http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191

http://securityadvisories.paloaltonetworks.com/Home/Detail/88

http://source.android.com/security/bulletin/2017-04-01.html

97397

1038201

https://github.com/torvalds/linux/commit/197c949e7798fbf28cfadc69d9ca0c2abbf93191

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The uas driver in the Linux kernel before 4.13.6 allows     local users to cause a denial of service (out-of-bounds     read and system crash), or possibly have unspecified     other impacts via a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530)

  - The implementation of big key management in     security/keys/big_key.c in the Linux kernel before     4.8.7 mishandles unsuccessful crypto registration in     conjunction with successful key-type registration,     which allows local users to cause a denial of service     (NULL pointer dereference and panic) or possibly have     unspecified other impact via a crafted application that     uses the big_key data type.(CVE-2016-9313)

  - The Linux kernel allows remote attackers to execute     arbitrary code via UDP traffic that triggers an unsafe     second checksum calculation during execution of a recv     system call with the MSG_PEEK flag. This may create a     kernel panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)

  - Buffer overflow in the exitcode_proc_write function in     arch/um/kernel/exitcode.c in the Linux kernel before     3.12 allows local users to cause a denial of service or     possibly have unspecified other impact by leveraging     root privileges for a write operation.(CVE-2013-4512)

  - It was found that unsharing a mount namespace could     allow a user to see data beneath their restricted     namespace.(CVE-2014-9717)

  - A divide-by-zero flaw was discovered in the Linux     kernel built with KVM virtualization     support(CONFIG_KVM). The flaw occurs in the KVM     module's Programmable Interval Timer(PIT) emulation,     when PIT counters for channel 1 or 2 are set to zero(0)     and a privileged user inside the guest attempts to read     these counters. A privileged guest user with access to     PIT I/O ports could exploit this issue to crash the     host kernel (denial of service).(CVE-2015-7513)

  - The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)

  - Stack-based buffer overflow in the     brcmf_cfg80211_start_ap() function in     'drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80     211.c' in the Linux kernel before 4.7.5 allows local     users to cause a denial of service (system crash) or     possibly have unspecified other impact via a long SSID     Information Element in a command to a Netlink     socket.(CVE-2016-8658)

  - drivers/hid/hid-sony.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_SONY is enabled, allows physically proximate     attackers to cause a denial of service (heap-based     out-of-bounds write) via a crafted     device.(CVE-2013-2890)

  - An issue where a provided address with access_ok() is     not checked was discovered in     i915_gem_execbuffer2_ioctl in     drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux     kernel through 4.19.13. A local attacker can craft a     malicious IOCTL function call to overwrite arbitrary     kernel memory, resulting in a Denial of Service or     privilege escalation.(CVE-2018-20669)

  - It was found that the permission checks performed by     the Linux kernel when a netlink message was received     were not sufficient. A local, unprivileged user could     potentially bypass these restrictions by passing a     netlink socket as stdout or stderr to a more privileged     process and altering the output of this     process.(CVE-2014-0181)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service.(CVE-2018-13094)

  - The irda_setsockopt function in net/irda/af_irda.c in     the Linux kernel, through 4.16, allows local users to     cause a denial of service (due to a use-after-free of     the ias_object and a system crash) or possibly have     unspecified other impact by leveraging an AF_IRDA     socket.(CVE-2018-6555)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel, when a processor supports the xsave     feature but not the xsaves feature, does not correctly     handle attempts to set reserved bits in the xstate     header via the ptrace() or rt_sigreturn() system call.
    This allows local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The fst_get_iface function in drivers/net/wan/farsync.c     in the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444)

  - In the Linux kernel, through 4.15.4, the floppy driver     reveals the addresses of kernel functions and global     variables using printk calls within the function     show_floppy in drivers/block/floppy.c. An attacker can     read this information from dmesg and use the addresses     to find the locations of kernel code and data and     bypass kernel security protections such as     KASLR.(CVE-2018-7273)

