http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3951a3709ff50990bf3e188c27d346792103432

94187

https://github.com/torvalds/linux/commit/f3951a3709ff50990bf3e188c27d346792103432

https://source.android.com/security/bulletin/2016-11-01.html

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An out-of-bounds memory access flaw was found in the     Linux kernel's system call auditing implementation. On     a system with existing audit rules defined, a local,     unprivileged user could use this flaw to leak kernel     memory to user space or, potentially, crash the     system.(CVE-2014-3917i1/4%0

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net     namespaces.(CVE-2017-17448i1/4%0

  - A race condition flaw was found between the chown and     execve system calls. When changing the owner of a     setuid user binary to root, the race condition could     momentarily make the binary setuid root. A local,     unprivileged user could potentially use this flaw to     escalate their privileges on the     system.(CVE-2015-3339i1/4%0

  - Keberos 5 tickets being decoded when using the RXRPC     keys incorrectly assumes the size of a field. This     could lead to the size-remaining variable wrapping and     the data pointer going over the end of the buffer. This     could possibly lead to memory corruption and possible     privilege escalation.(CVE-2017-7482i1/4%0

  - The nfs_can_extend_write function in fs/nfs/write.c in     the Linux kernel before 3.13.3 relies on a write     delegation to extend a write operation without a     certain up-to-date verification, which allows local     users to obtain sensitive information from kernel     memory in opportunistic circumstances by writing to a     file in an NFS filesystem and then reading the same     file.(CVE-2014-2038i1/4%0

  - KVM in the Linux kernel before 4.8.12, when I/O APIC is     enabled, does not properly restrict the VCPU index,     which allows guest OS users to gain host OS privileges     or cause a denial of service (out-of-bounds array     access and host OS crash) via a crafted interrupt     request, related to arch/x86/kvm/ioapic.c and     arch/x86/kvm/ioapic.h.(CVE-2016-9777i1/4%0

  - The instruction decoder in arch/x86/kvm/emulate.c in     the KVM subsystem in the Linux kernel before 3.18-rc2     lacks intended decoder-table flags for certain     RIP-relative instructions, which allows guest OS users     to cause a denial of service (NULL pointer dereference     and host OS crash) via a crafted     application.(CVE-2014-8480i1/4%0

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508i1/4%0

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly restrict the mount     namespace, which allows local users to gain privileges     by mounting an overlayfs filesystem on top of a FUSE     filesystem, and then executing a crafted setuid     program.(CVE-2016-1576i1/4%0

  - A use-after-free vulnerability was found when issuing     an ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption     or possibly privilege escalation.(CVE-2017-15265i1/4%0

  - The drivers/uwb/uwbd.c in the Linux kernel, before     4.13.6, allows local users to cause a denial of service     (general protection fault and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16526i1/4%0

  - The Linux kernel was found vulnerable to a NULL pointer     dereference in the     drivers/net/phy/mdio-bcm-unimac.c:unimac_mdio_probe()     function caused by an unchecked return value from the     platform_get_resource() function. A successful flaw     exploitation can cause a system panic and a denial of     service. This flaw is believed not to be an attacker     triggerable as bad return value can be caused by     hardware misconfiguration.(CVE-2018-8043i1/4%0

  - A flaw was found in the Linux kernel SCSI subsystem,     which allowed a local user to gain privileges or cause     a denial of service (memory corruption and system     crash) by issuing an SG_IO ioctl call while a device     was being detached.(CVE-2015-8962i1/4%0

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-7913i1/4%0

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002i1/4%0

  - Race condition in the environ_read() function in     'fs/proc/base.c' in the Linux kernel before 4.5.4     allows local users to obtain sensitive information from     kernel memory by reading a '/proc/*/environ' file     during a process-setup time interval in which     environment-variable copying is     incomplete.(CVE-2016-7916i1/4%0

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001i1/4%0

  - A vulnerability was found in the Linux kernel when     peeling off an association to the socket in another     network namespace. All transports in this association     are not to be rehashed and keep using the old key in     hashtable, thus removing transports from hashtable when     closing the socket, all transports are being freed.
    Later on a use-after-free issue could be caused when     looking up an association and dereferencing the     transports.(CVE-2017-15115i1/4%0

