http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45f6fad84cc305103b28d73482b344d7f5b76f39

RHSA-2016:0855

RHSA-2016:2574

RHSA-2016:2584

RHSA-2016:2695

http://source.android.com/security/bulletin/2016-08-01.html

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.3

92227

https://github.com/torvalds/linux/commit/45f6fad84cc305103b28d73482b344d7f5b76f39

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The snd_msndmidi_input_read function in     sound/isa/msnd/msnd_midi.c in the Linux kernel through     4.11.7 allows local users to cause a denial of service     (over-boundary access) or possibly have unspecified     other impact by changing the value of a message queue     head pointer between two kernel reads of that value,     aka a 'double fetch' vulnerability.(CVE-2017-9985i1/4%0

  - An assertion failure issue was found in the Linux     kernel's KVM hypervisor module built to support     visualization on ARM64 architecture platforms. The     failure could occur while accessing Performance     Monitors Cycle Count Register (PMCCNTR) from a guest. A     privileged guest user could use this flaw to crash the     host kernel resulting in denial of     service.(CVE-2017-12168i1/4%0

  - The iscsi_if_rx() function in     'drivers/scsi/scsi_transport_iscsi.c' in the Linux     kernel from v2.6.24-rc1 through 4.13.2 allows local     users to cause a denial of service (a system panic) by     making a number of certain syscalls by leveraging     incorrect length validation in the kernel     code.(CVE-2017-14489i1/4%0

  - The hdpvr_probe function in     drivers/media/usb/hdpvr/hdpvr-core.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (improper error handling and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16644i1/4%0

  - The dvb frontend management subsystem in the Linux     kernel contains a use-after-free which can allow a     malicious user to write to memory that may be assigned     to another kernel structure. This could create memory     corruption, panic, or possibly other side     affects.(CVE-2017-16648i1/4%0

  - It was found that the Linux kernel's IPv6     implementation mishandled socket options. A local     attacker could abuse concurrent access to the socket     options to escalate their privileges, or cause a denial     of service (use-after-free and system crash) via a     crafted sendmsg system call.(CVE-2016-3841i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879i1/4%0

  - A race condition was found in the Linux kernel, present     since v3.14-rc1 through v4.12. The race happens between     threads of inotify_handle_event() and vfs_rename()     while running the rename operation against the same     file. As a result of the race the next slab data or the     slab's free list pointer can be corrupted with     attacker-controlled data, which may lead to the     privilege escalation.(CVE-2017-7533i1/4%0

  - A privilege-escalation vulnerability was discovered in     the Linux kernel built with User Namespace     (CONFIG_USER_NS) support. The flaw occurred when the     ptrace() system call was used on a root-owned process     to enter a user namespace. A privileged namespace user     could exploit this flaw to potentially escalate their     privileges on the system, outside the original     namespace.(CVE-2015-8709i1/4%0

  - Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     before 4.5.2 allows local users to cause a denial of     service (memory corruption and system crash, or     spinlock) or possibly have unspecified other impact by     removing a network namespace, related to the     ppp_register_net_channel and ppp_unregister_channel     functions.(CVE-2016-4805i1/4%0

  - A flaw was found in the way the Linux kernel's     kvm_iommu_map_pages() function handled IOMMU mapping     failures. A privileged user in a guest with an assigned     host device could use this flaw to crash the     host.(CVE-2014-3601i1/4%0

  - A flaw was found in the Linux kernel's implementation     of associative arrays introduced in 3.13. This     functionality was backported to the 3.10 kernels in Red     Hat Enterprise Linux 7. The flaw involved a null     pointer dereference in assoc_array_apply_edit() due to     incorrect node-splitting in assoc_array implementation.
    This affects the keyring key type and thus key addition     and link creation operations may cause the kernel to     panic.(CVE-2017-12193i1/4%0

  - Multiple race conditions in drivers/char/adsprpc.c and     drivers/char/adsprpc_compat.c in the ADSPRPC driver for     the Linux kernel 3.x, as used in Qualcomm Innovation     Center (QuIC) Android contributions for MSM devices and     other products, allow attackers to cause a denial of     service (zero-value write) or possibly have unspecified     other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl     call.(CVE-2015-0572i1/4%0

  - The sanity_check_ckpt function in fs/f2fs/super.c in     the Linux kernel before version 4.12.4 does not     validate the blkoff and segno arrays. This allows an     unprivileged, local user to cause a system panic and     DoS. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-10663i1/4%0

  - A stack overflow flaw caused by infinite recursion was     found in the way the Linux kernel's Universal Disk     Format (UDF) file system implementation processed     indirect Information Control Blocks (ICBs). An attacker     with physical access to the system could use a     specially crafted UDF image to crash the     system.(CVE-2014-6410i1/4%0

  - Race condition in the ion_ioctl function in     drivers/staging/android/ion/ion.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) by calling     ION_IOC_FREE on two CPUs at the same     time.(CVE-2016-9120i1/4%0

  - drivers/hid/hid-picolcd_core.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_PICOLCD is enabled, allows     physically proximate attackers to cause a denial of     service (NULL pointer dereference and OOPS) via a     crafted device.(CVE-2013-2899i1/4%0

  - A flaw was found in the Linux kernel's implementation     of overlayfs. An attacker can leak file resources in     the system by opening a large file with write     permissions on a overlay filesystem that is     insufficient to deal with the size of the write.When     unmounting the underlying device, the system is unable     to free an inode and this will consume resources.
    Repeating this for all available inodes and memory will     create a denial of service situation.(CVE-2015-8953i1/4%0

  - Buffer overflow in the mp_override_legacy_irq()     function in arch/x86/kernel/acpi/boot.c in the Linux     kernel through 4.12.2 allows local users to gain     privileges via a crafted ACPI table.(CVE-2017-11473i1/4%0

  - Use-after-free vulnerability in the     kvm_ioctl_create_device function in virt/kvm/kvm_main.c     in the Linux kernel before 4.8.13 allows host OS users     to cause a denial of service (host OS crash) or     possibly gain privileges via crafted ioctl calls on the     /dev/kvm device.(CVE-2016-10150i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The snd_timer_interrupt function in sound/core/timer.c     in the Linux kernel before 4.4.1 does not properly     maintain a certain linked list, which allows local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call.(CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1     uses an incorrect type of mutex, which allows local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call.(CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1     employs a locking approach that does not consider slave     timer instances, which allows local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call.(CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1     retains certain linked lists after a close or stop     action, which allows local users to cause a denial of     service (system crash) via a crafted ioctl call,     related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1     does not prevent recursive callback access, which     allows local users to cause a denial of service     (deadlock) via a crafted ioctl call.(CVE-2016-2549)

  - A resource-exhaustion vulnerability was found in the     kernel, where an unprivileged process could allocate     and accumulate far more file descriptors than the     process' limit. A local, unauthenticated user could     exploit this flaw by sending file descriptors over a     Unix socket and then closing them to keep the process'     fd count low, thereby creating kernel-memory or     file-descriptors exhaustion (denial of     service).(CVE-2016-2550)

  - It is possible for a single process to cause an OOM     condition by filling large pipes with data that are     never read. A typical process filling 4096 pipes with 1     MB of data will use 4 GB of memory and there can be     multiple such processes, up to a     per-user-limit.(CVE-2016-2847)

  - A security flaw was found in the Linux kernel that an     attempt to move page mapped by AIO ring buffer to the     other node triggers NULL pointer dereference at     trace_writeback_dirty_page(), because     aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)

  - A security flaw was found in the Linux kernel in the     mark_source_chains() function in     'net/ipv4/netfilter/ip_tables.c'. It is possible for a     user-supplied 'ipt_entry' structure to have a large     'next_offset' field. This field is not bounds checked     prior to writing to a counter value at the supplied     offset.(CVE-2016-3134)

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135)

  - The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted USB device without two     interrupt-in endpoint descriptors.(CVE-2016-3136)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions.(CVE-2016-3137)

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138)

  - The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

  - The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)

  - 'A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps ''rtnl_lock'' spinlock for a very long time (up     to hour). This blocks many network-related operations,     including creation of new incoming ssh connections.

