-8962)

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963)

  - The tty_set_termios_ldisc() function in     'drivers/tty/tty_ldisc.c' in the Linux kernel before     4.5 allows local users to obtain sensitive information     from kernel memory by reading a tty data     structure.(CVE-2015-8964)

  - The lrw_crypt() function in 'crypto/lrw.c' in the Linux     kernel before 4.5 allows local users to cause a system     crash and a denial of service by the NULL pointer     dereference via accept(2) system call for AF_ALG socket     without calling setkey() first to set a cipher     key.(CVE-2015-8970)

  - It was found that kernel/events/core.c in the Linux     kernel mishandles counter grouping, which allows local     users to gain privileges via a crafted application,     related to the perf_pmu_register and perf_event_open     functions.(CVE-2015-9004)

  - A use-after-free flaw was discovered in the Linux     kernel's tty subsystem, which allows for the disclosure     of uncontrolled memory location and possible kernel     panic. The information leak is caused by a race     condition when attempting to set and read the tty line     discipline. A local attacker could use the TIOCSETD     (via tty_set_ldisc ) to switch to a new line discipline     a concurrent call to a TIOCGETD ioctl performing a read     on a given tty could then access previously allocated     memory. Up to 4 bytes could be leaked when querying the     line discipline or the kernel could panic with a     NULL-pointer dereference.(CVE-2016-0723)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0100 for details.

The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandled destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2016-4557: The replace_map_fd_with_map_ptr function     in kernel/bpf/verifier.c in the Linux kernel did not     properly maintain an fd data structure, which allowed     local users to gain privileges or cause a denial of     service (use-after-free) via crafted BPF instructions     that reference an incorrect file descriptor     (bnc#979018).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4951: The tipc_nl_publ_dump function in     net/tipc/socket.c in the Linux kernel did not verify     socket existence, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     dumpit operation (bnc#981058).

  - CVE-2015-8787: The nf_nat_redirect_ipv4 function in     net/netfilter/nf_nat_redirect.c in the Linux kernel     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by sending certain IPv4     packets to an incompletely configured interface, a     related issue to CVE-2003-1604 (bnc#963931).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-6828: A use after free in     tcp_xmit_retransmit_queue() was fixed that could be used     by local attackers to crash the kernel (bsc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986362 986365 990058).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for man-in-the-middle     attackers to hijack TCP sessions via a blind in-window     attack (bnc#989152).

  - CVE-2016-1237: nfsd in the Linux kernel allowed local     users to bypass intended file-permission restrictions by     setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c,     and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

  - AF_VSOCK: Shrink the area influenced by prepare_to_wait     (bsc#994520).

  - KVM: arm/arm64: Handle forward time correction     gracefully (bnc#974266).

  - Linux 4.1.29. Refreshed patch:
    patches.xen/xen3-fixup-xen Deleted patches:
    patches.fixes/0001-Revert-ecryptfs-forbid-opening-files-     without-mmap-ha.patch     patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lo     wer-file-system.patch     patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compo     und-page-ar     patches.rpmify/Revert-powerpc-Update-TM-user-feature-bit     s-in-scan_f

  - Revert 'mm/swap.c: flush lru pvecs on compound page     arrival' (boo#989084).

  - Revert 'powerpc: Update TM user feature bits in     scan_features()'. Fix the build error of 4.1.28 on ppc.

  - Revive i8042_check_power_owner() for 4.1.31 kabi fix.

  - USB: OHCI: Do not mark EDs as ED_OPER if scheduling     fails (bnc#987886).

  - USB: validate wMaxPacketValue entries in endpoint     descriptors (bnc#991665).

  - Update     patches.fixes/0002-nfsd-check-permissions-when-setting-A     CLs.patch (bsc#986570 CVE-2016-1237).

  - Update     patches.fixes/0001-posix_acl-Add-set_posix_acl.patch     (bsc#986570 CVE-2016-1237).

  - netfilter: x_tables: fix 4.1 stable backport     (bsc#989176).

  - nfsd: check permissions when setting ACLs (bsc#986570).

  - posix_acl: Add set_posix_acl (bsc#986570).

  - ppp: defer netns reference release for ppp channel     (bsc#980371).

  - series.conf: Move a kABI patch to its own section

  - supported.conf: enable i2c-designware driver     (bsc#991110)

  - tcp: enable per-socket rate limiting of all 'challenge     acks' (bsc#989152).