  - The evm_verify_hmac function in     security/integrity/evm/evm_main.c in the Linux kernel     before 4.5 does not properly copy data, which makes it     easier for local users to forge MAC values via a timing     side-channel attack.(CVE-2016-2085i1/4%0

  - A flaw was discovered in processing setsockopt for 32     bit processes on 64 bit systems. This flaw will allow     attackers to alter arbitrary kernel memory when     unloading a kernel module. This action is usually     restricted to root-privileged users but can also be     leveraged if the kernel is compiled with CONFIG_USER_NS     and CONFIG_NET_NS and the user is granted elevated     privileges.(CVE-2016-4997i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An information-leak vulnerability was found in the     kernel when it truncated a file to a smaller size which     consisted of an inline extent that was compressed. The     data between the new file size and the old file size     was not discarded and the number of bytes used by the     inode were not correctly decremented, which gave the     wrong report for callers of the stat(2) syscall. This     wasted metadata space and allowed for the truncated     data to be leaked, and data corruption or loss to     occur. A caller of the clone ioctl could exploit this     flaw by using only standard file-system operations     without root access to read the truncated     data.(CVE-2015-8374)

  - A flaw was found in the Linux kernel's key management     system where it was possible for an attacker to     escalate privileges or crash the machine. If a user key     gets negatively instantiated, an error code is cached     in the payload area. A negatively instantiated key may     be then be positively instantiated by updating it with     valid data. However, the -i1/4zupdate key type method     must be aware that the error code may be     there.(CVE-2015-8539)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543)

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569)

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575)

  - The ovl_setattr function in fs/overlayfs/inode.c in the     Linux kernel through 4.3.3 attempts to merge distinct     setattr operations, which allows local users to bypass     intended access restrictions and modify the attributes     of arbitrary overlay files via a crafted     application.(CVE-2015-8660)

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled sctp_accept()     during the processing of heartbeat timeout events. A     remote attacker could use this flaw to prevent further     connections to be accepted by the SCTP server running     on the system, resulting in a denial of     service.(CVE-2015-8767)

  - An infinite-loop flaw was found in the kernel. When a     local user calls the sys_writev syscall with a     specially crafted sequence of iov structs, the     fuse_fill_write_pages kernel function might never     terminate, instead continuing in a tight loop. This     process cannot be terminated and requires a     reboot.(CVE-2015-8785)

  - A NULL-pointer dereference vulnerability was found in     the Linux kernel's TCP stack, in     net/netfilter/nf_nat_redirect.c in the     nf_nat_redirect_ipv4() function. A remote,     unauthenticated user could exploit this flaw to create     a system crash (denial of service).(CVE-2015-8787)

  - A use-after-free flaw was found in the CXGB3 kernel     driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as     an error condition and incorrectly freed or cleaned up     the socket buffer (skb). When the device then sent the     skb's queued data, these structures were referenced. A     local attacker could use this flaw to panic the system     (denial of service) or, with a local account, escalate     their privileges.(CVE-2015-8812)

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816)

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944)

  - 'A flaw was found in the Linux kernel's implementation     of overlayfs. An attacker can leak file resources in     the system by opening a large file with write     permissions on a overlay filesystem that is     insufficient to deal with the size of the write.

  - When unmounting the underlying device, the system is     unable to free an inode and this will consume     resources. Repeating this for all available inodes and     memory will create a denial of service     situation.(CVE-2015-8953)'

  - The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel before     4.2 allows local users to obtain sensitive information     or cause a denial of service (NULL pointer dereference)     via vectors involving a bind system call on a Bluetooth     RFCOMM socket.(CVE-2015-8956)

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961)

  - A flaw was found in the Linux kernel SCSI subsystem,     which allowed a local user to gain privileges or cause     a denial of service (memory corruption and system     crash) by issuing an SG_IO ioctl call while a device     was being detached.(CVE-2015-8962)

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963)

  - The tty_set_termios_ldisc() function in     'drivers/tty/tty_ldisc.c' in the Linux kernel before     4.5 allows local users to obtain sensitive information     from kernel memory by reading a tty data     structure.(CVE-2015-8964)

  - The lrw_crypt() function in 'crypto/lrw.c' in the Linux     kernel before 4.5 allows local users to cause a system     crash and a denial of service by the NULL pointer     dereference via accept(2) system call for AF_ALG socket     without calling setkey() first to set a cipher     key.(CVE-2015-8970)

