https://source.android.com/security/bulletin/pixel/2017-12-01

USN-3753-1

USN-3753-2

USN-3820-1

USN-3820-2

USN-3820-3

USN-3822-1

USN-3822-2

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

  - An elevation of privilege vulnerability in the kernel     scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233.(CVE-2017-13168)

  - A flaw in the load_elf_binary() function in the Linux     kernel allows a local attacker to leak the base address     of .text and stack sections for setuid binaries and     bypass ASLR because install_exec_creds() is called too     late in this function.(CVE-2019-11190)

  - The SCTP socket buffer used by a userspace application     is not accounted by the cgroups subsystem. An attacker     can use this flaw to cause a denial of service     attack.(CVE-2019-3874)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A flaw was found in the Linux kernel in the     hid_debug_events_read() function in the     drivers/hid/hid-debug.c file. A lack of the certain     checks may allow a privileged user ('root') to achieve     an out-of-bounds write and thus receiving user space     buffer corruption.(CVE-2018-9516)

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A flaw was found in the implementation of the 'fill     buffer', a mechanism used by modern CPUs when a     cache-miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time     can be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data)     sub-operations. These sub-operations allow the     processor to hand-off address generation logic into     these sub-operations for optimized writes. Both of     these sub-operations write to a shared distributed     processor structure called the 'processor store     buffer'. As a result, an unprivileged attacker could     use this flaw to read private data resident within the     CPU's processor store buffer. (CVE-2018-12126)

  - Microprocessors use a 'load port' subcomponent to     perform load operations from memory or IO. During a     load operation, the load port receives data from the     memory or IO subsystem and then provides the data to     the CPU registers and operations in the CPU's     pipelines. Stale load operations results are stored in     the 'load port' table until overwritten by newer     operations. Certain load-port operations triggered by     an attacker can be used to reveal data about previous     stale requests leaking data back to the attacker via a     timing side-channel. (CVE-2018-12127)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An elevation of privilege vulnerability in the kernel     scsi driver. Product: Android. Versions: Android     kernel. Android ID A-65023233.(CVE-2017-13168)

  - Non-optimized code for key handling of shared futexes     was found in the Linux kernel in the form of unbounded     contention time due to the page lock for real-time     users. Before the fix, the page lock was an     unnecessarily heavy lock for the futex path that     protected too much. After the fix, the page lock is     only required in a specific corner case.(CVE-2018-9422)

  - A flaw in the load_elf_binary() function in the Linux     kernel allows a local attacker to leak the base address     of .text and stack sections for setuid binaries and     bypass ASLR because install_exec_creds() is called too     late in this function.(CVE-2019-11190)

  - A flaw was found in the Linux kernel ext4 filesystem.
    An out-of-bound access is possible in the     ext4_ext_drop_refs() function when operating on a     crafted ext4 filesystem image.(CVE-2018-10877)

  - A vulnerability was found in polkit. When     authentication is performed by a non-root user to     perform an administrative task, the authentication is     temporarily cached in such a way that a local attacker     could impersonate the authorized process, thus gaining     access to elevated privileges.(CVE-2019-6133)

  - A flaw was found in the Linux kernel in the function     hso_probe() which reads if_num value from the USB     device (as an u8) and uses it without a length check to     index an array, resulting in an OOB memory read in     hso_probe() or hso_get_config_data(). An attacker with     a forged USB device and physical access to a system     (needed to connect such a device) can cause a system     crash and a denial of service.(CVE-2018-19985)

  - A flaw was found in the Linux kernel's implementation     of logical link control and adaptation protocol     (L2CAP), part of the Bluetooth stack in the     l2cap_parse_conf_rsp and l2cap_parse_conf_req     functions. An attacker with physical access within the     range of standard Bluetooth transmission can create a     specially crafted packet. The response to this     specially crafted packet can contain part of the kernel     stack which can be used in a further     attack.(CVE-2019-3460)

  - A flaw was found in the Linux kernels implementation of     Logical link control and adaptation protocol (L2CAP),     part of the Bluetooth stack. An attacker with physical     access within the range of standard Bluetooth     transmission can create a specially crafted packet. The     response to this specially crafted packet can contain     part of the kernel stack which can be used in a further     attack.(CVE-2019-3459)

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

kernel-uek [3.8.13-118.28.1.el7uek]
- udf: Check component length before reading it (Jan Kara) [Orabug: 21193696] {CVE-2014-9728}
- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 21193696] {CVE-2014-9728}
- intel_pstate: Fix overflow in busy_scaled due to long delay (mridula shastry) [Orabug: 28005134] - scsi: libsas: defer ata device eh commands to libata (Jason Yan) [Orabug: 28459689] {CVE-2018-10021}
- nfsd: silence sparse warning about accessing credentials (Jeff Layton) [Orabug: 28824742] {CVE-2017-13168}
- scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug: 28824742] {CVE-2017-13168}
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28892683] {CVE-2018-1000204}
- ALSA: rawmidi: Change resized buffers atomically (Takashi Iwai) [Orabug: 28898650] {CVE-2018-10902}
- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901657] {CVE-2016-3713} {CVE-2016-3713}
- cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929777] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710}
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) {CVE-2018-7755} {CVE-2018-7755}
- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: 28976585] {CVE-2017-17805}
- crypto: hmac - require that the underlying hash algorithm is unkeyed (Eric Biggers) [Orabug: 28976654] {CVE-2017-17806}

The remote OracleVM system is missing necessary patches to address critical security updates :

  - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447!     (Mike Kravetz) 

  - scsi: libsas: fix memory leak in sas_smp_get_phy_events     (Jason Yan) [Orabug: 27927687] (CVE-2018-7757)

  - KVM: vmx: shadow more fields that are read/written on     every vmexits (Paolo Bonzini) [Orabug: 28581045]

  - vhost/scsi: Use common handling code in request queue     handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Extract common handling code from control     queue handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Respond to control queue operations (Bijan     Mottahedeh) 

  - scsi: lpfc: devloss timeout race condition caused null     pointer reference (James Smart) [Orabug: 27994179]

  - scsi: qla2xxx: Fix race condition between iocb timeout     and initialisation (Ben Hutchings) [Orabug: 28013813]

  - i40e: Add programming descriptors to cleaned_count     (Alexander Duyck) 

  - i40e: Fix memory leak related filter programming status     (Alexander Duyck) [Orabug: 28228724]

  - xen-swiotlb: use actually allocated size on check     physical continuous (Joe Jin) [Orabug: 28258102]

  - Revert 'Revert 'xen-swiotlb: fix the check condition for     xen_swiotlb_free_coherent'' (Dongli Zhang) [Orabug:
    28258102]

  - net/mlx4_en: fix potential use-after-free with     dma_unmap_page (Sarah Newman) [Orabug: 28376051]

  - ocfs2: fix ocfs2 read block panic (Junxiao Bi) [Orabug:
    28580543]

  - block: fix bdi vs gendisk lifetime mismatch (Dan     Williams) [Orabug: 28645416]

  - e1000e: Fix link check race condition (Benjamin Poirier)     [Orabug: 28716958]

  - Revert 'e1000e: Separate signaling for link check/link     up' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Avoid missed interrupts following ICR read     (Benjamin Poirier) 

  - e1000e: Fix queue interrupt re-raising in Other     interrupt (Benjamin Poirier) [Orabug: 28716958]

  - Partial revert 'e1000e: Avoid receiver overrun interrupt     bursts' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Remove Other from EIAC (Benjamin Poirier)     [Orabug: 28716958]

  - Fix error code in nfs_lookup_verify_inode (Lance     Shelton) [Orabug: 28789030]

  - workqueue: Allow modifying low level unbound workqueue     cpumask (Lai Jiangshan) [Orabug: 28813166]

  - workqueue: Create low-level unbound workqueues cpumask     (Frederic Weisbecker) [Orabug: 28813166]

  - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug:
    28824718] (CVE-2017-13168)

  - Revert 'rds: RDS (tcp) hangs on sendto to unresponding     address' (Brian Maly) [Orabug: 28837953]

  - x86/speculation: Retpoline should always be available on     Skylake (Alexandre Chartre) [Orabug: 28801831]

  - x86/speculation: Add sysfs entry to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Switch to IBRS when loading a     non-retpoline module (Alexandre Chartre) [Orabug:
    28607548]

  - x86/speculation: Remove unnecessary retpoline     alternatives (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Use static key to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - locking/static_keys: Provide DECLARE and well as DEFINE     macros (Tony Luck) [Orabug: 28607548]

  - jump_label: remove bug.h, atomic.h dependencies for     HAVE_JUMP_LABEL (Jason Baron) [Orabug: 28607548]

  - locking/static_key: Fix concurrent static_key_slow_inc     (Paolo Bonzini) [Orabug: 28607548]

  - jump_label: make static_key_enabled work on     static_key_true/false types too (Tejun Heo) [Orabug:
    28607548]