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The openSUSE Leap 42.1 kernel was updated to 4.1.20 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2015-1339: A memory leak in cuse could be used to     exhaust kernel memory. (bsc#969356).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936 951638).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-7884: The vivid_fb_ioctl function in     drivers/media/platform/vivid/vivid-osd.c in the Linux     kernel did not initialize a certain structure member,     which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951626).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-8709: kernel/ptrace.c in the Linux kernel     mishandled uid and gid mappings, which allowed local     users to gain privileges by establishing a user     namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here (bnc#959709).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call. (bsc#961509)

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8787: The nf_nat_redirect_ipv4 function in     net/netfilter/nf_nat_redirect.c in the Linux kernel     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by sending certain IPv4     packets to an incompletely configured interface, a     related issue to CVE-2003-1604 (bnc#963931).

  - CVE-2015-8812: A flaw was found in the CXGB3 kernel     driver when the network was considered congested. The     kernel would incorrectly misinterpret the congestion as     an error condition and incorrectly free/clean up the     skb. When the device would then send the skb's queued,     these structures would be referenced and may panic the     system or allow an attacker to escalate privileges in a     use-after-free scenario. (bsc#966437).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: When Linux invalidated a paging structure     that is not in use locally, it could, in principle, race     against another CPU that is switching to a process that     uses the paging structure in question. (bsc#963767)

  - CVE-2016-2184: A malicious USB device could cause a     kernel crash in the alsa usb-audio driver. (bsc#971125)

  - CVE-2016-2383: Incorrect branch fixups for eBPF allow     arbitrary read of kernel memory. (bsc#966684)

  - CVE-2016-2384: A malicious USB device could cause a     kernel crash in the alsa usb-audio driver. (bsc#966693)

The following non-security bugs were fixed :

  - alsa: hda - Apply clock gate workaround to Skylake, too     (bsc#966137).

  - alsa: hda - disable dynamic clock gating on Broxton     before reset (bsc#966137).

  - alsa: hda - Fix playback noise with 24/32 bit sample     size on BXT (bsc#966137).

  - alsa: seq: Fix double port list deletion (bsc#968018).

  - alsa: seq: Fix leak of pool buffer at concurrent writes     (bsc#968018).

  - alsa: timer: Fix race between stop and interrupt     (bsc#968018).

  - alsa: timer: Fix wrong instance passed to slave     callbacks (bsc#968018).

  - arm64: Add workaround for Cavium erratum 27456.

  - arm64: Backport arm64 patches from SLE12-SP1-ARM

  - btrfs: teach backref walking about backrefs with     underflowed (bsc#966259).

  - cgroup kabi fix for 4.1.19.

  - config: Disable CONFIG_DDR. CONFIG_DDR is selected     automatically by drivers which need it.

  - config: Disable MFD_TPS65218 The TPS65218 is a power     management IC for 32-bit ARM systems.

  - config: Modularize NF_REJECT_IPV4/V6 There is no reason     why these helper modules should be built-in when the     rest of netfilter is built as modules.

  - config: Update x86 config files: Enable Intel RAPL This     driver is useful when power caping is needed. It was     enabled in the SLE kernel 2 years ago.

  - Delete patches.fixes/bridge-module-get-put.patch. As     discussed in     http://lists.opensuse.org/opensuse-kernel/2015-11/msg000     46.html

  - drm/i915: Fix double unref in intelfb_alloc failure path     (boo#962866, boo#966179).

  - drm/i915: Fix failure paths around initial fbdev     allocation (boo#962866, boo#966179).

  - drm/i915: Pin the ifbdev for the info->system_base GGTT     mmapping (boo#962866, boo#966179).

  - e1000e: Avoid divide by zero error (bsc#965125).

  - e1000e: fix division by zero on jumbo MTUs (bsc#965125).

  - e1000e: fix systim issues (bsc#965125).

  - e1000e: Fix tight loop implementation of systime read     algorithm (bsc#965125).

  - ibmvnic: Fix ibmvnic_capability struct.

  - intel: Disable Skylake support in intel_idle driver     again (boo#969582) This turned out to bring a regression     on some machines, unfortunately. It should be addressed     in the upstream at first.

  - intel_idle: allow idle states to be freeze-mode specific     (boo#969582).

  - intel_idle: Skylake Client Support (boo#969582).

  - intel_idle: Skylake Client Support - updated     (boo#969582).

  - libceph: fix scatterlist last_piece calculation     (bsc#963746).

  - lio: Add LIO clustered RBD backend (fate#318836)

  - net kabi fixes for 4.1.19.