  - It was found that kernel/events/core.c in the Linux     kernel mishandles counter grouping, which allows local     users to gain privileges via a crafted application,     related to the perf_pmu_register and perf_event_open     functions.(CVE-2015-9004)

  - A use-after-free flaw was discovered in the Linux     kernel's tty subsystem, which allows for the disclosure     of uncontrolled memory location and possible kernel     panic. The information leak is caused by a race     condition when attempting to set and read the tty line     discipline. A local attacker could use the TIOCSETD     (via tty_set_ldisc ) to switch to a new line discipline     a concurrent call to a TIOCGETD ioctl performing a read     on a given tty could then access previously allocated     memory. Up to 4 bytes could be leaked when querying the     line discipline or the kernel could panic with a     NULL-pointer dereference.(CVE-2016-0723)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)

It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955)

It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-8962)

Sasha Levin discovered that a race condition existed in the performance events and counters subsystem of the Linux kernel when handling CPU unplug events. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8963)

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2015-8964)

It was discovered that the fcntl64() system call in the Linux kernel did not properly set memory limits when returning on 32-bit ARM processors. A local attacker could use this to gain administrative privileges. (CVE-2015-8966)

It was discovered that the system call table for ARM 64-bit processors in the Linux kernel was not write-protected. An attacker could use this in conjunction with another kernel vulnerability to execute arbitrary code. (CVE-2015-8967)

It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2016-10088)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system     call is processed, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted application that did not supply a     key, related to the lrw_crypt function in crypto/lrw.c     (bnc#1008374).

  - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix     ACLs (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could have enabled a     local malicious application to execute arbitrary code     within the context of the kernel bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux, when the GNU Compiler     Collection (gcc) stack protector is enabled, used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes. The following feature was implemented :

  - The ext2 filesystem got reenabled and supported to allow     support for 'XIP' (Execute In Place) (FATE#320805). The     following security bugs were fixed :

  - CVE-2017-5551: The tmpfs filesystem implementation in     the Linux kernel preserved the setgid bit during a     setxattr call, which allowed local users to gain group     privileges by leveraging the existence of a setgid     program with restrictions on execute permissions     (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserved the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2017-2583: A Linux kernel built with the     Kernel-based Virtual Machine (CONFIG_KVM) support was     vulnerable to an incorrect segment selector(SS) value     error. A user/process inside guest could have used this     flaw to crash the guest resulting in DoS or potentially     escalate their privileges inside guest. (bsc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-8645: The TCP stack in the Linux kernel     mishandled skb truncation, which allowed local users to     cause a denial of service (system crash) via a crafted     application that made sendto system calls, related to     net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c     (bnc#1009969).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could enable a local     malicious application to execute arbitrary code within     the context of the kernel. This issue is rated as     Moderate because it first requires compromising a     privileged process and current compiler optimizations     restrict access to the vulnerable code. Product:
    Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935 (bnc#1014746).

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bnc#1013540).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2016-7914: The assoc_array_insert_into_terminal_node     function in lib/assoc_array.c in the Linux kernel did     not check whether a slot is a leaf, which allowed local     users to obtain sensitive information from kernel memory     or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data structures, as     demonstrated by the keyutils test suite (bnc#1010475).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via crafted fragmented packets (bnc#1008833).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misused the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel uses an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-8658: Stack-based buffer overflow in the     brcmf_cfg80211_start_ap function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a long SSID Information     Element in a command to a Netlink socket (bnc#1004462).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     by using an ABORT_TASK command to abort a device write     operation (bnc#994748).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for remote attackers to     hijack TCP sessions via a blind in-window attack     (bnc#989152).

  - CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb     function in drivers/s390/char/sclp_ctl.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory by changing a certain     length value, aka a 'double fetch' vulnerability     (bnc#987542).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986362 bnc#986365).

  - CVE-2016-5828: The start_thread function in     arch/powerpc/kernel/process.c in the Linux kernel on     powerpc platforms mishandled transactional state, which     allowed local users to cause a denial of service     (invalid process state or TM Bad Thing exception, and     system crash) or possibly have unspecified other impact     by starting and suspending a transaction before an exec     system call (bnc#986569).