  - A flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table and, consequently, gain privileges by     leveraging write access.(CVE-2015-8967)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - A NULL pointer dereference security flaw was found in     the Linux kernel in the vcpu_scan_ioapic() function in     arch/x86/kvm/x86.c. This allows local users with     certain privileges to cause a denial of service via a     crafted system call to the KVM     subsystem.(CVE-2018-19407)

  - It was found that current implementation of kl5kusb105     driver failed to detect short transfers when attempting     to read the line state and logged the content of the     uninitialized heap transfer buffer.(CVE-2017-5549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free flaw was found in the way the Linux     kernel's key management subsystem handled keyring     object reference counting in certain error path of the     join_session_keyring() function. A local, unprivileged     user could use this flaw to escalate their privileges     on the system.(CVE-2016-0728)

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758)

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821)

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823)

  - The aio_mount function in fs/aio.c in the Linux kernel     does not properly restrict execute access, which makes     it easier for local users to bypass intended SELinux     W^X policy restrictions.(CVE-2016-10044)

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088)

  - A use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the     system.(CVE-2016-10200)

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - The Linux kernel allows remote attackers to execute     arbitrary code via UDP traffic that triggers an unsafe     second checksum calculation during execution of a recv     system call with the MSG_PEEK flag. This may create a     kernel panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly restrict the mount     namespace, which allows local users to gain privileges     by mounting an overlayfs filesystem on top of a FUSE     filesystem, and then executing a crafted setuid     program.(CVE-2016-1576)

  - A syntax vulnerability was discovered in the kernel's     ASN1.1 DER decoder, which could lead to memory     corruption or a complete local denial of service     through x509 certificate DER files. A local system user     could use a specially created key file to trigger     BUG_ON() in the public_key_verify_signature() function     (crypto/asymmetric_keys/public_key.c), to cause a     kernel panic and crash the system.(CVE-2016-2053)

  - A flaw was discovered in the way the Linux kernel dealt     with paging structures. When the kernel invalidated a     paging structure that was not in use locally, it could,     in principle, race against another CPU that is     switching to a process that uses the paging structure     in question. A local user could use a thread running     with a stale cached virtual->physical translation to     potentially escalate their privileges if the     translation in question were writable and the physical     page got reused for something critical (for example, a     page table).(CVE-2016-2069)

  - A divide-by-zero vulnerability was found in a way the     kernel processes TCP connections. The error can occur     if a connection starts another cwnd reduction phase by     setting tp->prior_cwnd to the current cwnd (0) in     tcp_init_cwnd_reduction(). A remote, unauthenticated     attacker could use this flaw to crash the kernel     (denial of service).(CVE-2016-2070)

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117)

  - The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)

  - The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187)

  - The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2188)

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384)

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543)

  - Race condition in the queue_delete function in     sound/core/seq/seq_queue.c in the Linux kernel before     4.4.1 allows local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time.(CVE-2016-2544)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0015 for details.

The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

  - CVE-2015-9004: kernel/events/core.c in the Linux kernel     mishandled counter grouping, which allowed local users     to gain privileges via a crafted application, related to     the perf_pmu_register and perf_event_open functions     (bnc#1037306).

  - CVE-2016-10229: udp.c in the Linux kernel allowed remote     attackers to execute arbitrary code via UDP traffic that     triggers an unsafe second checksum calculation during     execution of a recv system call with the MSG_PEEK flag     (bnc#1032268).

  - CVE-2016-9604: The handling of keyrings starting with     '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have     allowed local users to manipulate privileged keyrings,     was fixed (bsc#1035576)

  - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds     Write. Due to a missing bounds check, and the fact that     parport_ptr integer is static, a 'secure boot' kernel     command line adversary (can happen due to bootloader     vulns, e.g. Google Nexus 6's CVE-2016-10277, where due     to a vulnerability the adversary has partial control     over the command line) can overflow the parport_nr array     in the following code, by appending many (>LP_NO)     'lp=none' arguments to the command line (bnc#1039456).