  - The problem is especially important for containers, as     the container owner has enough permissions to trigger     this and block a network access on a whole host,     outside the container.(CVE-2016-3156)'

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited.(CVE-2016-3672)

  - The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)

  - It was found that the Linux kernel's IPv6     implementation mishandled socket options. A local     attacker could abuse concurrent access to the socket     options to escalate their privileges, or cause a denial     of service (use-after-free and system crash) via a     crafted sendmsg system call.(CVE-2016-3841)

  - The usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)

  - A flaw was found in the Linux kernel's keyring handling     code: the key_reject_and_link() function could be     forced to free an arbitrary memory block. An attacker     could use this flaw to trigger a use-after-free     condition on the system, potentially allowing for     privilege escalation.(CVE-2016-4470)

  - The proc_connectinfo() function in     'drivers/usb/core/devio.c' in the Linux kernel through     4.6 does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory via a crafted USBDEVFS_CONNECTINFO     ioctl call. The stack object 'ci' has a total size of 8     bytes. Its last 3 bytes are padding bytes which are not     initialized and are leaked to userland.(CVE-2016-4482)

  - A flaw was found in the way certain interfaces of the     Linux kernel's Infiniband subsystem used write() as     bi-directional ioctl() replacement, which could lead to     insufficient memory security checks when being invoked     using the splice() system call. A local unprivileged     user on a system with either Infiniband hardware     present or RDMA Userspace Connection Manager Access     module explicitly loaded, could use this flaw to     escalate their privileges on the system.(CVE-2016-4565)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4316 advisory.    - The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted     with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions     by leveraging improper handling of secure_boot flag across kexec reboot. (CVE-2015-7837)    - The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain     privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system     call. (CVE-2016-3841)    - The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x     before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption)     or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.     (CVE-2017-18017)    - In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in     the sound system, this can lead to a deadlock and denial of service condition. (CVE-2018-1000004)    - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length     inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel     crash) or have unspecified other impact by executing a crafted sequence of system calls that use the     blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)    - The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a     root directory with a zero i_links_count, which allows attackers to cause a denial of service     (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)    - In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow     properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android     releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.     (CVE-2018-5848)    - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux     kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read     accesses to files in the /sys/class/sas_phy directory, as demonstrated by the     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)    - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a     double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part     of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for     privilege escalation. (CVE-2018-10902)    - An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android     kernel.
Android ID A-65023233. (CVE-2017-13168)    - ** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with     dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel     heap pages to the userspace. This has been fixed upstream in     http://www.nessus.org/u?5d4e77b1 already. The problem has     limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the     Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties     dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit.     (CVE-2018-1000204)    - An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc     in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from     unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and     CVE-2018-16658. (CVE-2018-18710)    - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths,     which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted     filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)    - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8,     which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain     sensitive information or cause a denial of service (system crash), via a crafted ioctl call.     (CVE-2016-3713)    - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the     underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based     hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a     kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing     SHA-3 initialization. (CVE-2017-17806)    - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel     through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM     ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)    - ** DISPUTED
** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to     cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party     disputes the relevance of this report because the failure can only occur for physically proximate     attackers who unplug SAS Host Bus Adapter cables.
(CVE-2018-10021)    - drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of     service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated. (CVE-2017-18079)    - An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in     the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and     system crash) by leveraging root access.
(CVE-2017-14051)    - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability     for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.     (CVE-2017-17450)    - ** DISPUTED ** Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c     in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging     root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.     (CVE-2018-7995)    - In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a     missing bounds check. This could lead to local escalation of privilege with System execution privileges     needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android     ID: A-71361580. (CVE-2018-9516)  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Use-after-free vulnerability in the disk_seqf_stop     function in block/genhd.c in the Linux kernel before     4.7.1 allows local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had     failed.(CVE-2016-7910)