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.69 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-7914: The assoc_array_insert_into_terminal_node     function in lib/assoc_array.c in the Linux kernel did     not check whether a slot is a leaf, which allowed local     users to obtain sensitive information from kernel memory     or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data structures, as     demonstrated by the keyutils test suite (bnc#1010475).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could enable a local     malicious application to execute arbitrary code within     the context of the kernel. This issue is rated as     Moderate because it first requires compromising a     privileged process and current compiler optimizations     restrict access to the vulnerable code. Product:
    Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935 (bnc#1014746).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel, in certain unusual hardware configurations,     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-8645: The TCP stack in the Linux kernel     mishandled skb truncation, which allowed local users to     cause a denial of service (system crash) via a crafted     application that made sendto system calls, related to     net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c     (bnc#1009969).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug' (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misuses the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531     1013542).

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bnc#1013540     1017589).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bsc#1019851).

  - CVE-2017-2583: Fixed broken emulation of 'MOV SS, null     selector' (bsc#1020602).

  - CVE-2017-5551: Clear SGID bit when setting file     permissions on tmpfs (bsc#1021258).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-94 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5551: tmpfs: clear S_ISGID when setting posix     ACLs (bsc#1021258).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device NOTE: this vulnerability existed because of an     incomplete fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-5696: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#989152).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provided an incomplete set of requirements for setattr     operations that underspecified removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could enable a local     malicious application to execute arbitrary code within     the context of the kernel. This issue is rated as     Moderate because it first requires compromising a     privileged process and current compiler optimizations     restrict access to the vulnerable code. (bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2013-6368: The KVM subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (system crash) via a VAPIC synchronization     operation involving a page-end address (bnc#853052).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel, in certain unusual hardware configurations,     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed :

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An out of bounds read in the ping     protocol handler could have lead to information     disclosure (bsc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provides an incomplete set of requirements for setattr     operations that underspecified removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel before 4.8.7, in certain unusual hardware     configurations, allowed remote attackers to execute     arbitrary code via crafted fragmented packets     (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2017-5551: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions. This CVE tracks the     fix for the tmpfs filesystem. (bsc#1021258).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file, aka Android internal bug     25739721 (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bsc#986365).

  - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel     did not reset the PIT counter values during state     restoration, which allowed guest OS users to cause a     denial of service (divide-by-zero error and host OS     crash) via a zero value, related to the     kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions     (bnc#960689).

  - CVE-2013-4312: The Linux kernel allowed local users to     bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor     over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and     IP6T_SO_SET_REPLACE setsockopt implementations in the     netfilter subsystem in the Linux kernel allow local     users to gain privileges or cause a denial of service     (memory corruption) by leveraging in-container root     access to provide a crafted offset value that triggers     an unintended decrement (bnc#986362).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

  - CVE-2016-1583: The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (stack memory consumption) via vectors involving crafted     mmap calls for /proc pathnames, leading to recursive     pagefault handling (bnc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandled NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2015-7833: The usbvision driver in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (panic) via a nonzero bInterfaceNumber value     in a USB device descriptor (bnc#950998).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2012-6704, CVE-2016-9793

Eric Dumazet found that a local user with CAP_NET_ADMIN capability could set a socket's buffer size to be negative, leading to a denial of service or other security impact. Additionally, in kernel versions prior to 3.5, any user could do this if sysctl net.core.rmem_max was changed to a very large value.

CVE-2015-1350 / #770492

Ben Harris reported that local users could remove set-capability attributes from any file visible to them, allowing a denial of service.

CVE-2015-8962

Calvin Owens fouund that removing a SCSI device while it was being accessed through the SCSI generic (sg) driver led to a double- free, possibly causing a denial of service (crash or memory corruption) or privilege escalation. This could be exploited by local users with permision to access a SCSI device node.

CVE-2015-8963

Sasha Levin reported that hot-unplugging a CPU resulted in a use-after-free by the performance events (perf) subsystem, possibly causing a denial of service (crash or memory corruption) or privilege escalation. This could by exploited by any local user.

CVE-2015-8964

It was found that the terminal/serial (tty) subsystem did not reliably reset the terminal buffer state when the terminal line discipline was changed. This could allow a local user with access to a terminal device to read sensitive information from kernel memory.

CVE-2016-7097

Jan Kara found that changing the POSIX ACL of a file never cleared its set-group-ID flag, which should be done if the user changing it is not a member of the group-owner. In some cases, this would allow the user-owner of an executable to gain the privileges of the group-owner.

