http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1

96271

https://bugzilla.kernel.org/show_bug.cgi?id=193921

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4904-1 advisory.

  - The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr     operations that underspecifies removing extended privilege attributes, which allows local users to cause a     denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by     using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)

  - The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local     users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in kernel/time/timer.c. (CVE-2017-5967)

  - The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11     allows local users to cause a denial of service (improper error handling and system crash) or possibly     have unspecified other impact via a crafted USB device. (CVE-2017-16644)

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference. (CVE-2019-16231)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16232)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to     the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be     encountered. In one case, an error encountered earlier might be discarded by later processing, resulting     in the caller assuming successful mapping, and hence subsequent operations trying to access space that     wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery     from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930)

  - An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI     backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially     being at least under the influence of guests (such as out of memory conditions), it isn't correct to     assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running     in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
    (CVE-2021-26931)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel. A use-after-free     was found in the way the console subsystem was using     ioctls KDGKBSENT and KDSKBSENT. A local user could use     this flaw to get read memory access out of bounds. The     highest threat from this vulnerability is to data     confidentiality.(CVE-2020-25656)

  - The time subsystem in the Linux kernel through 4.9.9,     when CONFIG_TIMER_STATS is enabled, allows local users     to discover real PID values (as distinguished from PID     values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer     function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in     kernel/time/timer.c.(CVE-2017-5967)

  - A flaw in the way reply ICMP packets are limited in the     Linux kernel functionality was found that allows to     quickly scan open UDP ports. This flaw allows an     off-path remote user to effectively bypassing source     port UDP randomization. The highest threat from this     vulnerability is to confidentiality and possibly     integrity, because software that relies on UDP source     port randomization are indirectly affected as well.
    Kernel versions before 5.10 may be vulnerable to this     issue.(CVE-2020-25705)

  - In cdev_get of char_dev.c, there is a possible     use-after-free due to a race condition. This could lead     to local escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation.Product: AndroidVersions:
    Android-10Android ID: A-153467744(CVE-2020-0305)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-140550171(CVE-2020-0427)

  - A flaw was discovered in the way that the KVM     hypervisor handled instruction emulation for an L2     guest when nested virtualisation is enabled. Under some     circumstances, an L2 guest may trick the L0 guest into     accessing sensitive L1 resources that should be     inaccessible to the L2 guest.(CVE-2020-2732)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel(CVE-2020-0404)

  - A stack information leak flaw was found in s390/s390x     in the Linux kernel's memory manager functionality,     where it incorrectly writes to the     /proc/sys/vm/cmm_timeout file. This flaw allows a local     user to see the kernel data.(CVE-2020-10773)

  - Improper access control in BlueZ may allow an     unauthenticated user to potentially enable information     disclosure via adjacent access.(CVE-2020-12352)

  - A flaw was found in the Linux kernel. A use-after-free     memory flaw was found in the perf subsystem allowing a     local attacker with permission to monitor perf events     to corrupt memory and possibly escalate privileges. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-14351)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-151939299(CVE-2020-0433)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 5.4.0-rc2, there is a     use-after-free (read) in the __blk_add_trace function     in kernel/trace/blktrace.c (which is used to fill out a     blk_io_trace structure and place it in a per-cpu     sub-buffer).(CVE-2019-19768)

  - The Linux kernel through 5.3.13 has a start_offset+size     Integer Overflow in cpia2_remap_buffer in     drivers/media/usb/cpia2/cpia2_core.c because cpia2 has     its own mmap implementation. This allows local users     (with /dev/video0 access) to obtain read and write     permissions on kernel physical pages, which can     possibly result in a privilege     escalation.(CVE-2019-18675)

  - An issue was discovered in the Linux kernel through     5.5.6. set_fdc in drivers/block/floppy.c leads to a     wait_til_ready out-of-bounds read because the FDC index     is not checked for errors before assigning it, aka     CID-2e90ca68b0d2.(CVE-2020-9383)

  - There is a use-after-free vulnerability in the Linux     kernel through 5.5.2 in the vgacon_invert_region     function in     drivers/video/console/vgacon.c.(CVE-2020-8649)

  - There is a use-after-free vulnerability in the Linux     kernel through 5.5.2 in the vc_do_resize function in     drivers/tty/vt/vt.c.(CVE-2020-8647)

  - The time subsystem in the Linux kernel, when     CONFIG_TIMER_STATS is enabled, allows local users to     discover real PID values (as distinguished from PID     values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer     function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in     kernel/time/timer.c.(CVE-2017-5967)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2014-8181)

  - ext4_protect_reserved_inode in fs/ext4/block_validity.c     in the Linux kernel through 5.5.3 allows attackers to     cause a denial of service (soft lockup) via a crafted     journal size.(CVE-2020-8992)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
    ConsultIDs: CVE-2020-12826. Reason: This candidate is a     duplicate of CVE-2020-12826. Notes: All CVE users     should reference CVE-2020-12826 instead of this     candidate. All references and descriptions in this     candidate have been removed to prevent accidental     usage.(CVE-2020-10741)

  - A signal access-control issue was discovered in the     Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
    Because exec_id in include/linux/sched.h is only 32     bits, an integer overflow can interfere with a     do_notify_parent protection mechanism. A child process     can send an arbitrary signal to a parent process in a     different security domain. Exploitation limitations     include the amount of elapsed time before an integer     overflow occurs, and the lack of scenarios where     signals to a parent process present a substantial     operational threat.(CVE-2020-12826)

  - gadget_dev_desc_UDC_store in     drivers/usb/gadget/configfs.c in the Linux kernel     through 5.6.13 relies on kstrdup without considering     the possibility of an internal '\0' value, which allows     attackers to trigger an out-of-bounds read, aka     CID-15753588bcd4.(CVE-2020-13143)

  - An issue was discovered in the Linux kernel through     5.6.11. sg_write lacks an sg_remove_request call in a     certain failure case, aka     CID-83c6f2390040.(CVE-2020-12770)

  - An issue was found in Linux kernel before 5.5.4.
    mwifiex_ret_wmm_get_status() in     drivers/net/wireless/marvell/mwifiex/wmm.c allows a     remote AP to trigger a heap-based buffer overflow     because of an incorrect memcpy, aka     CID-3a9b153c5591.(CVE-2020-12654)

  - An issue was found in Linux kernel before 5.5.4. The     mwifiex_cmd_append_vsie_tlv() function in     drivers/net/wireless/marvell/mwifiex/scan.c allows     local users to gain privileges or cause a denial of     service because of an incorrect memcpy and buffer     overflow, aka CID-b70261a288ea.(CVE-2020-12653)

  - usb_sg_cancel in drivers/usb/core/message.c in the     Linux kernel before 5.6.8 has a use-after-free because     a transfer occurs without a reference, aka     CID-056ad39ee925.(CVE-2020-12464)

  - The __mptctl_ioctl function in     drivers/message/fusion/mptctl.c in the Linux kernel     before 5.4.14 allows local users to hold an incorrect     lock during the ioctl operation and trigger a race     condition, i.e., a 'double fetch' vulnerability, aka     CID-28d76df18f0a. NOTE: the vendor states 'The security     impact of this bug is not as bad as it could have been     because these operations are all privileged and root     already has enormous destructive     power.'(CVE-2020-12652)

  - In the Linux kernel before 5.6.1,     drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink     camera USB driver) mishandles invalid descriptors, aka     CID-a246b4d54770.(CVE-2020-11668)

  - An issue was discovered in the stv06xx subsystem in the     Linux kernel before 5.6.1.
    drivers/media/usb/gspca/stv06xx/stv06xx.c and     drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c     mishandle invalid descriptors, as demonstrated by a     NULL pointer dereference, aka     CID-485b06aadb93.(CVE-2020-11609)

  - An issue was discovered in the Linux kernel before     5.6.1. drivers/media/usb/gspca/ov519.c allows NULL     pointer dereferences in ov511_mode_init_regs and     ov518_mode_init_regs when there are zero endpoints, aka     CID-998912346c0d.(CVE-2020-11608)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c     has a stack-based out-of-bounds write because an empty     nodelist is mishandled during mount option parsing, aka     CID-aa9f7d5172fa. NOTE: Someone in the security     community disagrees that this is a vulnerability     because the issue 'is a bug in parsing mount options     which can only be specified by a privileged user, so     triggering the bug does not grant any powers not     already held.'.(CVE-2020-11565)

  - In the Linux kernel before 5.4.12,     drivers/input/input.c has out-of-bounds writes via a     crafted keycode table, as demonstrated by     input_set_keycode, aka     CID-cb222aed03d7.(CVE-2019-20636)

  - In the Linux kernel before 5.5.8, get_raw_socket in     drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel     stack corruption via crafted system     calls.(CVE-2020-10942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the ea_get function in fs/jfs/xattr.c in the Linux     kernel through 4.17.1, a memory corruption bug in JFS     can be triggered by calling setxattr twice with two     different extended attribute names on the same file.
    This vulnerability can be triggered by an unprivileged     user with the ability to create files and execute     programs. A kmalloc call is incorrect, leading to     slab-out-of-bounds in jfs_xattr.(CVE-2018-12233i1/4%0

  - The spectre_v2_select_mitigation function in     arch/x86/kernel/cpu/bugs.c in the Linux kernel before     4.18.1 does not always fill RSB upon a context switch,     which makes it easier for attackers to conduct     userspace-userspace spectreRSB     attacks.(CVE-2018-15572i1/4%0

  - Race condition in the queue_delete function in     sound/core/seq/seq_queue.c in the Linux kernel before     4.4.1 allows local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time.(CVE-2016-2544i1/4%0

  - A flaw was found in the Linux kernel's implementation     of BPF in which systems can application can overflow a     32 bit refcount in both program and map refcount. This     refcount can wrap and end up a user after     free.(CVE-2016-4558i1/4%0

  - Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allows remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block     device.(CVE-2013-4299i1/4%0

  - The imon_probe function in drivers/media/rc/imon.c in     the Linux kernel through 4.13.11 allows local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16537i1/4%0

  - A vulnerability in the handling of Transactional Memory     on powerpc systems was found. An unprivileged local     user can crash the kernel by starting a transaction,     suspending it, and then calling any of the exec() class     system calls.(CVE-2016-5828i1/4%0

  - A cross-boundary flaw was discovered in the Linux     kernel software raid driver. The driver accessed a     disabled bitmap where only the first byte of the buffer     was initialized to zero. This meant that the rest of     the request (up to 4095 bytes) was left and copied into     user space. An attacker could use this flaw to read     private information from user space that would not     otherwise have been accessible.(CVE-2015-5697i1/4%0

  - The parse_hid_report_descriptor function in     drivers/input/tablet/gtco.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16643i1/4%0

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130i1/4%0

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647i1/4%0

  - A flaw was found in the Linux kernel which could cause     a kernel panic when restoring machine specific     registers on the PowerPC platform. Incorrect     transactional memory state registers could     inadvertently change the call path on return from     userspace and cause the kernel to enter an unknown     state and crash.(CVE-2015-8845i1/4%0

  - fs/namespace.c in the Linux kernel through 3.16.1 does     not properly restrict clearing MNT_NODEV, MNT_NOSUID,     and MNT_NOEXEC and changing MNT_ATIME_MASK during a     remount of a bind mount, which allows local users to     gain privileges, interfere with backups and auditing on     systems that had atime enabled, or cause a denial of     service (excessive filesystem updating) on systems that     had atime disabled via a 'mount -o remount' command     within a user namespace.(CVE-2014-5207i1/4%0

  - The NFS2/3 RPC client could send long arguments to the     NFS server. These encoded arguments are stored in an     array of memory pages, and accessed using pointer     variables. Arbitrarily long arguments could make these     pointers point outside the array and cause an     out-of-bounds memory access. A remote user or program     could use this flaw to crash the kernel, resulting in     denial of service.(CVE-2017-7645i1/4%0

  - The time subsystem in the Linux kernel, when     CONFIG_TIMER_STATS is enabled, allows local users to     discover real PID values (as distinguished from PID     values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer     function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in     kernel/time/timer.c.(CVE-2017-5967i1/4%0

  - A vulnerability was found in the Linux kernel where the     keyctl_set_reqkey_keyring() function leaks the thread     keyring. This allows an unprivileged local user to     exhaust kernel memory and thus cause a     DoS.(CVE-2017-7472i1/4%0

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type-i1/4zmatch     is NULL. A local user could use this flaw to crash the     system or, potentially, escalate their     privileges.(CVE-2017-2647i1/4%0

  - The make_response function in     drivers/block/xen-blkback/blkback.c in the Linux kernel     before 4.11.8 allows guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures, aka XSA-216.(CVE-2017-10911i1/4%0

  - Stack-based buffer overflow in the SET_WPS_IE IOCTL     implementation in wlan_hdd_hostapd.c in the WLAN (aka     Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used     in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to gain privileges via a crafted     application that uses a long WPS IE     element.(CVE-2015-0570i1/4%0

  - The net_ctl_permissions function in net/sysctl_net.c in     the Linux kernel before 3.11.5 does not properly     determine uid and gid values, which allows local users     to bypass intended /proc/sys/net restrictions via a     crafted application.(CVE-2013-4270i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Infinite recursion in ahash.c by triggering EBUSY on a full queue :

A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.(CVE-2017-7618)

Time subsystem allows local users to discover real PID values :

The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.(CVE-2017-5967)

Stack-based buffer overflow in sg_ioctl function :

The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. (CVE-2017-7187)

Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c :

Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in mm/mempolicy.c; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)

Race condition in Link Layer Control :

A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system.
(CVE-2017-2671)

Overflow in check for priv area size :

It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system.
Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7308)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2016-2188

Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2016-9604

It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown.

CVE-2016-10200

Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-2647 / CVE-2017-6951

idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash).

CVE-2017-2671

Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default.

CVE-2017-5967

Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces.

CVE-2017-5970

Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled.

CVE-2017-7184

Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation.

CVE-2017-7261

Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash).

CVE-2017-7273

Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2017-7294

Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-7308

Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation.

CVE-2017-7472

Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion).

CVE-2017-7616

Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS.

CVE-2017-7618

Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash).

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs.

For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.9.10 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
148498	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4904-1)	Nessus	Ubuntu Local Security Checks	medium
146181	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1200)	Nessus	Huawei Local Security Checks	high
137932	EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2020-1713)	Nessus	Huawei Local Security Checks	medium
124802	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1478)	Nessus	Huawei Local Security Checks	high
100106	Amazon Linux AMI : kernel (ALAS-2017-828)	Nessus	Amazon Linux Local Security Checks	high
99733	Debian DLA-922-1 : linux security update	Nessus	Debian Local Security Checks	high
97310	Fedora 24 : kernel (2017-787bc0d5b4)	Nessus	Fedora Local Security Checks	high
97237	Fedora 25 : kernel (2017-0054c7b1f0)	Nessus	Fedora Local Security Checks	high

CVE-2017-5967

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

medium

high

high

high

high

high