  - Race condition in the get_task_ioprio function in     block/ioprio.c in the Linux kernel before 4.6.6 allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get     system call.(CVE-2016-7911)

  - The assoc_array_insert_into_terminal_node function in     lib/assoc_array.c in the Linux kernel before 4.5.3 does     not check whether a slot is a leaf, which allows local     users to obtain sensitive information from kernel     memory or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data structures, as     demonstrated by the keyutils test suite.(CVE-2016-7914)

  - The IPv6 stack in the Linux kernel before 4.3.3     mishandles options data, which allows local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call.(CVE-2016-3841)

  - Race condition in the environ_read function in     fs/proc/base.c in the Linux kernel before 4.5.4 allows     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is     incomplete.(CVE-2016-7916)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system     call is processed, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted application that did not supply a     key, related to the lrw_crypt function in crypto/lrw.c     (bnc#1008374).

  - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix     ACLs (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could have enabled a     local malicious application to execute arbitrary code     within the context of the kernel bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux, when the GNU Compiler     Collection (gcc) stack protector is enabled, used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed :

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An out of bounds read in the ping     protocol handler could have lead to information     disclosure (bsc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provides an incomplete set of requirements for setattr     operations that underspecified removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel before 4.8.7, in certain unusual hardware     configurations, allowed remote attackers to execute     arbitrary code via crafted fragmented packets     (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2017-5551: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions. This CVE tracks the     fix for the tmpfs filesystem. (bsc#1021258).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file, aka Android internal bug     25739721 (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bsc#986365).

  - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel     did not reset the PIT counter values during state     restoration, which allowed guest OS users to cause a     denial of service (divide-by-zero error and host OS     crash) via a zero value, related to the     kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions     (bnc#960689).

  - CVE-2013-4312: The Linux kernel allowed local users to     bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor     over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and     IP6T_SO_SET_REPLACE setsockopt implementations in the     netfilter subsystem in the Linux kernel allow local     users to gain privileges or cause a denial of service     (memory corruption) by leveraging in-container root     access to provide a crafted offset value that triggers     an unintended decrement (bnc#986362).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

  - CVE-2016-1583: The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (stack memory consumption) via vectors involving crafted     mmap calls for /proc pathnames, leading to recursive     pagefault handling (bnc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandled NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2015-7833: The usbvision driver in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (panic) via a nonzero bInterfaceNumber value     in a USB device descriptor (bnc#950998).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - It was found that the Linux kernel's IPv6 implementation     mishandled socket options. A local attacker could abuse     concurrent access to the socket options to escalate     their privileges, or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call. (CVE-2016-3841, Important)

(CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)

Additional Changes :

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. For the PowerPC64 a new 'bigmem' flavor has been added to support big Power machines. (FATE#319026) The following security bugs were fixed :

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel, when the GNU     Compiler Collection (gcc) stack protector is enabled,     uses an incorrect buffer size for certain timeout data,     which allowed local users to cause a denial of service     (stack memory corruption and panic) by reading the     /proc/keys file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file, aka Android internal bug     25739721 (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for remote attackers to     hijack TCP sessions via a blind in-window attack     (bnc#989152).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986365).

  - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel     did not reset the PIT counter values during state     restoration, which allowed guest OS users to cause a     denial of service (divide-by-zero error and host OS     crash) via a zero value, related to the     kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions     (bnc#960689).

  - CVE-2013-4312: The Linux kernel allowed local users to     bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor     over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c (bnc#839104     bsc#922947 bsc#968014).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)

* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)

Red Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;
Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-2574 advisory.