CVE-2016-7910

Vegard Nossum discovered that a memory allocation failure while handling a read of /proc/diskstats or /proc/partitions could lead to a use-after-free, possibly causing a denial of service (crash or memory corruption) or privilege escalation.

CVE-2016-7911

Dmitry Vyukov reported that a race between ioprio_get() and ioprio_set() system calls could result in a use-after-free, possibly causing a denial of service (crash) or leaking sensitive information.

CVE-2016-7915

Benjamin Tissoires found that HID devices could trigger an out-of- bounds memory access in the HID core. A physically present user could possibly use this for denial of service (crash) or to leak sensitive information.

CVE-2016-8399

Qidan He reported that the IPv4 ping socket implementation did not validate the length of packets to be sent. A user with permisson to use ping sockets could cause an out-of-bounds read, possibly resulting in a denial of service or information leak. However, on Debian systems no users have permission to create ping sockets by default.

CVE-2016-8633

Eyal Itkin reported that the IP-over-Firewire driver (firewire-net) did not validate the offset or length in link-layer fragmentation headers. This allowed a remote system connected by Firewire to write to memory after a packet buffer, leading to a denial of service (crash) or remote code execution.

CVE-2016-8645

Marco Grassi reported that if a socket filter (BPF program) attached to a TCP socket truncates or removes the TCP header, this could cause a denial of service (crash). This was exploitable by any local user.

CVE-2016-8655

Philip Pettersson found that the implementation of packet sockets (AF_PACKET family) had a race condition between enabling a transmit ring buffer and changing the version of buffers used, which could result in a use-after-free. A local user with the CAP_NET_ADMIN capability could exploit this for privilege escalation.

CVE-2016-9178

Al Viro found that a failure to read data from user memory might lead to a information leak on the x86 architecture (amd64 or i386).

CVE-2016-9555

Andrey Konovalov reported that the SCTP implementation does not validate 'out of the blue' packet chunk lengths early enough. A remote system able could use this to cause a denial of service (crash) or other security impact for systems using SCTP.

CVE-2016-9576, CVE-2016-10088

Dmitry Vyukov reported that using splice() with the SCSI generic driver led to kernel memory corruption. Local users with permision to access a SCSI device node could exploit this for privilege escalation.

CVE-2016-9756

Dmitry Vyukov reported that KVM for the x86 architecture (amd64 or i386) did not correctly handle the failure of certain instructions that require software emulation on older processors. This could be exploited by guest systems to leak sensitive information or for denial of service (log spam).

CVE-2016-9794

Baozeng Ding reported a race condition in the ALSA (sound) subsystem that could result in a use-after-free. Local users with access to a PCM sound device could exploit this for denial of service (crash or memory corruption) or other security impact.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.84-1. This version also includes bug fixes from upstream version 3.2.84 and updates the PREEMPT_RT featureset to version 3.2.84-rt122.
Finally, this version adds the option to mitigate security issues in the performance events (perf) subsystem by disabling use by unprivileged users. This can be done by setting sysctl kernel.perf_event_paranoid=3.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1 which will be included in the next point release (8.6).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel through 4.8.2,     when the GNU Compiler Collection (gcc) stack protector     is enabled, uses an incorrect buffer size for certain     timeout data, which allowed local users to cause a     denial of service (stack memory corruption and panic) by     reading the /proc/keys file (bnc#1004517).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-7914: The assoc_array_insert_into_terminal_node     function in lib/assoc_array.c in the Linux kernel did     not check whether a slot is a leaf, which allowed local     users to obtain sensitive information from kernel memory     or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data structures, as     demonstrated by the keyutils test suite (bnc#1010475).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel before 4.8.7, in certain unusual hardware     configurations, allowed remote attackers to execute     arbitrary code via crafted fragmented packets     (bnc#1008833).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

The following non-security bugs were fixed :

  - bna: Add synchronization for tx ring (bsc#993739).

  - bonding: set carrier off for devices created through     netlink (bsc#999577).

  - btrfs: fix extent tree corruption due to relocation     (bsc#990384).

  - introduce NETIF_F_GSO_ENCAP_ALL helper mask     (bsc#1001486).

  - ipv6: send NEWLINK on RA managed/otherconf changes     (bsc#934067).

  - ipv6: send only one NEWLINK when RA causes changes     (bsc#934067).

  - tunnels: Remove encapsulation offloads on decap     (bsc#1001486).

  - usbhid: add ATEN CS962 to list of quirky devices     (bsc#1007615).

  - vmxnet3: Wake queue from reset work (bsc#999907).

The openSUSE Leap 42.1 kernel was updated to 4.1.36 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-9794: A use-after-free in ALSA pcm could lead     to crashes or allowed local users to potentially gain     privileges (bsc#1013533).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9178: The __get_user_asm_ex macro in     arch/x86/include/asm/uaccess.h in the Linux kernel did     not initialize a certain integer variable, which allowed     local users to obtain sensitive information from kernel     stack memory by triggering failure of a get_user_ex call     (bnc#1008650).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations,     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-8630: The x86_decode_insn function in     arch/x86/kvm/emulate.c in the Linux kernel, when KVM is     enabled, allowed local users to cause a denial of     service (host OS crash) via a certain use of a ModR/M     byte in an undefined instruction (bnc#1009222).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misuses the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel through 4.8.2,     when the GNU Compiler Collection (gcc) stack protector     is enabled, uses an incorrect buffer size for certain     timeout data, which allowed local users to cause a     denial of service (stack memory corruption and panic) by     reading the /proc/keys file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

The following non-security bugs were fixed :

  - ata: ahci_xgene: dereferencing uninitialized pointer in     probe (bsc#1006580).

  - blacklist.conf: add some commits (bsc#1006580)

  - bna: Add synchronization for tx ring (bsc#993739).

  - bonding: set carrier off for devices created through     netlink (bsc#999577).

  - btrfs: deal with duplicates during extent_map insertion     in btrfs_get_extent (bsc#1001171).

  - btrfs: deal with existing encompassing extent map in     btrfs_get_extent() (bsc#1001171).

  - btrfs: fix extent tree corruption due to relocation     (bsc#990384).

  - btrfs: fix races on root_log_ctx lists (bsc#1007653).

  - ext4: fix data exposure after a crash (bsc#1012876).

  - ext4: fix reference counting bug on block allocation     error (bsc#1012876).

  - gre: Disable segmentation offloads w/ CSUM and we are     encapsulated via FOU (bsc#1001486).

  - gro: Allow tunnel stacking in the case of FOU/GUE     (bsc#1001486).

  - ipv6: send NEWLINK on RA managed/otherconf changes     (bsc#934067).

  - ipv6: send only one NEWLINK when RA causes changes     (bsc#934067).

  - isofs: Do not return EACCES for unknown filesystems     (bsc#1012876).

  - jbd2: fix checkpoint list cleanup (bsc#1012876).

  - jbd2: Fix unreclaimed pages after truncate in     data=journal mode (bsc#1010909).

  - locking/static_key: Fix concurrent static_key_slow_inc()     (bsc#1006580).

  - mmc: Fix kabi breakage of mmc-block in 4.1.36     (stable-4.1.36).

  - posix_acl: Added fix for f2fs.

  - Revert 'kbuild: add -fno-PIE' (stable-4.1.36).

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (stable-4.1.36).

  - tunnels: Remove encapsulation offloads on decap     (bsc#1001486).

  - usbhid: add ATEN CS962 to list of quirky devices     (bsc#1007615).

  - vmxnet3: Wake queue from reset work (bsc#999907).

ID	Name	Product	Family	Severity
124981	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1528)	Nessus	Huawei Local Security Checks	high
124813	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)	Nessus	Huawei Local Security Checks	critical
101928	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)	Nessus	Ubuntu Local Security Checks	critical
97297	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0494-1)	Nessus	SuSE Local Security Checks	critical
97205	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0471-1)	Nessus	SuSE Local Security Checks	high
97189	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0464-1)	Nessus	SuSE Local Security Checks	high
97097	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0437-1)	Nessus	SuSE Local Security Checks	critical
96903	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)	Nessus	SuSE Local Security Checks	critical
96188	Debian DLA-772-1 : linux security update	Nessus	Debian Local Security Checks	critical
95705	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1431)	Nessus	SuSE Local Security Checks	critical
95702	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1428)	Nessus	SuSE Local Security Checks	critical

CVE-2015-8962

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

critical

critical

high

high

critical

critical

critical

critical

critical