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     is vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

  - CVE-2017-10661: Race condition in fs/timerfd.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (list corruption or     use-after-free) via simultaneous file-descriptor     operations that leverage improper might_cancel queueing     (bnc#1053152).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bnc#1048275).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A     user-controlled buffer is copied into a local buffer of     constant size using strcpy without a length check which     can cause a buffer overflow. (bnc#1053148).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14140: The move_pages system call in     mm/migrate.c in the Linux kernel doesn't check the     effective uid of the target process, enabling a local     attacker to learn the memory layout of a setuid     executable despite ASLR (bnc#1057179).

  - CVE-2017-15265: Use-after-free vulnerability in the     Linux kernel allowed local users to have unspecified     impact via vectors related to /dev/snd/seq     (bnc#1062520).

  - CVE-2017-15274: security/keys/keyctl.c in the Linux     kernel did not consider the case of a NULL payload in     conjunction with a nonzero length value, which allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192 (bnc#1045327).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c (bnc#1030593).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type (bnc#1029850).

  - CVE-2017-7482: A potential memory corruption was fixed     in decoding of krb5 principals in the kernels kerberos     handling. (bnc#1046107).

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879).

  - CVE-2017-7518: The Linux kernel was vulnerable to an     incorrect debug exception(#DB) error. It could occur     while emulating a syscall instruction and potentially     lead to guest privilege escalation. (bsc#1045922).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-7889: The mm subsystem in the Linux kernel did     not properly enforce the CONFIG_STRICT_DEVMEM protection     mechanism, which allowed local users to read or write to     kernel memory locations in the first megabyte (and     bypass slab-allocation access restrictions) via an     application that opens the /dev/mem file, related to     arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bnc#1035877).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1037182 bsc#1038982).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1037183 bsc#1038981).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The version of Palo Alto Networks PAN-OS running on the remote host is 6.1.x prior to 6.1.18, 7.0.x prior to 7.0.17, 7.1.x prior to 7.1.12, or 8.0.x prior to 8.0.3. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in the OpenSSL     component that is triggered when handling a large number     of consecutive 'SSL3_AL_WARNING' undefined alerts. An     unauthenticated, remote attacker can exploit this, by     continuously sending warning alerts, to exhaust     available CPU resources. Note that this vulnerability     does not affect the 8.0.x version branch.
    (CVE-2016-8610)

  - A remote code execution vulnerability exists in the     Linux kernel in udp.c due to an unsafe second checksum     calculation during execution of a recv system call with     the MSG_PEEK flag. An unauthenticated, remote attacker     can exploit this, via specially crafted UDP traffic, to     cause a denial of service condition or the execution of     arbitrary code. Note that this vulnerability does not     affect the 7.0.x version branch. (CVE-2016-10229)

  - A remote code execution vulnerability exists in the DNS     proxy service that is triggered when resolving fully     qualified domain names (FQDN). An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. Note that this vulnerability was fixed in version     7.1.10 for the 7.1.x version branch. (CVE-2017-8390)

  - A XML external entity (XXE) vulnerability exists due to     an incorrectly configured XML parser accepting XML from     an untrusted source. An unauthenticated, remote attacker     can exploit this by sending specially crafted XML data     to the GlobalProtect external interface. Exploitation of     this vulnerability may allow disclosure of information,     denial of service or server side request forgery.
    (CVE-2017-9458)

  - A stored cross-site scripting (XSS) vulnerability exists     in the Firewall web interface due to improper validation     of user-supplied input before returning it to users. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2017-9459)

  - A cross-site scripting (XSS) vulnerability exists in the     GlobalProtect component due to improper validation of     user-supplied input to unspecified request parameters.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted request, to execute arbitrary     script code in a user's browser session.
    (CVE-2017-9467, CVE-2017-12416)

  - A denial of service vulnerability exists that is     triggered when the system attempts to close the     connection of a rogue client that ignored the URL     filtering block page. An unauthenticated, remote     attacker can exploit this to crash the interface. Note     that this vulnerability does not affect the 6.1.x and     7.0.x version branches.