  - locking/static_keys: Fix up the static keys     documentation (Jonathan Corbet) [Orabug: 28607548]

  - locking/static_keys: Fix a silly typo (Jonathan Corbet)     [Orabug: 28607548]

  - jump label, locking/static_keys: Update docs (Jason     Baron) [Orabug: 28607548]

  - x86/asm: Add asm macros for static keys/jump labels     (Andy Lutomirski) 

  - x86/asm: Error out if asm/jump_label.h is included     inappropriately (Andy Lutomirski) [Orabug: 28607548]

  - jump_label/x86: Work around asm build bug on     older/backported GCCs (Peter Zijlstra) [Orabug:
    28607548]

  - locking/static_keys: Add a new static_key interface     (Peter Zijlstra) 

  - locking/static_keys: Rework update logic (Peter     Zijlstra) [Orabug: 28607548]

  - jump_label: Add jump_entry_key helper (Peter Zijlstra)     [Orabug: 28607548]

  - jump_label, locking/static_keys: Rename     JUMP_LABEL_TYPE_* and related helpers to the static_key*     pattern (Peter Zijlstra) [Orabug: 28607548]

  - jump_label: Rename JUMP_LABEL_[EN,DIS]ABLE to     JUMP_LABEL_[JMP,NOP] (Peter Zijlstra) [Orabug: 28607548]

  - module, jump_label: Fix module locking (Peter Zijlstra)     [Orabug: 28607548]

  - x86/speculation: Protect against userspace-userspace     spectreRSB (Jiri Kosina) [Orabug: 28631590]     (CVE-2018-15572)

  - x86/spectre_v2: Remove remaining references to lfence     mitigation (Alejandro Jimenez) [Orabug: 28631590]     (CVE-2018-15572)

  - Revert 'md: allow a partially recovered device to be     hot-added to an array.' (NeilBrown) [Orabug: 28702623]

  - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel     Jordan) 

  - net/mlx4_core: print firmware version during driver     loading (Qing Huang) [Orabug: 28809377]

  - mm: numa: Do not trap faults on shared data section     pages. (Henry Willard) [Orabug: 28814880]

  - hugetlbfs: dirty pages as they are added to pagecache     (Mike Kravetz) 

  - rds: RDS (tcp) hangs on sendto to unresponding address     (Ka-Cheong Poon) [Orabug: 28762608]

  - nfs: fix a deadlock in nfs client initialization (Scott     Mayhew) 

  - infiniband: fix a possible use-after-free bug (Cong     Wang) [Orabug: 28774517] (CVE-2018-14734)

Jim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). (CVE-2016-9588)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3820-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[4.14.35-1818.4.5.el7uek]
- x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: x86_spec_ctrl_set needs to be called unconditionally (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris Ostrovsky)  [Orabug: 28814574]

[4.14.35-1818.4.4.el7uek]
- ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28821391]
- scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824731] {CVE-2017-13168}
- hugetlbfs: introduce truncation/fault mutex to avoid races (Mike Kravetz)  [Orabug: 28776542]
- rds: MPRDS messages delivered out of order (Ka-Cheong Poon)  [Orabug: 28838051]
- x86/bugs: rework x86_spec_ctrl_set to make its changes explicit (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec ctrl MSR (Daniel Jordan)  [Orabug: 28270952]
- iommu: turn on iommu=pt by default (Tushar Dave)  [Orabug: 28111039]
- vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775556]

[4.14.35-1818.4.3.el7uek]
- Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 28807515]
- x86/speculation: Retpoline should always be available on Skylake (Alexandre Chartre)  [Orabug: 28801830]
- x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) [Orabug: 28802799]
- net/mlx4_core: print firmware version during driver loading (Qing Huang)  [Orabug: 28809382]
- hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) [Orabug: 28813999]

[4.14.35-1818.4.2.el7uek]
- infiniband: fix a possible use-after-free bug (Cong Wang)  [Orabug: 28774511]  {CVE-2018-14734}
- nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [Orabug: 28775910]
- x86/speculation: Unconditionally fill RSB on context switch (Alejandro Jimenez)  [Orabug: 28631576]  {CVE-2018-15572}
- bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface (Somnath Kotur)  [Orabug: 28539344]
- rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong Poon)  [Orabug: 28762597]
- uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) [Orabug: 28769119]
- arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc Zyngier)  [Orabug: 28762424]  {CVE-2018-18021}
- arm64: KVM: Tighten guest core register access from userspace (Dave Martin)  [Orabug: 28762424]  {CVE-2018-18021}
- iommu/amd: Clear memory encryption mask from physical address (Singh, Brijesh)  [Orabug: 28770185]