  - numa patches updated to v15

  - ocfs2: fix dlmglue deadlock issue(bnc#962257)

  - pci: thunder: Add driver for ThunderX-pass(1,2) on-chip     devices

  - pci: thunder: Add PCIe host driver for ThunderX     processors

  - sd: Optimal I/O size is in bytes, not sectors     (boo#961263).

  - sd: Reject optimal transfer length smaller than page     size (boo#961263).

  - series.conf: move cxgb3 patch to network drivers section

Update to latest upstream stable release, Linux v4.3.4. Elan touchpad fixes. ---- Update to 4.3.y stable series. Fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream stable release, Linux v4.3.4. Fixes for Elan touchpads.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446)

It was discovered that the KVM implementation in the Linux kernel did not properly restore the values of the Programmable Interrupt Timer (PIT). A user-assisted attacker in a KVM guest could cause a denial of service in the host (system crash). (CVE-2015-7513)

It was discovered that the Linux kernel keyring subsystem contained a race between read and revoke operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-7550)

Sasha Levin discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel had a race condition when checking whether a socket was bound or not. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-7990)

It was discovered that the Btrfs implementation in the Linux kernel incorrectly handled compressed inline extants on truncation. A local attacker could use this to expose sensitive information.
(CVE-2015-8374)

Guoyong Gang discovered that the Linux kernel networking implementation did not validate protocol identifiers for certain protocol families, A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2015-8543)

Dmitry Vyukov discovered that the pptp implementation in the Linux kernel did not verify an address length when setting up a socket. A local attacker could use this to craft an application that exposed sensitive information from kernel memory. (CVE-2015-8569)

David Miller discovered that the Bluetooth implementation in the Linux kernel did not properly validate the socket address length for Synchronous Connection-Oriented (SCO) sockets. A local attacker could use this to expose sensitive information. (CVE-2015-8575)

It was discovered that the netfilter Network Address Translation (NAT) implementation did not ensure that data structures were initialized when handling IPv4 addresses. An attacker could use this to cause a denial of service (system crash). (CVE-2015-8787).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446)

It was discovered that the KVM implementation in the Linux kernel did not properly restore the values of the Programmable Interrupt Timer (PIT). A user-assisted attacker in a KVM guest could cause a denial of service in the host (system crash). (CVE-2015-7513)

Sasha Levin discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel had a race condition when checking whether a socket was bound or not. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-7990)

It was discovered that the Btrfs implementation in the Linux kernel incorrectly handled compressed inline extants on truncation. A local attacker could use this to expose sensitive information.
(CVE-2015-8374)

It was discovered that the netfilter Network Address Translation (NAT) implementation did not ensure that data structures were initialized when handling IPv4 addresses. An attacker could use this to cause a denial of service (system crash). (CVE-2015-8787).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.
(CVE-2015-7613)

Linux kernels built with the name spaces support(CONFIG_NAMESPACE) is vulnerable to a potential privilege escalation flaw. It could occur when a process within a container escapes the intended bind mounts to access the full file system. A privileged user inside a container could use this flaw to potentially gain full privileges on a system.
(CVE-2015-2925)

A NULL pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).
(CVE-2015-8787)

ID	Name	Product	Family	Severity
124980	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)	Nessus	Huawei Local Security Checks	critical
124813	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)	Nessus	Huawei Local Security Checks	critical
93679	OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0100)	Nessus	OracleVM Local Security Checks	critical
93445	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1076)	Nessus	SuSE Local Security Checks	critical
93148	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)	Nessus	Oracle Linux Local Security Checks	critical
90482	openSUSE Security Update : the Linux Kernel (openSUSE-2016-445)	Nessus	SuSE Local Security Checks	critical
89554	Fedora 22 : kernel-4.3.4-200.fc22 (2016-5d43766e33)	Nessus	Fedora Local Security Checks	critical
89507	Fedora 23 : kernel-4.3.4-300.fc23 (2016-2f25d12c51)	Nessus	Fedora Local Security Checks	critical
88526	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2890-3)	Nessus	Ubuntu Local Security Checks	critical
88525	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2890-2)	Nessus	Ubuntu Local Security Checks	critical
88524	Ubuntu 15.10 : linux vulnerabilities (USN-2890-1)	Nessus	Ubuntu Local Security Checks	critical
88523	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2889-2)	Nessus	Ubuntu Local Security Checks	critical
88522	Ubuntu 15.04 : linux vulnerabilities (USN-2889-1)	Nessus	Ubuntu Local Security Checks	critical
86634	Amazon Linux AMI : kernel (ALAS-2015-603)	Nessus	Amazon Linux Local Security Checks	critical

CVE-2015-8787

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical