http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.1

[oss-security] 20170228 Linux: ip: fix IP_CHECKSUM handling (CVE-2017-6347)

96487

https://bugzilla.redhat.com/show_bug.cgi?id=1427984

https://github.com/torvalds/linux/commit/ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5472i1/4%0

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. An out-of-bounds access vulnerability     is possible the in __remove_dirty_segment() in     fs/f2fs/segment.c function when mounting a crafted f2fs     image.(CVE-2018-14614i1/4%0

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963i1/4%0

  - The skbs processed by ip_cmsg_recv() are not guaranteed     to be linear (e.g. when sending UDP packets over     loopback with MSGMORE). Using csum_partial() on     potentially the whole skb len is dangerous instead be     on the safe side and use skb_checksum(). This may lead     to an infoleak as the kernel memory may be checksummed     and sent as part of the packet.(CVE-2017-6347i1/4%0

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in     the KVM subsystem in the Linux kernel through 3.12.5     allows guest OS users to cause a denial of service     (divide-by-zero error and host OS crash) via crafted     modifications of the TMICT value.(CVE-2013-6367i1/4%0

  - A use-after-free issue was found in the way the Linux     kernel's KVM hypervisor processed posted interrupts     when nested(=1) virtualization is enabled. In     nested_get_vmcs12_pages(), in case of an error while     processing posted interrupt address, it unmaps the     'pi_desc_page' without resetting 'pi_desc' descriptor     address, which is later used in pi_test_and_clear_on().
    A guest user/process could use this flaw to crash the     host kernel resulting in DoS or potentially gain     privileged access to a system.(CVE-2018-16882i1/4%0

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117i1/4%0

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573i1/4%0

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186i1/4%0

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610i1/4%0

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145i1/4%0

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446i1/4%0

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636i1/4%0

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940i1/4%0

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633i1/4%0

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495i1/4%0

  - drivers/media/platform/msm/broadcast/tsc.c in the TSC     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service (invalid pointer dereference) or     possibly have unspecified other impact via a crafted     application that makes a TSC_GET_CARD_STATUS ioctl     call.(CVE-2015-0573i1/4%0

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197i1/4%0

  - In net/socket.c in the Linux kernel through 4.17.1,     there is a race condition between fchownat and close in     cases where they target the same socket file     descriptor, related to the sock_close and     sockfs_setattr functions. fchownat does not increment     the file descriptor reference count, which allows close     to set the socket to NULL during fchownat's execution,     leading to a NULL pointer dereference and system     crash.(CVE-2018-12232i1/4%0

  - The ath9k_htc_set_bssid_mask function in     drivers/net/wireless/ath/ath9k/htc_drv_main.c in the     Linux kernel through 3.12 uses a BSSID masking approach     to determine the set of MAC addresses on which a Wi-Fi     device is listening, which allows remote attackers to     discover the original MAC address after spoofing by     sending a series of packets to MAC addresses with     certain bit manipulations.(CVE-2013-4579i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of [xcerces-c,linux] packages for PhotonOS has been released.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3609 advisory.

  - The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users     to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial     of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
    (CVE-2017-12134)

  - The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through     RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into     account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and     earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.
    (CVE-2017-1000365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for Matrox G200eH3

  - Support for tcp_westwood The following security bugs     were fixed :

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7374: Use-after-free vulnerability in     fs/crypto/ in the Linux kernel allowed local users to     cause a denial of service (NULL pointer dereference) or     possibly gain privileges by revoking keyring keys being     used for ext4, f2fs, or ubifs encryption, causing     cryptographic transform objects to be freed prematurely     (bnc#1032006).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel had incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulated the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3265-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream Control Transmission Protocol (SCTP) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug:
    25698171]

  - ksplice: add sysctls for determining Ksplice features.
    (Jamie Iles) 

  - signal: protect SIGNAL_UNKILLABLE from unintentional     clearing. (Jamie Iles) [Orabug: 25698171]

  - KVM: x86: fix emulation of 'MOV SS, null selector'     (Paolo Bonzini) [Orabug: 25719659] (CVE-2017-2583)     (CVE-2017-2583)

  - ext4: store checksum seed in superblock (Darrick J.
    Wong) [Orabug: 25719728] (CVE-2016-10208)

  - ext4: reserve code points for the project quota feature     (Theodore Ts'o) [Orabug: 25719728] (CVE-2016-10208)

  - ext4: validate s_first_meta_bg at mount time (Eryu Guan)     [Orabug: 25719728] (CVE-2016-10208)

  - ext4: clean up feature test macros with predicate     functions (Darrick J. Wong) [Orabug: 25719728]     (CVE-2016-10208)

  - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo     Ricardo Leitner) [Orabug: 25719793] (CVE-2017-5986)

  - tcp: avoid infinite loop in tcp_splice_read (Eric     Dumazet) [Orabug: 25720805] (CVE-2017-6214)

  - ip: fix IP_CHECKSUM handling (Paolo Abeni) [Orabug:
    25720839] (CVE-2017-6347)

  - udp: fix IP_CHECKSUM handling (Eric Dumazet) [Orabug:
    25720839] (CVE-2017-6347)

  - udp: do not expect udp headers in recv cmsg     IP_CMSG_CHECKSUM (Willem de Bruijn) [Orabug: 25720839]     (CVE-2017-6347)

  - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size     harder (Andy Whitcroft) [Orabug: 25814641]     (CVE-2017-7184)

  - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL     replay_window (Andy Whitcroft) [Orabug: 25814641]     (CVE-2017-7184)

  - block: fix use-after-free in seq file (Vegard Nossum)     [Orabug: 25877509] (CVE-2016-7910)

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3539 advisory.

  - Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before     4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even     if the corresponding start operation had failed. (CVE-2016-7910)

  - The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5     improperly emulates a MOV SS, NULL selector instruction, which allows guest OS users to cause a denial     of service (guest OS crash) or gain guest OS privileges via a crafted application. (CVE-2017-2583)

  - The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers     to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the     URG flag. (CVE-2017-6214)

  - The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has     incorrect expectations about skb data layout, which allows local users to cause a denial of service     (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by     use of the MSG_MORE flag in conjunction with loopback UDP transmission. (CVE-2017-6347)

  - The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not     validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root     privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-     image-* package 4.8.0.41.52. (CVE-2017-7184)

  - The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly     validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-     of-bounds read and system crash) via a crafted ext4 image. (CVE-2016-10208)

  - Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11     allows local users to cause a denial of service (assertion failure and panic) via a multithreaded     application that peels off an association in a certain buffer-full state. (CVE-2017-5986)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     manages lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-2583: The load_segment_descriptor     implementation in arch/x86/kvm/emulate.c in the Linux     kernel improperly emulates a 'MOV SS, NULL selector'     instruction, which allowed guest OS users to cause a     denial of service (guest OS crash) or gain guest OS     privileges via a crafted application (bnc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

The following non-security bugs were fixed :

  - Fix kABI breakage of musb struct in 4.1.39 (stable     4.1.39).

  - Revert 'ptrace: Capture the ptracer's creds not     PT_PTRACE_CAP' (stable 4.1.39).

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - ext4: validate s_first_meta_bg at mount time     (bsc#1023377).

  - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp     (bsc#1030118).

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs.

The following security bugs were fixed :

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application, as demonstrated by     trinity (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

The following non-security bugs were fixed :

  - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC     (bsc#1028819).

  - ACPI, ioapic: Clear on-stack resource before using it     (bsc#1028819).

  - ACPI: Remove platform devices from a bus on removal     (bsc#1028819).

  - add mainline tag to one hyperv patch

  - bnx2x: allow adding VLANs while interface is down     (bsc#1027273).

  - btrfs: backref: Fix soft lockup in __merge_refs function     (bsc#1017641).

  - btrfs: incremental send, do not delay rename when parent     inode is new (bsc#1028325).

  - btrfs: incremental send, do not issue invalid rmdir     operations (bsc#1028325).

  - btrfs: qgroup: Move half of the qgroup accounting time     out of commit trans (bsc#1017461).

  - btrfs: send, fix failure to rename top level inode due     to name collision (bsc#1028325).

  - btrfs: serialize subvolume mounts with potentially     mismatching rw flags (bsc#951844 bsc#1024015)

  - crypto: algif_hash - avoid zero-sized array     (bnc#1007962).

  - cxgb4vf: do not offload Rx checksums for IPv6 fragments     (bsc#1026692).

  - drivers: hv: vmbus: Prevent sending data on a rescinded     channel (fate#320485, bug#1028217).

  - drm/i915: Add intel_uncore_suspend / resume functions     (bsc#1011913).

  - drm/i915: Listen for PMIC bus access notifications     (bsc#1011913).

  - drm/mgag200: Added support for the new device G200eH3     (bsc#1007959, fate#322780)

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

  - futex: Add missing error handling to FUTEX_REQUEUE_PI     (bsc#969755).

  - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI     (bsc#969755).

  - i2c: designware-baytrail: Acquire P-Unit access on bus     acquire (bsc#1011913).

  - i2c: designware-baytrail: Call     pmic_bus_access_notifier_chain (bsc#1011913).

  - i2c: designware-baytrail: Fix race when resetting the     semaphore (bsc#1011913).

  - i2c: designware-baytrail: Only check     iosf_mbi_available() for shared hosts (bsc#1011913).

  - i2c: designware: Disable pm for PMIC i2c-bus even if     there is no _SEM method (bsc#1011913).

  - i2c-designware: increase timeout (bsc#1011913).

  - i2c: designware: Never suspend i2c-busses used for     accessing the system PMIC (bsc#1011913).

  - i2c: designware: Rename accessor_flags to flags     (bsc#1011913).

  - kABI: protect struct iscsi_conn (kabi).

  - kABI: protect struct se_node_acl (kabi).

  - kABI: restore can_rx_register parameters (kabi).

  - kgr/module: make a taint flag module-specific     (fate#313296).

  - kgr: remove all arch-specific kgraft header files     (fate#313296).

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip(,     6)_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - md/raid1: add rcu protection to rdev in fix_read_error     (References: bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: fix a use-after-free bug     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: handle flush request correctly     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: Refactor raid1_make_request     (bsc#998106,bsc#1020048,bsc#982783).

  - mm: fix set pageblock migratetype in deferred struct     page init (bnc#1027195).

  - mm/page_alloc: Remove useless parameter of
    __free_pages_boot_core (bnc#1027195).

  - module: move add_taint_module() to a header file     (fate#313296).

  - net/ena: change condition for host attribute     configuration (bsc#1026509).

  - net/ena: change driver's default timeouts (bsc#1026509).

  - net: ena: change the return type of ena_set_push_mode()     to be void (bsc#1026509).

  - net: ena: Fix error return code in ena_device_init()     (bsc#1026509).

  - net/ena: fix ethtool RSS flow configuration     (bsc#1026509).

  - net/ena: fix NULL dereference when removing the driver     after device reset failed (bsc#1026509).

  - net/ena: fix potential access to freed memory during     device reset (bsc#1026509).

  - net/ena: fix queues number calculation (bsc#1026509).

  - net/ena: fix RSS default hash configuration     (bsc#1026509).

  - net/ena: reduce the severity of ena printouts     (bsc#1026509).

  - net/ena: refactor ena_get_stats64 to be atomic context     safe (bsc#1026509).

  - net/ena: remove ntuple filter support from device     feature list (bsc#1026509).

  - net: ena: remove superfluous check in ena_remove()     (bsc#1026509).

  - net: ena: Remove unnecessary pci_set_drvdata()     (bsc#1026509).

  - net/ena: update driver version to 1.1.2 (bsc#1026509).

  - net/ena: use READ_ONCE to access completion descriptors     (bsc#1026509).

  - net: ena: use setup_timer() and mod_timer()     (bsc#1026509).

  - net/mlx4_core: Avoid command timeouts during VF driver     device shutdown (bsc#1028017).

  - net/mlx4_core: Avoid delays during VF driver device     shutdown (bsc#1028017).

  - net/mlx4_core: Fix racy CQ (Completion Queue) free     (bsc#1028017).

  - net/mlx4_core: Fix when to save some qp context flags     for dynamic VST to VGT transitions (bsc#1028017).

  - net/mlx4_core: Use cq quota in SRIOV when creating     completion EQs (bsc#1028017).

  - net/mlx4_en: Fix bad WQE issue (bsc#1028017).

  - NFS: do not try to cross a mountpount when there isn't     one there (bsc#1028041).

  - nvme: Do not suspend admin queue that wasn't created     (bsc#1026505).

  - nvme: Suspend all queues before deletion (bsc#1026505).

  - PCI: hv: Fix wslot_to_devfn() to fix warnings on device     removal (fate#320485, bug#1028217).

  - PCI: hv: Use device serial number as PCI domain     (fate#320485, bug#1028217).

  - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

  - RAID1: a new I/O barrier implementation to remove resync     window (bsc#998106,bsc#1020048,bsc#982783).

  - RAID1: avoid unnecessary spin locks in I/O barrier code     (bsc#998106,bsc#1020048,bsc#982783).

  - Revert 'give up on gcc ilog2() constant optimizations'     (kabi).

  - Revert 'net: introduce device min_header_len' (kabi).

  - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown     flow' (bsc#1028017).

  - Revert 'nfit, libnvdimm: fix interleave set cookie     calculation' (kabi).

  - Revert 'RDMA/core: Fix incorrect structure packing for     booleans' (kabi).

  - Revert 'target: Fix NULL dereference during LUN lookup +     active I/O shutdown' (kabi).

  - rtlwifi: rtl_usb: Fix missing entry in USB driver's     private data (bsc#1026462).

  - s390/kmsg: add missing kmsg descriptions (bnc#1025683,     LTC#151573).

  - s390/mm: fix zone calculation in arch_add_memory()     (bnc#1025683, LTC#152318).

  - sched/loadavg: Avoid loadavg spikes caused by delayed     NO_HZ accounting (bsc#1018419).

  - scsi_dh_alua: Do not modify the interval value for     retries (bsc#1012910).

  - scsi: do not print 'reservation conflict' for TEST UNIT     READY (bsc#1027054).

  - softirq: Let ksoftirqd do its job (bsc#1019618).

  - supported.conf: Add tcp_westwood as supported module     (fate#322432)

  - taint/module: Clean up global and module taint flags     handling (fate#313296).

  - Update mainline reference in     patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as     t_fb_create.patch See (bsc#1028158) for the context in     which this was discovered upstream.

  - x86/apic/uv: Silence a shift wrapping warning     (bsc#1023866).

  - x86/mce: Do not print MCEs when mcelog is active     (bsc#1013994).

  - x86, mm: fix gup_pte_range() vs DAX mappings     (bsc#1026405).

  - x86/mm/gup: Simplify get_user_pages() PTE bit handling     (bsc#1026405).

  - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit     access (bsc#1011913).

  - x86/platform/intel/iosf_mbi: Add a PMIC bus access     notifier (bsc#1011913).

  - x86/platform: Remove warning message for duplicate NMI     handlers (bsc#1029220).

  - x86/platform/UV: Add basic CPU NMI health check     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless NMIs     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless systems     (bsc#1023866).

  - x86/platform/UV: Clean up the NMI code to match current     coding style (bsc#1023866).

  - x86/platform/UV: Clean up the UV APIC code     (bsc#1023866).

  - x86/platform/UV: Ensure uv_system_init is called when     necessary (bsc#1023866).

  - x86/platform/UV: Fix 2 socket config problem     (bsc#1023866).

  - x86/platform/UV: Fix panic with missing UVsystab support     (bsc#1023866).

  - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be     NMI source (bsc#1023866).

  - x86/platform/UV: Verify NMI action is valid, default is     standard (bsc#1023866).

  - xen-blkfront: correct maximum segment accounting     (bsc#1018263).

  - xen-blkfront: do not call talk_to_blkback when already     connected to blkback.

  - xen/blkfront: Fix crash if backend does not follow the     right states.

  - xen-blkfront: free resources if xlvbd_alloc_gendisk     fails.

  - xen/netback: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xen/netfront: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xfs: do not take the IOLOCK exclusive for direct I/O     page invalidation (bsc#1015609).

The skbs processed by ip_cmsg_recv() are not guaranteed to be linear (e.g. when sending UDP packets over loopback with MSGMORE). Using csum_partial() on potentially the whole skb len is dangerous; instead be on the safe side and use skb_checksum(). This may lead to an infoleak as the kernel memory may be checksummed and sent as part of the packet. (CVE-2017-6347)

It was discovered that xfrm_replay_verify_len(), as called by xfrm_new_ae(), did not verify that the user-specified replay_window was within the replay state buffer. This allowed for out-of-bounds reads and writes of kernel memory.(CVE-2017-7184)

The 4.9.13 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.9.13 update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124810	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)	Nessus	Huawei Local Security Checks	high
111857	Photon OS 1.0: Linux PHSA-2017-0008 (deprecated)	Nessus	PhotonOS Local Security Checks	critical
102774	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102773	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609)	Nessus	Oracle Linux Local Security Checks	critical
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
100023	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)	Nessus	SuSE Local Security Checks	high
99658	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3265-2)	Nessus	Ubuntu Local Security Checks	critical
99657	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3265-1)	Nessus	Ubuntu Local Security Checks	critical
99392	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0062)	Nessus	OracleVM Local Security Checks	high
99389	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3539)	Nessus	Oracle Linux Local Security Checks	high
99157	openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)	Nessus	SuSE Local Security Checks	high
99156	openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)	Nessus	SuSE Local Security Checks	high
99038	Amazon Linux AMI : kernel (ALAS-2017-811)	Nessus	Amazon Linux Local Security Checks	high
97505	Fedora 25 : kernel (2017-d875ae8299)	Nessus	Fedora Local Security Checks	high
97503	Fedora 24 : kernel (2017-ad67543fc5)	Nessus	Fedora Local Security Checks	high

CVE-2017-6347

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

critical

critical

critical

high

critical

critical

high

high

high

high

high

high

high