Unsafe second checksum calculation in udp.c :

The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation. (CVE-2016-10229)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986995] (CVE-2017-7895)

  - ocfs2/o2net: o2net_listen_data_ready should do nothing     if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug:
    25510857]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 23750748]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki) [Orabug: 25534688]

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549845]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549845]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719676] (CVE-2017-2583)     (CVE-2017-2583)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719811] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720815] (CVE-2017-6214)

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796604] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797014] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797056]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (David Howells) [Orabug:
    25823965] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825107] (CVE-2015-5257)

  - RDS: fix race condition when sending a message on     unbound socket (Quentin Casasnovas) [Orabug: 25871048]     (CVE-2015-6937) (CVE-2015-6937)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udf: Treat symlink component of type 2 as / (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877531] (CVE-2016-7910)

  - RHEL: complement upstream workaround for CVE-2016-10142.
    (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)     (CVE-2016-10142)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25752011] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696689] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696689] (CVE-2017-2636)

  - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc     (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)

  - list: introduce list_first_entry_or_null (Jiri Pirko)     [Orabug: 25696689] (CVE-2017-2636)

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451538] (CVE-2016-8633)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463929]     (CVE-2016-3672)

  - x86 get_unmapped_area: Access mmap_legacy_base through     mm_struct member (Radu Caragea) [Orabug: 25463929]     (CVE-2016-3672)

  - sg_start_req: make sure that there's not too many     elements in iovec (Al Viro) [Orabug: 25490377]     (CVE-2015-5707)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507232] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507232] (CVE-2016-8645)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)

  - x86: bpf_jit: fix compilation of large bpf programs     (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)

  - net: fix a kernel infoleak in x25 module (Kangjie Lu)     [Orabug: 25512417] (CVE-2016-4580)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512472]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682437] (CVE-2017-6345)

  - dccp: fix freeing skb too early for IPV6_RECVPKTINFO     (Andrey Konovalov) [Orabug: 25598277] (CVE-2017-6074)

  - vfs: read file_handle only once in handle_to_path (Sasha     Levin) [Orabug: 25388709] (CVE-2015-1420)

  - crypto: algif_hash - Only export and import on sockets     with data (Herbert Xu) [Orabug: 25417807]

  - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)     [Orabug: 25462763] (CVE-2016-4482)

  - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811]     (CVE-2016-4485)

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

  - unix: avoid use-after-free in ep_remove_wait_queue     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986990] (CVE-2017-7895)

  - fnic: Update fnic driver version to 1.6.0.24 (John     Sobecki) [Orabug: 24448585]

  - xen-netfront: Rework the fix for Rx stall during OOM and     network stress (Dongli Zhang) [Orabug: 25450703]

  - xen-netfront: Fix Rx stall during network stress and OOM     (Dongli Zhang) [Orabug: 25450703]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki)

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549809]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549809]

  - VSOCK: Fix lockdep issue. (Dongli Zhang) [Orabug:
    25559937]

  - VSOCK: sock_put wasn't safe to call in interrupt context     (Dongli Zhang) [Orabug: 25559937]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 25677469]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719675] (CVE-2017-2583)     (CVE-2017-2583)

  - ext4: validate s_first_meta_bg at mount time (Eryu Guan)     [Orabug: 25719738] (CVE-2016-10208)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719810] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720813] (CVE-2017-6214)

  - lpfc cannot establish connection with targets that send     PRLI under P2P mode (Joe Jin) [Orabug: 25759083]

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796594] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797012] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797052]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814663]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (Aniket Alshi) [Orabug:
    25823962] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825105] (CVE-2015-5257)     (CVE-2015-5257)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871102] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25876655] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877530] (CVE-2016-7910)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790392] (CVE-2016-9644)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766911] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765776] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765445] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751996] (CVE-2017-7187)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - ipv6: catch a null skb before using it in a DTRACE     (Shannon Nelson) 

  - sparc64: Do not retain old VM_SPARC_ADI flag when     protection changes on page (Khalid Aziz) [Orabug:
    26038830]

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986971] (CVE-2017-7895)

  - sparc64: Detect DAX ra+pgsz when hvapi minor doesn't     indicate it (Rob Gardner) [Orabug: 25997533]

  - sparc64: DAX memory will use RA+PGSZ feature in HV (Rob     Gardner) 

  - sparc64: Disable DAX flow control (Rob Gardner) [Orabug:
    25997226]

  - sparc64: DAX memory needs persistent mappings (Rob     Gardner) [Orabug: 25997137]

  - sparc64: Fix incorrect error print in DAX driver when     validating ccb (Sanath Kumar) [Orabug: 25996975]

  - sparc64: DAX request for non 4MB memory should return     with unique errno (Sanath Kumar) [Orabug: 25996823]

  - sparc64: DAX request to mmap non 4MB memory should fail     with a debug print (Sanath Kumar) [Orabug: 25996823]

  - sparc64: DAX request for non 4MB memory should return     with unique errno (Sanath Kumar) [Orabug: 25996823]

  - sparc64: Incorrect print by DAX driver when old driver     API is used (Sanath Kumar) [Orabug: 25996790]

  - sparc64: DAX request to dequeue half of a long CCB     should not succeed (Sanath Kumar) [Orabug: 25996747]

  - sparc64: dax_overflow_check reports incorrect data     (Sanath Kumar) 

  - sparc64: Ignored DAX ref count causes lockup (Rob     Gardner) [Orabug: 25996628]

  - sparc64: disable dax page range checking on RA (Rob     Gardner) [Orabug: 25996546]

  - sparc64: Oracle Data Analytics Accelerator (DAX) driver     (Sanath Kumar) [Orabug: 25996522]

  - sparc64: Add DAX hypervisor services (Allen Pais)     [Orabug: 25996475]

  - sparc64: create/destroy cpu sysfs dynamically (Atish     Patra) [Orabug: 21775890] [Orabug: 25216469]

  - megaraid: Fix unaligned warning (Allen Pais) [Orabug:
    24817799]

  - Re-enable SDP for uek-nano kernel (Ashok Vairavan)     [Orabug: 25968572]

  - xsigo: Compute node crash on FC failover (Pradeep     Gopanapalli) 

  - NVMe: Set affinity after allocating request queues     (Keith Busch) 

  - nvme: use an integer value to Linux errno values     (Christoph Hellwig) 

  - blk-mq: fix racy updates of rq->errors (Christoph     Hellwig) [Orabug: 25945973]

  - x86/apic: Handle zero vector gracefully in     clear_vector_irq (Keith Busch) [Orabug: 24515998]

  - PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)     [Orabug: 24819170]

  - PCI: Prevent VPD access for buggy devices (Babu Moger)     [Orabug: 24819170]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki) [Orabug: 25525433]

  - Btrfs: don't BUG_ON in btrfs_orphan_add (Josef Bacik)     [Orabug: 25534945]

  - Btrfs: clarify do_chunk_alloc's return value (Liu Bo)     [Orabug: 25534945]

  - btrfs: flush_space: treat return value of do_chunk_alloc     properly (Alex Lyakas) [Orabug: 25534945]

  - Revert '[SCSI] libiscsi: Reduce locking contention in     fast path' (Ashish Samant) [Orabug: 25721518]

  - qla2xxx: Allow vref count to timeout on vport delete.
    (Joe Carnuccio) [Orabug: 25862953]

  - Drivers: hv: kvp: fix IP Failover (Vitaly Kuznetsov)     [Orabug: 25866691]

  - Drivers: hv: util: Pass the channel information during     the init call (K. Y. Srinivasan) [Orabug: 25866691]

  - Drivers: hv: utils: run polling callback always in     interrupt context (Olaf Hering) [Orabug: 25866691]

  - Drivers: hv: util: Increase the timeout for util     services (K. Y. Srinivasan) [Orabug: 25866691]

  - Drivers: hv: kvp: check kzalloc return value (Vitaly     Kuznetsov) 

  - Drivers: hv: fcopy: dynamically allocate smsg_out in     fcopy_send_data (Vitaly Kuznetsov)

  - Drivers: hv: vss: full handshake support (Vitaly     Kuznetsov) [Orabug: 25866691]

  - xen: Make VPMU init message look less scary (Juergen     Gross) [Orabug: 25873416]

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25876652] (CVE-2016-10229)

Description of changes:

[2.6.39-400.295.2.el6uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995]  {CVE-2017-7895}

[2.6.39-400.295.1.el6uek]
- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed)  [Orabug: 25510857]
- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 23750748]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)  [Orabug: 25534688]
- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549845]
- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845]
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles)  [Orabug: 25549845]
- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719676]  {CVE-2017-2583} {CVE-2017-2583}
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719811]  {CVE-2017-5986}
- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 25720815]  {CVE-2017-6214}
- USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796604]   {CVE-2016-2782}
- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797014]  {CVE-2017-5669}
- vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 25797056]  {CVE-2015-6252}
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- KEYS: Remove key_type::match in favour of overriding default by match_preparse (David Howells)  [Orabug: 25823965]  {CVE-2017-2647} {CVE-2017-2647}
- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825107]  {CVE-2015-5257}
- RDS: fix race condition when sending a message on unbound socket (Quentin Casasnovas)  [Orabug: 25871048]  {CVE-2015-6937} {CVE-2015-6937}
- udf: Check path length when reading symlink (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udf: Treat symlink component of type 2 as / (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25874741]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877531]  {CVE-2016-7910}
- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas)  [Orabug: 25765786]  {CVE-2016-10142} {CVE-2016-10142}
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765448]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011]  {CVE-2017-7187}
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696689]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696689]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696689]  {CVE-2017-2636}
- list: introduce list_first_entry_or_null (Jiri Pirko)  [Orabug: 25696689]  {CVE-2017-2636}
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463929]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463929]  {CVE-2016-3672}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490377]  {CVE-2015-5707}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507232]  {CVE-2016-8645}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507330]  {CVE-2016-7425}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 25507375]  {CVE-2015-4700}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512417]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512472]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682437]  {CVE-2017-6345}
- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov)  [Orabug: 25598277]  {CVE-2017-6074}
- vfs: read file_handle only once in handle_to_path (Sasha Levin) [Orabug: 25388709]  {CVE-2015-1420}
- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu)  [Orabug: 25417807]
- USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 25462763]  {CVE-2016-4482}
- net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462811]  {CVE-2016-4485}
- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat)  [Orabug: 25464000]  {CVE-2013-7446}
- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25464000]  {CVE-2013-7446}

Description of changes:

kernel-uek [3.8.13-118.18.2.el7uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986990]  {CVE-2017-7895}