[4.14.35-1818.4.1.el7uek]
- mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) [Orabug: 28700955]  {CVE-2018-17182}
- Btrfs: fix log replay failure after unlink and link combination (Filipe Manana)  [Orabug: 27941939]
- x86/speculation: Add sysfs entry to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Allow IBRS firmware to be enabled when IBRS is disabled (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Remove unnecessary retpoline alternatives (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Use static key to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) [Orabug: 28632641]
- IB/core: Initialize relaxed_pd properly (Yuval Shaia)  [Orabug: 28197305]

[4.14.35-1818.4.0.el7uek]
- e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 28489384]
- Revert 'e1000e: Separate signaling for link check/link up' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) [Orabug: 28489384]
- e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin Poirier)  [Orabug: 28489384]
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28489384]
- btrfs: validate type when reading a chunk (Gu Jinxiang)  [Orabug: 28700851]  {CVE-2018-14611}
- btrfs: Check that each block group has corresponding chunk at mount time (Qu Wenruo)  [Orabug: 28700872]  {CVE-2018-14610}
- net: rds: Use address family to designate IPv4 or IPv6 addresses (H&aring kon Bugge)  [Orabug: 28720069]
- net: rds: Fix blank at eol in af_rds.c (H&aring kon Bugge)  [Orabug: 28720069]

Description of changes:

[4.1.12-124.21.1.el7uek]
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447! (Mike Kravetz) [Orabug: 28839992]
- scsi: libsas: fix memory leak in sas_smp_get_phy_events() (Jason Yan) [Orabug: 27927687]  {CVE-2018-7757}
- KVM: vmx: shadow more fields that are read/written on every vmexits (Paolo Bonzini)  [Orabug: 28581045]
- vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh)  [Orabug: 28775573]
- vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh)  [Orabug: 28775573]
- vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775573]

[4.1.12-124.20.8.el7uek]
- scsi: lpfc: devloss timeout race condition caused NULL pointer reference (James Smart)  [Orabug: 27994179]
- scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (Ben Hutchings)  [Orabug: 28013813]
- i40e: Add programming descriptors to cleaned_count (Alexander Duyck) [Orabug: 28228724]
- i40e: Fix memory leak related filter programming status (Alexander Duyck)  [Orabug: 28228724]
- xen-swiotlb: use actually allocated size on check physical continuous (Joe Jin)  [Orabug: 28258102]
- Revert 'Revert 'xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent'' (Dongli Zhang)  [Orabug: 28258102]
- net/mlx4_en: fix potential use-after-free with dma_unmap_page (Sarah Newman)  [Orabug: 28376051]
- ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28580543]
- block: fix bdi vs gendisk lifetime mismatch (Dan Williams)  [Orabug: 28645416]
- e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 28716958]
- Revert 'e1000e: Separate signaling for link check/link up' (Benjamin Poirier)  [Orabug: 28716958]
- e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) [Orabug: 28716958]
- e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin Poirier)  [Orabug: 28716958]
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (Benjamin Poirier)  [Orabug: 28716958]
- e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28716958]
- Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 28789030]
- workqueue: Allow modifying low level unbound workqueue cpumask (Lai Jiangshan)  [Orabug: 28813166]
- workqueue: Create low-level unbound workqueues cpumask (Frederic Weisbecker)  [Orabug: 28813166]
- scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824718] {CVE-2017-13168}

USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125513	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1586)	Nessus	Huawei Local Security Checks	high
124431	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1304)	Nessus	Huawei Local Security Checks	high
119535	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4300)	Nessus	Oracle Linux Local Security Checks	high
119010	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0273)	Nessus	OracleVM Local Security Checks	medium
118973	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3822-1)	Nessus	Ubuntu Local Security Checks	high
118970	Ubuntu 14.04 LTS : linux-azure vulnerabilities (USN-3820-3)	Nessus	Ubuntu Local Security Checks	high
118969	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp vulnerabilities (USN-3820-2)	Nessus	Ubuntu Local Security Checks	high
118968	Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities (USN-3820-1)	Nessus	Ubuntu Local Security Checks	high
118861	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)	Nessus	Oracle Linux Local Security Checks	high
118814	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4265)	Nessus	Oracle Linux Local Security Checks	medium
112112	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)	Nessus	Ubuntu Local Security Checks	high
112111	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-13168

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins