DSA-3791

[oss-security] 20170131 CVE-2017-2596 Kernel: kvm: page reference leakage in handle_vmon

95878

RHSA-2017:1842

RHSA-2017:2077

https://bugzilla.redhat.com/show_bug.cgi?id=1417812

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to host memory leakage     issue. It could occur while emulating VMXON instruction     in 'handle_vmon'. An L1 guest user could use this flaw     to leak host memory potentially resulting in     DoS.(CVE-2017-2596i1/4%0

  - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST     extension implementations in the sk_run_filter function     in net/core/filter.c in the Linux kernel through 3.14.3     do not check whether a certain length value is     sufficiently large, which allows local users to cause a     denial of service (integer underflow and system crash)     via crafted BPF instructions. NOTE: the affected code     was moved to the __skb_get_nlattr and
    __skb_get_nlattr_nest functions before the     vulnerability was announced.(CVE-2014-3144i1/4%0

  - A flaw was found in the Linux kernel when freeing pages     in hugetlbfs. This could trigger a local denial of     service by crashing the kernel.(CVE-2017-15127i1/4%0

  - An issue was discovered in the Linux kernel before 4.8.
    Incorrect access checking in overlayfs mounts could be     used by local attackers to modify or truncate files in     the underlying filesystem.(CVE-2018-16597i1/4%0

  - Memory leak in the cuse_channel_release function in     fs/fuse/cuse.c in the Linux kernel before 4.4 allows     local users to cause a denial of service (memory     consumption) or possibly have unspecified other impact     by opening /dev/cuse many times.(CVE-2015-1339i1/4%0

  - A flaw was found in the way the Linux kernel's nested     NMI handler and espfix64 functionalities interacted     during NMI processing. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the     system.(CVE-2015-3290i1/4%0

  - Multiple array index errors in     drivers/hid/hid-multitouch.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_MULTITOUCH is enabled, allow     physically proximate attackers to cause a denial of     service (heap memory corruption, or NULL pointer     dereference and OOPS) via a crafted     device.(CVE-2013-2897i1/4%0

  - A flaw was found in the way the Linux kernel's futex     subsystem handled the requeuing of certain Priority     Inheritance (PI) futexes. A local, unprivileged user     could use this flaw to escalate their privileges on the     system.(CVE-2014-3153i1/4%0

  - The XFS subsystem in the Linux kernel 4.4 and later     allows local users to cause a denial of service     (fdatasync() failure and system hang) by using the vfs     syscall group in the 'trinity' program, as a result of     a page lock order bug in the XFS seek hole/data     implementation.(CVE-2016-8660i1/4%0

  - A flaw was found in the Linux kernel's key management     system where it was possible for an attacker to     escalate privileges or crash the machine. If a user key     gets negatively instantiated, an error code is cached     in the payload area. A negatively instantiated key may     be then be positively instantiated by updating it with     valid data. However, the -i1/4zupdate key type method     must be aware that the error code may be     there.(CVE-2015-8539i1/4%0

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239i1/4%0

  - An information leak flaw was found in the way the Linux     kernel handled media device enumerate entities IOCTL     requests. A local user able to access the /dev/media0     device file could use this flaw to leak kernel memory     bytes.(CVE-2014-1739i1/4%0

  - The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 does not initialize a certain structure     member, which allows local users to obtain sensitive     information from kernel memory via a crafted     application.(CVE-2015-7885i1/4%0

  - An information leak was discovered in the Linux kernel     in cdrom_ioctl_drive_status() function in     drivers/cdrom/cdrom.c that could be used by local     attackers to read kernel memory at certain     location.(CVE-2018-16658i1/4%0

  - A flaw was discovered in the Linux kernel's     implementation of VFIO. An attacker issuing an ioctl     can create a situation where memory is corrupted and     modify memory outside of the expected area. This may     overwrite kernel memory and subvert kernel     execution.(CVE-2016-9083i1/4%0

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invvpid     (Invalidate Translations Based on VPID) instructions.
    On hosts with an Intel processor and invppid VM exit     support, an unprivileged guest user could use these     instructions to crash the guest.(CVE-2014-3646i1/4%0

  - An attacker on a network could abuse a flaw in the IPv6     stack fragment reassembly code to induce kernel memory     corruption on the system, possibly leading to a system     crash.(CVE-2016-9755i1/4%0

  - It was found that a regular user could remove xattr     permissions on files by using the chown or write system     calls. A local attacker could use this flaw to deny     elevated permissions from valid users, services, or     applications, potentially resulting in a denial of     service.(CVE-2015-1350i1/4%0

  - arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux     kernel through 4.7 on PowerPC platforms, when     CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS     users to cause a denial of service (host OS infinite     loop) by making a H_CEDE hypercall during the existence     of a suspended transaction.(CVE-2016-5412i1/4%0

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary     task.(CVE-2018-17972i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The perf_cpu_time_max_percent_handler function in     kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service     (integer overflow) or possibly have unspecified other     impact via a large value, as demonstrated by an     incorrect sample-rate calculation.(CVE-2017-18255)

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270)

  - The timer_create syscall implementation in     kernel/time/posix-timers.c in the Linux kernel doesn't     properly validate the sigevent-i1/4zsigev_notify field,     which leads to out-of-bounds access in the show_timer     function.(CVE-2017-18344)

  - arch/x86/kvm/emulate.c in the Linux kernel through     4.9.3 allows local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt.(CVE-2017-2584)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to host memory leakage     issue. It could occur while emulating VMXON instruction     in 'handle_vmon'. An L1 guest user could use this flaw     to leak host memory potentially resulting in     DoS.(CVE-2017-2596)

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type-i1/4zmatch     is NULL. A local user could use this flaw to crash the     system or, potentially, escalate their     privileges.(CVE-2017-2647)

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671)

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way this     allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - The do_shmat function in ipc/shm.c in the Linux kernel,     through 4.9.12, does not restrict the address     calculated by a certain rounding operation. This allows     privileged local users to map page zero and,     consequently, bypass a protection mechanism that exists     for the mmap system call. This is possible by making     crafted shmget and shmat system calls in a privileged     context.(CVE-2017-5669)

  - A vulnerability was found in the Linux kernel where     having malicious IP options present would cause the     ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible     privilege escalation.(CVE-2017-5970)

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986)

  - It was found that the original fix for CVE-2016-6786     was incomplete. There exist a race between two     concurrent sys_perf_event_open() calls when both try     and move the same pre-existing software group into a     hardware context.(CVE-2017-6001)

  - A use-after-free flaw was found in the way the Linux     kernel's Datagram Congestion Control Protocol (DCCP)     implementation freed SKB (socket buffer) resources for     a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO     option is set on the socket. A local, unprivileged user     could use this flaw to alter the kernel memory,     allowing them to escalate their privileges on the     system.(CVE-2017-6074)

  - A flaw was found in the Linux kernel's handling of     packets with the URG flag. Applications using the     splice() and tcp_splice_read() functionality could     allow a remote attacker to force the kernel to enter a     condition in which it could loop     indefinitely.(CVE-2017-6214)

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348)

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353)

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel allows local users to cause a denial of service     (stack-based buffer overflow) or possibly have     unspecified other impacts via a large command size in     an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds     write access in the sg_write function.(CVE-2017-7187)

  - In was found that in the Linux kernel, in     vmw_surface_define_ioctl() function in     'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a     'num_sizes' parameter is assigned a user-controlled     value which is not checked if it is zero. This is used     in a call to kmalloc() and later leads to dereferencing     ZERO_SIZE_PTR, which in turn leads to a GPF and     possibly to a kernel panic.(CVE-2017-7261)

  - An out-of-bounds write vulnerability was found in the     Linux kernel's vmw_surface_define_ioctl() function, in     the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-7294)

  - It was found that the packet_set_ring() function of the     Linux kernel's networking implementation did not     properly validate certain block-size data. A local     attacker with CAP_NET_RAW capability could use this     flaw to trigger a buffer overflow, resulting in the     crash of the system. Due to the nature of the flaw,     privilege escalation cannot be fully ruled     out.(CVE-2017-7308)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Security Fix(es) :

  - An use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the system.
    (CVE-2016-10200, Important)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type->match is     NULL. A local user could use this flaw to crash the     system or, potentially, escalate their privileges.
    (CVE-2017-2647, Important)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft- lockup the     system and thus cause denial of service. (CVE-2017-8797,     Important)

This update also fixes multiple Moderate and Low impact security issues :

  - CVE-2015-8839, CVE-2015-8970, CVE-2016-9576,     CVE-2016-7042, CVE-2016-7097, CVE-2016-8645,     CVE-2016-9576, CVE-2016-9588, CVE-2016-9806,     CVE-2016-10088, CVE-2016-10147, CVE-2017-2596,     CVE-2017-2671, CVE-2017-5970, CVE-2017-6001,     CVE-2017-6951, CVE-2017-7187, CVE-2017-7616,     CVE-2017-7889, CVE-2017-8890, CVE-2017-9074,     CVE-2017-8890, CVE-2017-9075, CVE-2017-8890,     CVE-2017-9076, CVE-2017-8890, CVE-2017-9077,     CVE-2017-9242, CVE-2014-7970, CVE-2014-7975,     CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

The remote Oracle Linux host is missing a security update for the kernel package(s).

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-1842 advisory.

  - The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the     CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which     allows local users to cause a denial of service (loss of writability) by making certain unshare system     calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. (CVE-2014-7975)

  - The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU     Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout     data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading     the /proc/keys file. (CVE-2016-7042)

  - Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3     allows local users to cause a denial of service (double free) or possibly have unspecified other impact     via a crafted application that makes sendmsg system calls, leading to a free operation associated with a     new dump that started earlier than anticipated. (CVE-2016-9806)

  - The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly     restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory     locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
    (CVE-2016-9576)

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr     call, which allows local users to gain group privileges by leveraging the existence of a setgid program     with restrictions on execute permissions. (CVE-2016-7097)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as     demonstrated by mcryptd(md5). (CVE-2016-10147)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly     emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of page references. (CVE-2017-2596)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain     privileges via a crafted application that makes concurrent perf_event_open system calls for moving a     software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2016-6786. (CVE-2017-6001)

  - The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain     match field, related to the keyring_search_iterator function in keyring.c. (CVE-2017-2647)

  - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15     allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by     leveraging use of the accept system call. (CVE-2017-8890)

  - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)

  - The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly     interact with certain locations of a chroot directory, which allows local users to cause a denial of     service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
    (CVE-2014-7970)

  - crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause     a denial of service (NULL pointer dereference and system crash) via a crafted application that does not     supply a key, related to the lrw_crypt function in crypto/lrw.c. (CVE-2015-8970)

  - Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users     to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c     and net/l2tp/l2tp_ip6.c. (CVE-2016-10200)

  - fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount     namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via     MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of     mounts. (CVE-2016-6213)

  - It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal     keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its     session keyring. This allows root to bypass module signature verification by adding a new public key of     its own devising to the keyring. (CVE-2016-9604)

  - The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a     certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local     users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a     socket system call. (CVE-2017-2671)

  - The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows     local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call     for the dead type. (CVE-2017-6951)

  - Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux     kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by     triggering failure of a certain bitmap operation. (CVE-2017-7616)

  - The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file,     related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)

  - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option, which allows local users to cause a denial of     service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send     system calls. (CVE-2017-9074)

  - The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9076)

  - The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure may occur, which allows local users to cause a     denial of service (system crash) via crafted system calls. (CVE-2017-9242)

  - Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local     users to cause a denial of service (disk corruption) by writing to a page that is associated with a     different user's file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839)

  - Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow     local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
    (CVE-2016-9685)

  - The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when     processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This     type value is uninitialized upon encountering certain error conditions. This value is used as an array     index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the     whole system. (CVE-2017-8797)

  - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9075)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

Li Qiang discovered that an integer overflow vulnerability existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7294)

Jason Donenfeld discovered a heap overflow in the MACsec module in the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7477)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for Matrox G200eH3

  - Support for tcp_westwood The following security bugs     were fixed :

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7374: Use-after-free vulnerability in     fs/crypto/ in the Linux kernel allowed local users to     cause a denial of service (NULL pointer dereference) or     possibly gain privileges by revoking keyring keys being     used for ext4, f2fs, or ubifs encryption, causing     cryptographic transform objects to be freed prematurely     (bnc#1032006).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel had incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulated the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3533 advisory.

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr     call, which allows local users to gain group privileges by leveraging the existence of a setgid program     with restrictions on execute permissions. (CVE-2016-7097)

  - An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious     application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate     because it first requires compromising a privileged process and current compiler optimizations restrict     access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
    A-31349935. (CVE-2016-8399)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain     privileges or cause a denial of service (double free) by setting the HDLC line discipline. (CVE-2017-2636)

  - crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as     demonstrated by mcryptd(md5). (CVE-2016-10147)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2     does not restrict a certain length field, which allows local users to gain privileges or cause a denial of     service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)

  - drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations,     allows remote attackers to execute arbitrary code via crafted fragmented packets. (CVE-2016-8633)

  - Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically     proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact     by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)

  - The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not     properly randomize the legacy base address, which makes it easier for local users to defeat the intended     restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or     setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  - The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly     emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of page references. (CVE-2017-2596)

  - arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in     certain error cases, which allows local users to obtain sensitive information from kernel stack memory via     a crafted application. (CVE-2016-9756)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the     relationship between the minimum fragment length and the maximum packet size, which allows local users to     gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN     capability. (CVE-2016-8632)

  - The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not     initialize a certain integer variable, which allows local users to obtain sensitive information from     kernel stack memory by triggering failure of a get_user_ex call. (CVE-2016-9178)

  - The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6     mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via     filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.
    (CVE-2015-8952)

  - The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1     allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)

  - The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in     required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have     unspecified other impact via crafted system calls. (CVE-2017-6345)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain     privileges via a crafted application that makes concurrent perf_event_open system calls for moving a     software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2016-6786. (CVE-2017-6001)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds     access. (CVE-2017-5897)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     manages lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-2583: The load_segment_descriptor     implementation in arch/x86/kvm/emulate.c in the Linux     kernel improperly emulates a 'MOV SS, NULL selector'     instruction, which allowed guest OS users to cause a     denial of service (guest OS crash) or gain guest OS     privileges via a crafted application (bnc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

The following non-security bugs were fixed :

  - Fix kABI breakage of musb struct in 4.1.39 (stable     4.1.39).

  - Revert 'ptrace: Capture the ptracer's creds not     PT_PTRACE_CAP' (stable 4.1.39).

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - ext4: validate s_first_meta_bg at mount time     (bsc#1023377).

  - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp     (bsc#1030118).

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs.

The following security bugs were fixed :

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application, as demonstrated by     trinity (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

The following non-security bugs were fixed :

  - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC     (bsc#1028819).

  - ACPI, ioapic: Clear on-stack resource before using it     (bsc#1028819).

  - ACPI: Remove platform devices from a bus on removal     (bsc#1028819).

  - add mainline tag to one hyperv patch

  - bnx2x: allow adding VLANs while interface is down     (bsc#1027273).

  - btrfs: backref: Fix soft lockup in __merge_refs function     (bsc#1017641).

  - btrfs: incremental send, do not delay rename when parent     inode is new (bsc#1028325).

  - btrfs: incremental send, do not issue invalid rmdir     operations (bsc#1028325).

  - btrfs: qgroup: Move half of the qgroup accounting time     out of commit trans (bsc#1017461).

  - btrfs: send, fix failure to rename top level inode due     to name collision (bsc#1028325).

  - btrfs: serialize subvolume mounts with potentially     mismatching rw flags (bsc#951844 bsc#1024015)

  - crypto: algif_hash - avoid zero-sized array     (bnc#1007962).

  - cxgb4vf: do not offload Rx checksums for IPv6 fragments     (bsc#1026692).

  - drivers: hv: vmbus: Prevent sending data on a rescinded     channel (fate#320485, bug#1028217).

  - drm/i915: Add intel_uncore_suspend / resume functions     (bsc#1011913).

  - drm/i915: Listen for PMIC bus access notifications     (bsc#1011913).

  - drm/mgag200: Added support for the new device G200eH3     (bsc#1007959, fate#322780)

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

  - futex: Add missing error handling to FUTEX_REQUEUE_PI     (bsc#969755).

  - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI     (bsc#969755).

  - i2c: designware-baytrail: Acquire P-Unit access on bus     acquire (bsc#1011913).

  - i2c: designware-baytrail: Call     pmic_bus_access_notifier_chain (bsc#1011913).

  - i2c: designware-baytrail: Fix race when resetting the     semaphore (bsc#1011913).

  - i2c: designware-baytrail: Only check     iosf_mbi_available() for shared hosts (bsc#1011913).

  - i2c: designware: Disable pm for PMIC i2c-bus even if     there is no _SEM method (bsc#1011913).

  - i2c-designware: increase timeout (bsc#1011913).

  - i2c: designware: Never suspend i2c-busses used for     accessing the system PMIC (bsc#1011913).

  - i2c: designware: Rename accessor_flags to flags     (bsc#1011913).

  - kABI: protect struct iscsi_conn (kabi).

  - kABI: protect struct se_node_acl (kabi).

  - kABI: restore can_rx_register parameters (kabi).

  - kgr/module: make a taint flag module-specific     (fate#313296).

  - kgr: remove all arch-specific kgraft header files     (fate#313296).

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - md/raid1: add rcu protection to rdev in fix_read_error     (References: bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: fix a use-after-free bug     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: handle flush request correctly     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: Refactor raid1_make_request     (bsc#998106,bsc#1020048,bsc#982783).

  - mm: fix set pageblock migratetype in deferred struct     page init (bnc#1027195).

  - mm/page_alloc: Remove useless parameter of
    __free_pages_boot_core (bnc#1027195).

  - module: move add_taint_module() to a header file     (fate#313296).

  - net/ena: change condition for host attribute     configuration (bsc#1026509).

  - net/ena: change driver's default timeouts (bsc#1026509).

  - net: ena: change the return type of ena_set_push_mode()     to be void (bsc#1026509).

  - net: ena: Fix error return code in ena_device_init()     (bsc#1026509).

  - net/ena: fix ethtool RSS flow configuration     (bsc#1026509).

  - net/ena: fix NULL dereference when removing the driver     after device reset failed (bsc#1026509).

  - net/ena: fix potential access to freed memory during     device reset (bsc#1026509).

  - net/ena: fix queues number calculation (bsc#1026509).

  - net/ena: fix RSS default hash configuration     (bsc#1026509).

  - net/ena: reduce the severity of ena printouts     (bsc#1026509).

  - net/ena: refactor ena_get_stats64 to be atomic context     safe (bsc#1026509).

  - net/ena: remove ntuple filter support from device     feature list (bsc#1026509).

  - net: ena: remove superfluous check in ena_remove()     (bsc#1026509).

  - net: ena: Remove unnecessary pci_set_drvdata()     (bsc#1026509).

  - net/ena: update driver version to 1.1.2 (bsc#1026509).

  - net/ena: use READ_ONCE to access completion descriptors     (bsc#1026509).

  - net: ena: use setup_timer() and mod_timer()     (bsc#1026509).

  - net/mlx4_core: Avoid command timeouts during VF driver     device shutdown (bsc#1028017).

  - net/mlx4_core: Avoid delays during VF driver device     shutdown (bsc#1028017).

  - net/mlx4_core: Fix racy CQ (Completion Queue) free     (bsc#1028017).

  - net/mlx4_core: Fix when to save some qp context flags     for dynamic VST to VGT transitions (bsc#1028017).

  - net/mlx4_core: Use cq quota in SRIOV when creating     completion EQs (bsc#1028017).

  - net/mlx4_en: Fix bad WQE issue (bsc#1028017).

  - NFS: do not try to cross a mountpount when there isn't     one there (bsc#1028041).

  - nvme: Do not suspend admin queue that wasn't created     (bsc#1026505).

  - nvme: Suspend all queues before deletion (bsc#1026505).

  - PCI: hv: Fix wslot_to_devfn() to fix warnings on device     removal (fate#320485, bug#1028217).

  - PCI: hv: Use device serial number as PCI domain     (fate#320485, bug#1028217).

  - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

  - RAID1: a new I/O barrier implementation to remove resync     window (bsc#998106,bsc#1020048,bsc#982783).

  - RAID1: avoid unnecessary spin locks in I/O barrier code     (bsc#998106,bsc#1020048,bsc#982783).

  - Revert 'give up on gcc ilog2() constant optimizations'     (kabi).

  - Revert 'net: introduce device min_header_len' (kabi).

  - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown     flow' (bsc#1028017).

  - Revert 'nfit, libnvdimm: fix interleave set cookie     calculation' (kabi).

  - Revert 'RDMA/core: Fix incorrect structure packing for     booleans' (kabi).

  - Revert 'target: Fix NULL dereference during LUN lookup +     active I/O shutdown' (kabi).

  - rtlwifi: rtl_usb: Fix missing entry in USB driver's     private data (bsc#1026462).

  - s390/kmsg: add missing kmsg descriptions (bnc#1025683,     LTC#151573).

  - s390/mm: fix zone calculation in arch_add_memory()     (bnc#1025683, LTC#152318).

  - sched/loadavg: Avoid loadavg spikes caused by delayed     NO_HZ accounting (bsc#1018419).

  - scsi_dh_alua: Do not modify the interval value for     retries (bsc#1012910).

  - scsi: do not print 'reservation conflict' for TEST UNIT     READY (bsc#1027054).

  - softirq: Let ksoftirqd do its job (bsc#1019618).

  - supported.conf: Add tcp_westwood as supported module     (fate#322432)

  - taint/module: Clean up global and module taint flags     handling (fate#313296).

  - Update mainline reference in     patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as     t_fb_create.patch See (bsc#1028158) for the context in     which this was discovered upstream.

  - x86/apic/uv: Silence a shift wrapping warning     (bsc#1023866).

  - x86/mce: Do not print MCEs when mcelog is active     (bsc#1013994).

  - x86, mm: fix gup_pte_range() vs DAX mappings     (bsc#1026405).

  - x86/mm/gup: Simplify get_user_pages() PTE bit handling     (bsc#1026405).

  - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit     access (bsc#1011913).

  - x86/platform/intel/iosf_mbi: Add a PMIC bus access     notifier (bsc#1011913).

  - x86/platform: Remove warning message for duplicate NMI     handlers (bsc#1029220).

  - x86/platform/UV: Add basic CPU NMI health check     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless NMIs     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless systems     (bsc#1023866).

  - x86/platform/UV: Clean up the NMI code to match current     coding style (bsc#1023866).

  - x86/platform/UV: Clean up the UV APIC code     (bsc#1023866).

  - x86/platform/UV: Ensure uv_system_init is called when     necessary (bsc#1023866).

  - x86/platform/UV: Fix 2 socket config problem     (bsc#1023866).

  - x86/platform/UV: Fix panic with missing UVsystab support     (bsc#1023866).

  - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be     NMI source (bsc#1023866).

  - x86/platform/UV: Verify NMI action is valid, default is     standard (bsc#1023866).

  - xen-blkfront: correct maximum segment accounting     (bsc#1018263).

  - xen-blkfront: do not call talk_to_blkback when already     connected to blkback.

  - xen/blkfront: Fix crash if backend does not follow the     right states.

  - xen-blkfront: free resources if xlvbd_alloc_gendisk     fails.

  - xen/netback: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xen/netfront: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xfs: do not take the IOLOCK exclusive for direct I/O     page invalidation (bsc#1015609).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-6786 / CVE-2016-6787     It was discovered that the performance events subsystem     does not properly manage locks during certain     migrations, allowing a local attacker to escalate     privileges. This can be mitigated by disabling     unprivileged use of performance events:sysctl     kernel.perf_event_paranoid=3

  - CVE-2016-8405     Peter Pi of Trend Micro discovered that the frame buffer     video subsystem does not properly check bounds while     copying color maps to userspace, causing a heap buffer     out-of-bounds read, leading to information disclosure.

  - CVE-2016-9191     CAI Qian discovered that reference counting is not     properly handled within proc_sys_readdir in the sysctl     implementation, allowing a local denial of service     (system hang) or possibly privilege escalation.

  - CVE-2017-2583     Xiaohan Zhang reported that KVM for amd64 does not     correctly emulate loading of a null stack selector. This     can be used by a user in a guest VM for denial of     service (on an Intel CPU) or to escalate privileges     within the VM (on an AMD CPU).

  - CVE-2017-2584     Dmitry Vyukov reported that KVM for x86 does not     correctly emulate memory access by the SGDT and SIDT     instructions, which can result in a use-after-free and     information leak.

  - CVE-2017-2596     Dmitry Vyukov reported that KVM leaks page references     when emulating a VMON for a nested hypervisor. This can     be used by a privileged user in a guest VM for denial of     service or possibly to gain privileges in the host.

  - CVE-2017-2618     It was discovered that an off-by-one in the handling of     SELinux attributes in /proc/pid/attr could result in     local denial of service.

  - CVE-2017-5549     It was discovered that the KLSI KL5KUSB105 serial USB     device driver could log the contents of uninitialised     kernel memory, resulting in an information leak.

  - CVE-2017-5551     Jan Kara found that changing the POSIX ACL of a file on     tmpfs never cleared its set-group-ID flag, which should     be done if the user changing it is not a member of the     group-owner. In some cases, this would allow the     user-owner of an executable to gain the privileges of     the group-owner.

  - CVE-2017-5897     Andrey Konovalov discovered an out-of-bounds read flaw     in the ip6gre_err function in the IPv6 networking code.

  - CVE-2017-5970     Andrey Konovalov discovered a denial-of-service flaw in     the IPv4 networking code. This can be triggered by a     local or remote attacker if a local UDP or raw socket     has the IP_RETOPTS option enabled.

  - CVE-2017-6001     Di Shen discovered a race condition between concurrent     calls to the performance events subsystem, allowing a     local attacker to escalate privileges. This flaw exists     because of an incomplete fix of CVE-2016-6786. This can     be mitigated by disabling unprivileged use of     performance events: sysctl kernel.perf_event_paranoid=3

  - CVE-2017-6074     Andrey Konovalov discovered a use-after-free     vulnerability in the DCCP networking code, which could     result in denial of service or local privilege     escalation. On systems that do not already have the dccp     module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-dccp.conf install     dccp false

The 4.9.7 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124971	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1518)	Nessus	Huawei Local Security Checks	high
124825	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)	Nessus	Huawei Local Security Checks	high
102734	CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)	Nessus	CentOS Local Security Checks	high
102645	Scientific Linux Security Update : kernel on SL7.x x86_64 (20170801)	Nessus	Scientific Linux Local Security Checks	high
102511	Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
102281	Oracle Linux 7 : kernel (ELSA-2017-1842)	Nessus	Oracle Linux Local Security Checks	high
102151	RHEL 7 : kernel-rt (RHSA-2017:2077)	Nessus	Red Hat Local Security Checks	high
102143	RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)	Nessus	Red Hat Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
100665	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3312-2)	Nessus	Ubuntu Local Security Checks	critical
100664	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3312-1)	Nessus	Ubuntu Local Security Checks	critical
100255	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3293-1)	Nessus	Ubuntu Local Security Checks	high
100023	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)	Nessus	SuSE Local Security Checks	high
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	critical
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	critical
99157	openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)	Nessus	SuSE Local Security Checks	high
99156	openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)	Nessus	SuSE Local Security Checks	high
97357	Debian DSA-3791-1 : linux - security update	Nessus	Debian Local Security Checks	critical
97033	Fedora 25 : kernel (2017-472052ebe5)	Nessus	Fedora Local Security Checks	medium
97032	Fedora 24 : kernel (2017-392b319bb5)	Nessus	Fedora Local Security Checks	medium

CVE-2017-2596

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

critical

high

high

high

critical

critical

critical

high

high

critical

critical

high

high

critical

medium

medium