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2     incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from     kernel memory by reading packet data. (CVE-2016-2117)

  - The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an     OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service     (system crash) via a rename system call, related to fs/namei.c and fs/open.c. (CVE-2016-6198)

  - Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges     by triggering access to a paging structure by a different CPU. (CVE-2016-2069)

  - The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which     allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large     number of IP addresses. (CVE-2016-3156)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a     certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted series of mount system calls. (CVE-2016-4581)

  - fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows     local users to cause a denial of service (memory consumption) by creating many pipes with non-default     sizes. (CVE-2016-2847)

  - fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local     users to obtain sensitive pre-truncation information from a file via a clone action. (CVE-2015-8374)

  - Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in     the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified     other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)

  - The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR     with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing     exception and panic) via a crafted application. (CVE-2015-8844)

  - The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on     powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call,     which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted     application. (CVE-2015-8845)

  - The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local     users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)

  - The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to     cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. (CVE-2016-2053)

  - Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel     before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)

  - The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not     initialize a certain data structure, which allows local users to obtain sensitive information from kernel     stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)

  - sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which     allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA     timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.
    (CVE-2016-4578)

  - arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when     CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite     loop) by making a H_CEDE hypercall during the existence of a suspended transaction. (CVE-2016-5412)

  - drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a     denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a     device write operation. (CVE-2016-6327)

  - Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel     through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by     changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)

  - fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory     for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL     pointer dereference and panic) via crafted network traffic. (CVE-2015-8746)

  - drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error     conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-     after-free) via crafted packets. (CVE-2015-8812)

  - The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel     before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a     certain page move. (CVE-2016-3070)

  - The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted     with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute     untrusted code by appending ACPI tables to the initrd. (CVE-2016-3699)

  - The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain     privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system     call. (CVE-2016-3841)

  - Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a     denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf     system calls. (CVE-2016-4794)

  - The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc     platforms mishandles transactional state, which allows local users to cause a denial of service (invalid     process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by     starting and suspending a transaction before an exec system call. (CVE-2016-5828)

  - Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through     4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by     changing a certain string, aka a double fetch vulnerability. (CVE-2016-6136)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)

Additional Changes :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/2754251

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)

* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)

Red Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;
Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

USN-3083-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

Dmitry Vyukov discovered that the IPv6 implementation in the Linux kernel did not properly handle options data, including a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-3841)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Dmitry Vyukov discovered that the IPv6 implementation in the Linux kernel did not properly handle options data, including a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-3841)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-0855 advisory.

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper     paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support     a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of     service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
    (CVE-2015-5156)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

ID	Name	Product	Family	Severity
124976	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)	Nessus	Huawei Local Security Checks	critical
124816	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1492)	Nessus	Huawei Local Security Checks	critical
120977	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316)	Nessus	Oracle Linux Local Security Checks	high
99846	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1089)	Nessus	Huawei Local Security Checks	high
97297	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0494-1)	Nessus	SuSE Local Security Checks	critical
96903	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)	Nessus	SuSE Local Security Checks	critical
95841	Scientific Linux Security Update : kernel on SL7.x x86_64 (20161103)	Nessus	Scientific Linux Local Security Checks	critical
95536	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2976-1)	Nessus	SuSE Local Security Checks	critical
95321	CentOS 7 : kernel (CESA-2016:2574)	Nessus	CentOS Local Security Checks	critical
94697	Oracle Linux 7 : kernel (ELSA-2016-2574)	Nessus	Oracle Linux Local Security Checks	critical
94667	RHEL 7 : kernel (RHSA-2016:2695)	Nessus	Red Hat Local Security Checks	high
94547	RHEL 7 : kernel-rt (RHSA-2016:2584)	Nessus	Red Hat Local Security Checks	critical
94537	RHEL 7 : kernel (RHSA-2016:2574)	Nessus	Red Hat Local Security Checks	critical
93603	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3083-2)	Nessus	Ubuntu Local Security Checks	high
93602	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3083-1)	Nessus	Ubuntu Local Security Checks	high
91210	Oracle Linux 6 : kernel (ELSA-2016-0855)	Nessus	Oracle Linux Local Security Checks	high
91170	CentOS 6 : kernel (CESA-2016:0855)	Nessus	CentOS Local Security Checks	high
91077	RHEL 6 : kernel (RHSA-2016:0855)	Nessus	Red Hat Local Security Checks	high

CVE-2016-3841

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

high

high

critical

critical

critical

critical

critical

critical

high

critical

critical

high

high

high

high

high