http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b74d439e1697110c5e5c600643e823eb1dd0762

DSA-3804

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.13

[oss-security] 20170228 Linux: net/llc: avoid BUG_ON() in skb_orphan() (CVE-2017-6345)

96510

https://github.com/torvalds/linux/commit/8b74d439e1697110c5e5c600643e823eb1dd0762

USN-3754-1

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2     Voice Service driver for the Linux kernel 3.x, as used     in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service (memory     corruption) or possibly have unspecified other impact     via a write request, as demonstrated by a     voice_svc_send_req buffer overflow.(CVE-2016-5343i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4655i1/4%0

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420i1/4%0

  - A flaw was found in the way the Linux kernel's keys     subsystem handled the termination condition in the     associative array garbage collection functionality. A     local, unprivileged user could use this flaw to crash     the system.(CVE-2014-3631i1/4%0

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961i1/4%0

  - Buffer overflow in the oz_cdev_write function in     drivers/staging/ozwpan/ozcdev.c in the Linux kernel     before 3.12 allows local users to cause a denial of     service or possibly have unspecified other impact via a     crafted write operation.(CVE-2013-4513i1/4%0

  - The nfnetlink_rcv_batch() function in     'net/netfilter/nfnetlink.c' in the Linux kernel before     4.5 does not check whether a batch message's length     field is large enough, which allows local users to     obtain sensitive information from kernel memory or     cause a denial of service (infinite loop or     out-of-bounds read) by leveraging the CAP_NET_ADMIN     capability.(CVE-2016-7917i1/4%0

  - Array index error in the kvm_vm_ioctl_create_vcpu     function in virt/kvm/kvm_main.c in the KVM subsystem in     the Linux kernel through 3.12.5 allows local users to     gain privileges via a large id value.(CVE-2013-4587i1/4%0

  - A leak of information was possible when issuing a     netlink command of the stack memory area leading up to     this function call. An attacker could use this to     determine stack information for use in a later     exploit.(CVE-2016-5243i1/4%0

  - An issue was discovered in the Linux kernel in the F2FS     filesystem code. A NULL pointer dereference in     fscrypt_do_page_crypto() in the fs/crypto/crypto.c     function can occur when operating on a file on a     corrupted f2fs image.(CVE-2018-14616i1/4%0

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575i1/4%0

  - A denial of service vulnerability was found in the     WhiteHEAT USB Serial Driver (whiteheat_attach function     in drivers/usb/serial/whiteheat.c). In the driver, the     COMMAND_PORT variable was hard coded and set to 4 (5th     element). The driver assumed that the number of ports     would always be 5 and used port number 5 as the command     port. However, when using a USB device in which the     number of ports was set to a number less than 5 (for     example, 3), the driver triggered a kernel NULL-pointer     dereference. A non-privileged attacker could use this     flaw to panic the host.(CVE-2015-5257i1/4%0

  - The LLC subsystem in the Linux kernel does not ensure     that a certain destructor exists in required     circumstances, which allows local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls.(CVE-2017-6345i1/4%0

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object aEURoer1aEUR     has a total size of 32 bytes. Its field aEURoeeventaEUR and     aEURoevalaEUR both contain 4 bytes padding. These 8 bytes     padding bytes are sent to user without being     initialized.(CVE-2016-4578i1/4%0

  - An information leak flaw was found in the way the Linux     kernel changed certain segment registers and     thread-local storage (TLS) during a context switch. A     local, unprivileged user could use this flaw to leak     the user space TLS base address of an arbitrary     process.(CVE-2014-9419i1/4%0

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364i1/4%0

  - A flaw was found in the Linux kernel's handling of     clearing SELinux attributes on /proc/pid/attr files. An     empty (null) write to this file can crash the system by     causing the system to attempt to access unmapped kernel     memory.(CVE-2017-2618i1/4%0

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794i1/4%0

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)t was found that the Linux kernel's floppy     driver leaked internal kernel memory addresses to user     space during the processing of the FDRAWCMD IOCTL     command. A local user with write access to /dev/fdX     could use this flaw to obtain information about the     kernel heap arrangement. (CVE-2014-1738, Low)Note: A     local user with write access to /dev/fdX could use     these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1737i1/4%0

  - An out-of-bounds memory access flaw was found in the     Linux kernel's aiptek USB tablet driver (aiptek_probe()     function in drivers/input/tablet/aiptek.c). The driver     assumed that the interface always had at least one     endpoint. By using a specially crafted USB device with     no endpoints on one of its interfaces, an unprivileged     user with physical access to the system could trigger a     kernel NULL pointer dereference, causing the system to     panic.(CVE-2015-7515i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for the tcp_westwood TCP scheduling algorithm     The following security bugs were fixed :

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bsc#1035877).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type. (bsc#1029850).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c. (bsc#1030593)

  - CVE-2016-9604: This fixes handling of keyrings starting     with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could     have allowed local users to manipulate privileged     keyrings (bsc#1035576)

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap     operation. (bnc#1033336).

  - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd     subsystem in the Linux kernel allowed remote attackers     to cause a denial of service (system crash) via a long     RPC reply, related to net/sunrpc/svc.c,     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanaged the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bsc#1015703).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bsc#1023762).

  - CVE-2017-5986: A race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacts with mm/migrate.c,     which allowed local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by triggering a certain     page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190)

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697)

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bsc#914939).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bsc#1003077).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nfsd: stricter decoding of write-like NFSv2/v3 ops (J.
    Bruce Fields) [Orabug: 25986995] (CVE-2017-7895)

  - ocfs2/o2net: o2net_listen_data_ready should do nothing     if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug:
    25510857]

  - IB/CORE: sync the resouce access in fmr_pool (Wengang     Wang) [Orabug: 23750748]

  - ipv6: Skip XFRM lookup if dst_entry in socket cache is     valid (Jakub Sitnicki) [Orabug: 25534688]

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25549845]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25549845]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719676] (CVE-2017-2583)     (CVE-2017-2583)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719811] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720815] (CVE-2017-6214)

  - USB: visor: fix null-deref at probe (Johan Hovold)     [Orabug: 25796604] (CVE-2016-2782)

  - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr     Bueso) [Orabug: 25797014] (CVE-2017-5669)

  - vhost: actually track log eventfd file     (Marc-Andr&eacute  Lureau) [Orabug: 25797056]     (CVE-2015-6252)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814664]     (CVE-2017-7184)

  - KEYS: Remove key_type::match in favour of overriding     default by match_preparse (David Howells) [Orabug:
    25823965] (CVE-2017-2647) (CVE-2017-2647)

  - USB: whiteheat: fix potential null-deref at probe (Johan     Hovold) [Orabug: 25825107] (CVE-2015-5257)

  - RDS: fix race condition when sending a message on     unbound socket (Quentin Casasnovas) [Orabug: 25871048]     (CVE-2015-6937) (CVE-2015-6937)

  - udf: Check path length when reading symlink (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udf: Treat symlink component of type 2 as / (Jan Kara)     [Orabug: 25871104] (CVE-2015-9731)

  - udp: properly support MSG_PEEK with truncated buffers     (Eric Dumazet) [Orabug: 25874741] (CVE-2016-10229)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877531] (CVE-2016-7910)

  - RHEL: complement upstream workaround for CVE-2016-10142.
    (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)     (CVE-2016-10142)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25752011] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696689] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696689] (CVE-2017-2636)

  - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc     (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)

  - list: introduce list_first_entry_or_null (Jiri Pirko)     [Orabug: 25696689] (CVE-2017-2636)

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451538] (CVE-2016-8633)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463929]     (CVE-2016-3672)

  - x86 get_unmapped_area: Access mmap_legacy_base through     mm_struct member (Radu Caragea) [Orabug: 25463929]     (CVE-2016-3672)

  - sg_start_req: make sure that there's not too many     elements in iovec (Al Viro) [Orabug: 25490377]     (CVE-2015-5707)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507232] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507232] (CVE-2016-8645)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)

  - x86: bpf_jit: fix compilation of large bpf programs     (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)

  - net: fix a kernel infoleak in x25 module (Kangjie Lu)     [Orabug: 25512417] (CVE-2016-4580)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512472]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682437] (CVE-2017-6345)

  - dccp: fix freeing skb too early for IPV6_RECVPKTINFO     (Andrey Konovalov) [Orabug: 25598277] (CVE-2017-6074)

  - vfs: read file_handle only once in handle_to_path (Sasha     Levin) [Orabug: 25388709] (CVE-2015-1420)

  - crypto: algif_hash - Only export and import on sockets     with data (Herbert Xu) [Orabug: 25417807]

  - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)     [Orabug: 25462763] (CVE-2016-4482)

  - net: fix infoleak in llc (Kangjie Lu) [Orabug: 25462811]     (CVE-2016-4485)

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

  - unix: avoid use-after-free in ep_remove_wait_queue     (Rainer Weikusat) [Orabug: 25464000] (CVE-2013-7446)

Description of changes:

[2.6.39-400.295.2.el6uek]
- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995]  {CVE-2017-7895}

[2.6.39-400.295.1.el6uek]
- ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed)  [Orabug: 25510857]
- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 23750748]
- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki)  [Orabug: 25534688]
- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549845]
- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845]
- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles)  [Orabug: 25549845]
- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719676]  {CVE-2017-2583} {CVE-2017-2583}
- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719811]  {CVE-2017-5986}
- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 25720815]  {CVE-2017-6214}
- USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796604]   {CVE-2016-2782}
- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797014]  {CVE-2017-5669}
- vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 25797056]  {CVE-2015-6252}
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
- KEYS: Remove key_type::match in favour of overriding default by match_preparse (David Howells)  [Orabug: 25823965]  {CVE-2017-2647} {CVE-2017-2647}
- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825107]  {CVE-2015-5257}
- RDS: fix race condition when sending a message on unbound socket (Quentin Casasnovas)  [Orabug: 25871048]  {CVE-2015-6937} {CVE-2015-6937}
- udf: Check path length when reading symlink (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udf: Treat symlink component of type 2 as / (Jan Kara)  [Orabug: 25871104]  {CVE-2015-9731}
- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25874741]  {CVE-2016-10229}
- block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 25877531]  {CVE-2016-7910}
- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas)  [Orabug: 25765786]  {CVE-2016-10142} {CVE-2016-10142}
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765448]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011]  {CVE-2017-7187}
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696689]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696689]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696689]  {CVE-2017-2636}
- list: introduce list_first_entry_or_null (Jiri Pirko)  [Orabug: 25696689]  {CVE-2017-2636}
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463929]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463929]  {CVE-2016-3672}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490377]  {CVE-2015-5707}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507232]  {CVE-2016-8645}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507330]  {CVE-2016-7425}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 25507375]  {CVE-2015-4700}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512417]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512472]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682437]  {CVE-2017-6345}
- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov)  [Orabug: 25598277]  {CVE-2017-6074}
- vfs: read file_handle only once in handle_to_path (Sasha Levin) [Orabug: 25388709]  {CVE-2015-1420}
- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu)  [Orabug: 25417807]
- USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 25462763]  {CVE-2016-4482}
- net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462811]  {CVE-2016-4485}
- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat)  [Orabug: 25464000]  {CVE-2013-7446}
- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25464000]  {CVE-2013-7446}

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enabled scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacted with     mm/migrate.c, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact by     triggering a certain page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanages the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bnc#1015703).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel is too late in     obtaining a certain lock and consequently cannot ensure     that disconnect function calls are safe, which allowed     local users to cause a denial of service (panic) by     leveraging access to the protocol value of IPPROTO_ICMP     in a socket system call (bnc#1031003).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bnc#1023762).

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bnc#1024938).

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bnc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bnc#1033336).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for Matrox G200eH3

  - Support for tcp_westwood The following security bugs     were fixed :

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7374: Use-after-free vulnerability in     fs/crypto/ in the Linux kernel allowed local users to     cause a denial of service (NULL pointer dereference) or     possibly gain privileges by revoking keyring keys being     used for ext4, f2fs, or ubifs encryption, causing     cryptographic transform objects to be freed prematurely     (bnc#1032006).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel had incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulated the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3265-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - RHEL: complement upstream workaround for CVE-2016-10142.
    (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142)     (CVE-2016-10142)

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766914] (CVE-2016-8399)

  - ipv6: stop sending PTB packets for MTU < 1280 (Hagen     Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25752011] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696689] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696689] (CVE-2017-2636)

  - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc     (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636)

  - list: introduce list_first_entry_or_null (Jiri Pirko)     [Orabug: 25696689] (CVE-2017-2636)

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451538] (CVE-2016-8633)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463929]     (CVE-2016-3672)

  - x86 get_unmapped_area: Access mmap_legacy_base through     mm_struct member (Radu Caragea) [Orabug: 25463929]     (CVE-2016-3672)

  - sg_start_req: make sure that there's not too many     elements in iovec (Al Viro) [Orabug: 25490377]     (CVE-2015-5707)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507232] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507232] (CVE-2016-8645)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507330] (CVE-2016-7425)

  - x86: bpf_jit: fix compilation of large bpf programs     (Alexei Starovoitov) [Orabug: 25507375] (CVE-2015-4700)

  - net: fix a kernel infoleak in x25 module (Kangjie Lu)     [Orabug: 25512417] (CVE-2016-4580)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512472]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682437] (CVE-2017-6345)

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

Description of changes:

[2.6.39-400.294.6.el6uek]
- RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas)  [Orabug: 25765786]  {CVE-2016-10142} {CVE-2016-10142}

[2.6.39-400.294.5.el6uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914]  {CVE-2016-8399}
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765448]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011]  {CVE-2017-7187}

[2.6.39-400.294.4.el6uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696689]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696689]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696689]  {CVE-2017-2636}
- list: introduce list_first_entry_or_null (Jiri Pirko)  [Orabug: 25696689]  {CVE-2017-2636}
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463929]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463929]  {CVE-2016-3672}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490377]  {CVE-2015-5707}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507232]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507232]  {CVE-2016-8645}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507330]  {CVE-2016-7425}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 25507375]  {CVE-2015-4700}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512417]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512472]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682437]  {CVE-2017-6345}

Description of changes:

[3.8.13-118.17.4.el7uek]
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790392]  {CVE-2016-9644}

[3.8.13-118.17.3.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766911]  {CVE-2016-8399}

[3.8.13-118.17.2.el7uek]
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765776]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765445]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751996]  {CVE-2017-7187}

[3.8.13-118.17.1.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696686]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696686]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696686]  {CVE-2017-2636}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 21305080]  {CVE-2015-4700}
- net: filter: return -EINVAL if BPF_S_ANC* operation is not supported (Daniel Borkmann)  [Orabug: 22187148] - KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED (David Howells)  - KEYS: Increase root_maxkeys and root_maxbytes sizes (Steve Dickson)  - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451530]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463927]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463927]  {CVE-2016-3672}
- pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (WANG Cong)  [Orabug: 25490335]  {CVE-2015-8569}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490372]  {CVE-2015-5707}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507195]  {CVE-2016-9588}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507230]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507230]  {CVE-2016-8645}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507281] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507328]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507328]  {CVE-2016-7425}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512413]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512471]  {CVE-2016-3140}
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25543892]  {CVE-2017-5970}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682430]  {CVE-2017-6345}
- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov)   {CVE-2017-6074}
- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu)  [Orabug: 25417805]  {CVE-2016-8646}
- USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 25462760]  {CVE-2016-4482}
- net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462807]  {CVE-2016-4485}
- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat)  [Orabug: 25463996]  {CVE-2013-7446}
- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25463996]  {CVE-2013-7446}
- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) [Orabug: 25203623]  {CVE-2016-9793}

Description of changes:

[4.1.12-61.1.33.el7uek]
- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.32.el7uek]
- x86/mm: Expand the exception table logic to allow new handling options (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.31.el7uek]
- rebuild bumping release

[4.1.12-61.1.30.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765436]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984]  {CVE-2017-7187}

[4.1.12-61.1.29.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696677]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696677]  {CVE-2017-2636}
- If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783]
- PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj)  [Orabug: 25353783]
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520]  {CVE-2016-8633}
- usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork)   [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso)   [Orabug: 25463898]  {CVE-2016-3951}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 25507133]  {CVE-2017-2596}
- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153]  {CVE-2016-10147}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507226]  {CVE-2016-8645}
- tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507319]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] {CVE-2015-8952}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682419]  {CVE-2017-6345}
- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847]
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300]  {CVE-2017-5970}
- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 25699015]  {CVE-2017-5897}
- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     manages lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-2583: The load_segment_descriptor     implementation in arch/x86/kvm/emulate.c in the Linux     kernel improperly emulates a 'MOV SS, NULL selector'     instruction, which allowed guest OS users to cause a     denial of service (guest OS crash) or gain guest OS     privileges via a crafted application (bnc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

The following non-security bugs were fixed :

  - Fix kABI breakage of musb struct in 4.1.39 (stable     4.1.39).

  - Revert 'ptrace: Capture the ptracer's creds not     PT_PTRACE_CAP' (stable 4.1.39).

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - ext4: validate s_first_meta_bg at mount time     (bsc#1023377).

  - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp     (bsc#1030118).

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs.

The following security bugs were fixed :

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application, as demonstrated by     trinity (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

The following non-security bugs were fixed :

  - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC     (bsc#1028819).

  - ACPI, ioapic: Clear on-stack resource before using it     (bsc#1028819).

  - ACPI: Remove platform devices from a bus on removal     (bsc#1028819).

  - add mainline tag to one hyperv patch

  - bnx2x: allow adding VLANs while interface is down     (bsc#1027273).

  - btrfs: backref: Fix soft lockup in __merge_refs function     (bsc#1017641).

  - btrfs: incremental send, do not delay rename when parent     inode is new (bsc#1028325).

  - btrfs: incremental send, do not issue invalid rmdir     operations (bsc#1028325).

  - btrfs: qgroup: Move half of the qgroup accounting time     out of commit trans (bsc#1017461).

  - btrfs: send, fix failure to rename top level inode due     to name collision (bsc#1028325).

  - btrfs: serialize subvolume mounts with potentially     mismatching rw flags (bsc#951844 bsc#1024015)

  - crypto: algif_hash - avoid zero-sized array     (bnc#1007962).

  - cxgb4vf: do not offload Rx checksums for IPv6 fragments     (bsc#1026692).

  - drivers: hv: vmbus: Prevent sending data on a rescinded     channel (fate#320485, bug#1028217).

  - drm/i915: Add intel_uncore_suspend / resume functions     (bsc#1011913).

  - drm/i915: Listen for PMIC bus access notifications     (bsc#1011913).

  - drm/mgag200: Added support for the new device G200eH3     (bsc#1007959, fate#322780)

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

  - futex: Add missing error handling to FUTEX_REQUEUE_PI     (bsc#969755).

  - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI     (bsc#969755).

  - i2c: designware-baytrail: Acquire P-Unit access on bus     acquire (bsc#1011913).

  - i2c: designware-baytrail: Call     pmic_bus_access_notifier_chain (bsc#1011913).

  - i2c: designware-baytrail: Fix race when resetting the     semaphore (bsc#1011913).

  - i2c: designware-baytrail: Only check     iosf_mbi_available() for shared hosts (bsc#1011913).

  - i2c: designware: Disable pm for PMIC i2c-bus even if     there is no _SEM method (bsc#1011913).

  - i2c-designware: increase timeout (bsc#1011913).

  - i2c: designware: Never suspend i2c-busses used for     accessing the system PMIC (bsc#1011913).

  - i2c: designware: Rename accessor_flags to flags     (bsc#1011913).

  - kABI: protect struct iscsi_conn (kabi).

  - kABI: protect struct se_node_acl (kabi).

  - kABI: restore can_rx_register parameters (kabi).

  - kgr/module: make a taint flag module-specific     (fate#313296).

  - kgr: remove all arch-specific kgraft header files     (fate#313296).

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - md/raid1: add rcu protection to rdev in fix_read_error     (References: bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: fix a use-after-free bug     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: handle flush request correctly     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: Refactor raid1_make_request     (bsc#998106,bsc#1020048,bsc#982783).

  - mm: fix set pageblock migratetype in deferred struct     page init (bnc#1027195).

  - mm/page_alloc: Remove useless parameter of
    __free_pages_boot_core (bnc#1027195).

  - module: move add_taint_module() to a header file     (fate#313296).

  - net/ena: change condition for host attribute     configuration (bsc#1026509).

  - net/ena: change driver's default timeouts (bsc#1026509).

  - net: ena: change the return type of ena_set_push_mode()     to be void (bsc#1026509).

  - net: ena: Fix error return code in ena_device_init()     (bsc#1026509).

  - net/ena: fix ethtool RSS flow configuration     (bsc#1026509).

  - net/ena: fix NULL dereference when removing the driver     after device reset failed (bsc#1026509).

  - net/ena: fix potential access to freed memory during     device reset (bsc#1026509).

  - net/ena: fix queues number calculation (bsc#1026509).

  - net/ena: fix RSS default hash configuration     (bsc#1026509).

  - net/ena: reduce the severity of ena printouts     (bsc#1026509).

  - net/ena: refactor ena_get_stats64 to be atomic context     safe (bsc#1026509).

  - net/ena: remove ntuple filter support from device     feature list (bsc#1026509).

  - net: ena: remove superfluous check in ena_remove()     (bsc#1026509).

  - net: ena: Remove unnecessary pci_set_drvdata()     (bsc#1026509).

  - net/ena: update driver version to 1.1.2 (bsc#1026509).

  - net/ena: use READ_ONCE to access completion descriptors     (bsc#1026509).

  - net: ena: use setup_timer() and mod_timer()     (bsc#1026509).

  - net/mlx4_core: Avoid command timeouts during VF driver     device shutdown (bsc#1028017).

  - net/mlx4_core: Avoid delays during VF driver device     shutdown (bsc#1028017).

  - net/mlx4_core: Fix racy CQ (Completion Queue) free     (bsc#1028017).

  - net/mlx4_core: Fix when to save some qp context flags     for dynamic VST to VGT transitions (bsc#1028017).

  - net/mlx4_core: Use cq quota in SRIOV when creating     completion EQs (bsc#1028017).

  - net/mlx4_en: Fix bad WQE issue (bsc#1028017).

  - NFS: do not try to cross a mountpount when there isn't     one there (bsc#1028041).

  - nvme: Do not suspend admin queue that wasn't created     (bsc#1026505).

  - nvme: Suspend all queues before deletion (bsc#1026505).

  - PCI: hv: Fix wslot_to_devfn() to fix warnings on device     removal (fate#320485, bug#1028217).

  - PCI: hv: Use device serial number as PCI domain     (fate#320485, bug#1028217).

  - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

  - RAID1: a new I/O barrier implementation to remove resync     window (bsc#998106,bsc#1020048,bsc#982783).

  - RAID1: avoid unnecessary spin locks in I/O barrier code     (bsc#998106,bsc#1020048,bsc#982783).

  - Revert 'give up on gcc ilog2() constant optimizations'     (kabi).

  - Revert 'net: introduce device min_header_len' (kabi).

  - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown     flow' (bsc#1028017).

  - Revert 'nfit, libnvdimm: fix interleave set cookie     calculation' (kabi).

  - Revert 'RDMA/core: Fix incorrect structure packing for     booleans' (kabi).

  - Revert 'target: Fix NULL dereference during LUN lookup +     active I/O shutdown' (kabi).

  - rtlwifi: rtl_usb: Fix missing entry in USB driver's     private data (bsc#1026462).

  - s390/kmsg: add missing kmsg descriptions (bnc#1025683,     LTC#151573).

  - s390/mm: fix zone calculation in arch_add_memory()     (bnc#1025683, LTC#152318).

  - sched/loadavg: Avoid loadavg spikes caused by delayed     NO_HZ accounting (bsc#1018419).

  - scsi_dh_alua: Do not modify the interval value for     retries (bsc#1012910).

  - scsi: do not print 'reservation conflict' for TEST UNIT     READY (bsc#1027054).

  - softirq: Let ksoftirqd do its job (bsc#1019618).

  - supported.conf: Add tcp_westwood as supported module     (fate#322432)

  - taint/module: Clean up global and module taint flags     handling (fate#313296).

  - Update mainline reference in     patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as     t_fb_create.patch See (bsc#1028158) for the context in     which this was discovered upstream.

  - x86/apic/uv: Silence a shift wrapping warning     (bsc#1023866).

  - x86/mce: Do not print MCEs when mcelog is active     (bsc#1013994).

  - x86, mm: fix gup_pte_range() vs DAX mappings     (bsc#1026405).

  - x86/mm/gup: Simplify get_user_pages() PTE bit handling     (bsc#1026405).

  - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit     access (bsc#1011913).

  - x86/platform/intel/iosf_mbi: Add a PMIC bus access     notifier (bsc#1011913).

  - x86/platform: Remove warning message for duplicate NMI     handlers (bsc#1029220).

  - x86/platform/UV: Add basic CPU NMI health check     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless NMIs     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless systems     (bsc#1023866).

  - x86/platform/UV: Clean up the NMI code to match current     coding style (bsc#1023866).

  - x86/platform/UV: Clean up the UV APIC code     (bsc#1023866).

  - x86/platform/UV: Ensure uv_system_init is called when     necessary (bsc#1023866).

  - x86/platform/UV: Fix 2 socket config problem     (bsc#1023866).

  - x86/platform/UV: Fix panic with missing UVsystab support     (bsc#1023866).

  - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be     NMI source (bsc#1023866).

  - x86/platform/UV: Verify NMI action is valid, default is     standard (bsc#1023866).

  - xen-blkfront: correct maximum segment accounting     (bsc#1018263).

  - xen-blkfront: do not call talk_to_blkback when already     connected to blkback.

  - xen/blkfront: Fix crash if backend does not follow the     right states.

  - xen-blkfront: free resources if xlvbd_alloc_gendisk     fails.

  - xen/netback: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xen/netfront: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xfs: do not take the IOLOCK exclusive for direct I/O     page invalidation (bsc#1015609).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2016-9588

Jim Mattson discovered that the KVM implementation for Intel x86 processors does not properly handle #BP and #OF exceptions in an L2 (nested) virtual machine. A local attacker in an L2 guest VM can take advantage of this flaw to cause a denial of service for the L1 guest VM.

CVE-2017-2636

Alexander Popov discovered a race condition flaw in the n_hdlc line discipline that can lead to a double free. A local unprivileged user can take advantage of this flaw for privilege escalation. On systems that do not already have the n_hdlc module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false

CVE-2017-5669

Gareth Evans reported that privileged users can map memory at address 0 through the shmat() system call. This could make it easier to exploit other kernel security vulnerabilities via a set-UID program.

CVE-2017-5986

Alexander Popov reported a race condition in the SCTP implementation that can be used by local users to cause a denial of service (crash).
The initial fix for this was incorrect and introduced further security issues (CVE-2017-6353). This update includes a later fix that avoids those. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-sctp.conf install sctp false

CVE-2017-6214

Dmitry Vyukov reported a bug in the TCP implementation's handling of urgent data in the splice() system call. This can be used by a remote attacker for denial of service (hang) against applications that read from TCP sockets with splice().

CVE-2017-6345

Andrey Konovalov reported that the LLC type 2 implementation incorrectly assigns socket buffer ownership. This might be usable by a local user to cause a denial of service (memory corruption or crash) or privilege escalation. On systems that do not already have the llc2 module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-llc2.conf install llc2 false

CVE-2017-6346

Dmitry Vyukov reported a race condition in the raw packet (af_packet) fanout feature. Local users with the CAP_NET_RAW capability (in any user namespace) can use this for denial of service and possibly for privilege escalation.

CVE-2017-6348

Dmitry Vyukov reported that the general queue implementation in the IrDA subsystem does not properly manage multiple locks, possibly allowing local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.86-1.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1+deb8u2.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-9588     Jim Mattson discovered that the KVM implementation for     Intel x86 processors does not properly handle #BP and     #OF exceptions in an L2 (nested) virtual machine. A     local attacker in an L2 guest VM can take advantage of     this flaw to cause a denial of service for the L1 guest     VM.

  - CVE-2017-2636     Alexander Popov discovered a race condition flaw in the     n_hdlc line discipline that can lead to a double free. A     local unprivileged user can take advantage of this flaw     for privilege escalation. On systems that do not already     have the n_hdlc module loaded, this can be mitigated by     disabling it:echo >> /etc/modprobe.d/disable-n_hdlc.conf     install n_hdlc false

  - CVE-2017-5669     Gareth Evans reported that privileged users can map     memory at address 0 through the shmat() system call.
    This could make it easier to exploit other kernel     security vulnerabilities via a set-UID program.

  - CVE-2017-5986     Alexander Popov reported a race condition in the SCTP     implementation that can be used by local users to cause     a denial-of-service (crash). The initial fix for this     was incorrect and introduced further security issues (     CVE-2017-6353 ). This update includes a later fix that     avoids those. On systems that do not already have the     sctp module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-sctp.conf install     sctp false

  - CVE-2017-6214     Dmitry Vyukov reported a bug in the TCP implementation's     handling of urgent data in the splice() system call.
    This can be used by a remote attacker for     denial-of-service (hang) against applications that read     from TCP sockets with splice().

  - CVE-2017-6345     Andrey Konovalov reported that the LLC type 2     implementation incorrectly assigns socket buffer     ownership. This can be used by a local user to cause a     denial-of-service (crash). On systems that do not     already have the llc2 module loaded, this can be     mitigated by disabling it:echo >>     /etc/modprobe.d/disable-llc2.conf install llc2 false

  - CVE-2017-6346     Dmitry Vyukov reported a race condition in the raw     packet (af_packet) fanout feature. Local users with the     CAP_NET_RAW capability (in any user namespace) can use     this for denial-of-service and possibly for privilege     escalation.

  - CVE-2017-6348     Dmitry Vyukov reported that the general queue     implementation in the IrDA subsystem does not properly     manage multiple locks, possibly allowing local users to     cause a denial-of-service (deadlock) via crafted     operations on IrDA devices.

ID	Name	Product	Family	Severity
125301	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)	Nessus	Huawei Local Security Checks	high
112113	Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3754-1)	Nessus	Ubuntu Local Security Checks	high
102774	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102773	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
100320	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)	Nessus	SuSE Local Security Checks	critical
100238	OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)	Nessus	OracleVM Local Security Checks	critical
100235	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)	Nessus	Oracle Linux Local Security Checks	critical
100150	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)	Nessus	SuSE Local Security Checks	critical
100023	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)	Nessus	SuSE Local Security Checks	high
99658	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3265-2)	Nessus	Ubuntu Local Security Checks	high
99657	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3265-1)	Nessus	Ubuntu Local Security Checks	high
99164	OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)	Nessus	OracleVM Local Security Checks	high
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	high
99161	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)	Nessus	Oracle Linux Local Security Checks	high
99160	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)	Nessus	Oracle Linux Local Security Checks	high
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	high
99157	openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)	Nessus	SuSE Local Security Checks	high
99156	openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)	Nessus	SuSE Local Security Checks	high
97640	Debian DLA-849-1 : linux security update	Nessus	Debian Local Security Checks	high
97615	Debian DSA-3804-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2017-6345

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

critical

critical

critical

critical

critical

critical

high

high

high

high

critical

high

high

high

high

high

high

high

high