[3.8.13-118.18.1.el7uek]
- fnic: Update fnic driver version to 1.6.0.24 (John Sobecki)  [Orabug: 24448585]
- xen-netfront: Rework the fix for Rx stall during OOM and network stress (Dongli Zhang)  [Orabug: 25450703]
- xen-netfront: Fix Rx stall during network stress and OOM (Dongli Zhang)  [Orabug: 25450703]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)
- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549809]
- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549809]
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles)  [Orabug: 25549809]
- VSOCK: Fix lockdep issue. (Dongli Zhang)  [Orabug: 25559937]
- VSOCK: sock_put wasn't safe to call in interrupt context (Dongli Zhang)  [Orabug: 25559937]
- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 25677469]
- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719675]  {CVE-2017-2583} {CVE-2017-2583}
- ext4: validate s_first_meta_bg at mount time (Eryu Guan)  [Orabug: 25719738]  {CVE-2016-10208}
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719810]  {CVE-2017-5986}
- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 25720813]  {CVE-2017-6214}
- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin)  [Orabug: 25759083]
- USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796594]   {CVE-2016-2782}
- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797012]  {CVE-2017-5669}
- vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 25797052]  {CVE-2015-6252}
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft)  [Orabug: 25814663]  {CVE-2017-7184}
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft)  [Orabug: 25814663]  {CVE-2017-7184}
- KEYS: Remove key_type::match in favour of overriding default by match_preparse (Aniket Alshi)  [Orabug: 25823962]  {CVE-2017-2647} {CVE-2017-2647}
- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825105]  {CVE-2015-5257} {CVE-2015-5257}
- udf: Check path length when reading symlink (Jan Kara)  [Orabug: 25871102]  {CVE-2015-9731}
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25876655]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877530]  {CVE-2016-7910}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790392]  {CVE-2016-9644}
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766911]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765776]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765445]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751996]  {CVE-2017-7187}

Description of changes:

kernel-uek [4.1.12-94.3.4.el7uek]
- ipv6: catch a null skb before using it in a DTRACE (Shannon Nelson) [Orabug: 26075879]
- sparc64: Do not retain old VM_SPARC_ADI flag when protection changes on page (Khalid Aziz)  [Orabug: 26038830]

[4.1.12-94.3.3.el7uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986971]  {CVE-2017-7895}

[4.1.12-94.3.2.el7uek]
- sparc64: Detect DAX ra+pgsz when hvapi minor doesn't indicate it (Rob Gardner)  [Orabug: 25997533]
- sparc64: DAX memory will use RA+PGSZ feature in HV (Rob Gardner) [Orabug: 25997533] [Orabug: 25931417]
- sparc64: Disable DAX flow control (Rob Gardner)  [Orabug: 25997226]
- sparc64: DAX memory needs persistent mappings (Rob Gardner)  [Orabug: 25997137]
- sparc64: Fix incorrect error print in DAX driver when validating ccb (Sanath Kumar)  [Orabug: 25996975]
- sparc64: DAX request for non 4MB memory should return with unique errno (Sanath Kumar)  [Orabug: 25996823]
- sparc64: DAX request to mmap non 4MB memory should fail with a debug print (Sanath Kumar)  [Orabug: 25996823]
- sparc64: DAX request for non 4MB memory should return with unique errno (Sanath Kumar)  [Orabug: 25996823]
- sparc64: Incorrect print by DAX driver when old driver API is used (Sanath Kumar)  [Orabug: 25996790]
- sparc64: DAX request to dequeue half of a long CCB should not succeed (Sanath Kumar)  [Orabug: 25996747]
- sparc64: dax_overflow_check reports incorrect data (Sanath Kumar) [Orabug: 25996655]
- sparc64: Ignored DAX ref count causes lockup (Rob Gardner)  [Orabug: 25996628]
- sparc64: disable dax page range checking on RA (Rob Gardner)  [Orabug: 25996546]
- sparc64: Oracle Data Analytics Accelerator (DAX) driver (Sanath Kumar)   [Orabug: 25996522]
- sparc64: Add DAX hypervisor services (Allen Pais)  [Orabug: 25996475]
- sparc64: create/destroy cpu sysfs dynamically (Atish Patra)  [Orabug: 21775890] [Orabug: 25216469]
- megaraid: Fix unaligned warning (Allen Pais)  [Orabug: 24817799]

[4.1.12-94.3.1.el7uek]
- Re-enable SDP for uek-nano kernel (Ashok Vairavan)  [Orabug: 25968572]
- xsigo: Compute node crash on FC failover (Pradeep Gopanapalli) [Orabug: 25946533]
- NVMe: Set affinity after allocating request queues (Keith Busch) [Orabug: 25945973]
- nvme: use an integer value to Linux errno values (Christoph Hellwig) [Orabug: 25945973]
- blk-mq: fix racy updates of rq->errors (Christoph Hellwig)  [Orabug: 25945973]
- x86/apic: Handle zero vector gracefully in clear_vector_irq() (Keith Busch)  [Orabug: 24515998]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 24819170]
- PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 24819170]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)  [Orabug: 25525433]
- Btrfs: don't BUG_ON() in btrfs_orphan_add (Josef Bacik)  [Orabug: 25534945]
- Btrfs: clarify do_chunk_alloc()'s return value (Liu Bo)  [Orabug: 25534945]
- btrfs: flush_space: treat return value of do_chunk_alloc properly (Alex Lyakas)  [Orabug: 25534945]
- Revert '[SCSI] libiscsi: Reduce locking contention in fast path' (Ashish Samant)  [Orabug: 25721518]
- qla2xxx: Allow vref count to timeout on vport delete. (Joe Carnuccio)   [Orabug: 25862953]
- Drivers: hv: kvp: fix IP Failover (Vitaly Kuznetsov)  [Orabug: 25866691]
- Drivers: hv: util: Pass the channel information during the init call (K. Y. Srinivasan)  [Orabug: 25866691]
- Drivers: hv: utils: run polling callback always in interrupt context (Olaf Hering)  [Orabug: 25866691]
- Drivers: hv: util: Increase the timeout for util services (K. Y. Srinivasan)  [Orabug: 25866691]
- Drivers: hv: kvp: check kzalloc return value (Vitaly Kuznetsov) [Orabug: 25866691]
- Drivers: hv: fcopy: dynamically allocate smsg_out in fcopy_send_data() (Vitaly Kuznetsov)
- Drivers: hv: vss: full handshake support (Vitaly Kuznetsov)  [Orabug: 25866691]
- xen: Make VPMU init message look less scary (Juergen Gross)  [Orabug: 25873416]
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25876652]  {CVE-2016-10229}

The remote OracleVM system is missing necessary patches to address critical security updates :

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877531] (CVE-2016-7910)

Description of changes:

[2.6.39-400.294.7.el6uek]
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25874741]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877531]  {CVE-2016-7910}

ID	Name	Product	Family	Severity
124826	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)	Nessus	Huawei Local Security Checks	critical
124815	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1491)	Nessus	Huawei Local Security Checks	critical
106469	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
104374	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)	Nessus	SuSE Local Security Checks	critical
102774	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102773	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
101164	Palo Alto Networks PAN-OS 6.1.x < 6.1.18 / 7.0.x < 7.0.17 / 7.1.x < 7.1.12 / 8.0.x < 8.0.3 Multiple Vulnerabilities	Nessus	Palo Alto Local Security Checks	critical
100552	Amazon Linux AMI : kernel (ALAS-2017-832)	Nessus	Amazon Linux Local Security Checks	critical
100238	OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)	Nessus	OracleVM Local Security Checks	critical
100237	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)	Nessus	OracleVM Local Security Checks	critical
100236	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0104)	Nessus	OracleVM Local Security Checks	critical
100235	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)	Nessus	Oracle Linux Local Security Checks	critical
100234	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)	Nessus	Oracle Linux Local Security Checks	critical
100233	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3565)	Nessus	Oracle Linux Local Security Checks	critical
99391	OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0061)	Nessus	OracleVM Local Security Checks	critical
99388	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3538)	Nessus	Oracle Linux Local Security Checks	critical

CVE-2016-10229

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins