http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfcb9f4f99f1e9a49e43398a7bfbf56927544af1

DSA-3804

[oss-security] 20170227 Linux: CVE-2017-6353: sctp: deny peeloff operation on asocs with threads sleeping on it

96473

https://github.com/torvalds/linux/commit/dfcb9f4f99f1e9a49e43398a7bfbf56927544af1

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823)

  - drivers/hid/hid-steelseries.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_STEELSERIES is enabled, allows     physically proximate attackers to cause a denial of     service (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2891)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575)

  - Integer overflow in the vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel before 4.9.7 allows local     users to cause a denial of service or possibly have     unspecified other impact via a crafted size value in a     VC4_SUBMIT_CL ioctl call.(CVE-2017-5576)

  - The KVM subsystem in the Linux kernel through 3.12.5     allows local users to gain privileges or cause a denial     of service (system crash) via a VAPIC synchronization     operation involving a page-end address.(CVE-2013-6368)

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux     kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call     to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error     function.(CVE-2014-2523)

  - Race condition vulnerability was found in     drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver     in the Linux kernel before 4.6.1. MIC VOP driver does     two successive reads from user space to read a variable     length data structure. Local user can obtain sensitive     information from kernel memory or can cause DoS by     corrupting kernel memory if the data structure changes     between the two reads.(CVE-2016-5728)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid pointer dereference in     io_ctl_map_page() when mounting and operating a crafted     btrfs image is due to a lack of block group item     validation in check_leaf_item() in     fs/btrfs/tree-checker.c function. This could lead to a     system crash and a denial of service.(CVE-2018-14613)

  - A flaw was found in the way the Linux kernel handled GS     segment register base switching when recovering from a     #SS (stack segment) fault on an erroneous return to     user space. A local, unprivileged user could use this     flaw to escalate their privileges on the     system.(CVE-2014-9322)

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A memory leak in the kernel_read_file function in     fs/exec.c in the Linux kernel through 4.20.11 allows     attackers to cause a denial of service (memory     consumption) by triggering vfs_read     failures.(CVE-2019-8980)

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700)

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153)

  - The atyfb_ioctl function in     drivers/video/fbdev/aty/atyfb_base.c in the Linux     kernel through 4.12.10 does not initialize a certain     data structure, which allows local users to obtain     sensitive information from kernel stack memory by     reading locations associated with padding     bytes.(CVE-2017-14156)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787)

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944)

  - Race condition in the ioctl_file_dedupe_range function     in fs/ioctl.c in the Linux kernel through 4.7 allows     local users to cause a denial of service (heap-based     buffer overflow) or possibly gain privileges by     changing a certain count value, aka a 'double fetch'     vulnerability.(CVE-2016-6516)

  - It was found that the timer functionality in the Linux     kernel ALSA subsystem is prone to a race condition     between read and ioctl system call handlers, resulting     in an uninitialized memory disclosure to user space. A     local user could use this flaw to read information     belonging to other users.(CVE-2017-1000380)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The perf_cpu_time_max_percent_handler function in     kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service     (integer overflow) or possibly have unspecified other     impact via a large value, as demonstrated by an     incorrect sample-rate calculation.(CVE-2017-18255)

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270)

  - The timer_create syscall implementation in     kernel/time/posix-timers.c in the Linux kernel doesn't     properly validate the sigevent->sigev_notify field,     which leads to out-of-bounds access in the show_timer     function.(CVE-2017-18344)

  - arch/x86/kvm/emulate.c in the Linux kernel through     4.9.3 allows local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt.(CVE-2017-2584)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to host memory leakage     issue. It could occur while emulating VMXON instruction     in 'handle_vmon'. An L1 guest user could use this flaw     to leak host memory potentially resulting in     DoS.(CVE-2017-2596)

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type->match is     NULL. A local user could use this flaw to crash the     system or, potentially, escalate their     privileges.(CVE-2017-2647)

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671)

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way; this     allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - The do_shmat function in ipc/shm.c in the Linux kernel,     through 4.9.12, does not restrict the address     calculated by a certain rounding operation. This allows     privileged local users to map page zero and,     consequently, bypass a protection mechanism that exists     for the mmap system call. This is possible by making     crafted shmget and shmat system calls in a privileged     context.(CVE-2017-5669)

  - A vulnerability was found in the Linux kernel where     having malicious IP options present would cause the     ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible     privilege escalation.(CVE-2017-5970)

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986)

  - It was found that the original fix for CVE-2016-6786     was incomplete. There exist a race between two     concurrent sys_perf_event_open() calls when both try     and move the same pre-existing software group into a     hardware context.(CVE-2017-6001)

  - A use-after-free flaw was found in the way the Linux     kernel's Datagram Congestion Control Protocol (DCCP)     implementation freed SKB (socket buffer) resources for     a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO     option is set on the socket. A local, unprivileged user     could use this flaw to alter the kernel memory,     allowing them to escalate their privileges on the     system.(CVE-2017-6074)

  - A flaw was found in the Linux kernel's handling of     packets with the URG flag. Applications using the     splice() and tcp_splice_read() functionality could     allow a remote attacker to force the kernel to enter a     condition in which it could loop     indefinitely.(CVE-2017-6214)

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348)

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353)

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel allows local users to cause a denial of service     (stack-based buffer overflow) or possibly have     unspecified other impacts via a large command size in     an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds     write access in the sg_write function.(CVE-2017-7187)

  - In was found that in the Linux kernel, in     vmw_surface_define_ioctl() function in     'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a     'num_sizes' parameter is assigned a user-controlled     value which is not checked if it is zero. This is used     in a call to kmalloc() and later leads to dereferencing     ZERO_SIZE_PTR, which in turn leads to a GPF and     possibly to a kernel panic.(CVE-2017-7261)

  - An out-of-bounds write vulnerability was found in the     Linux kernel's vmw_surface_define_ioctl() function, in     the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-7294)

  - It was found that the packet_set_ring() function of the     Linux kernel's networking implementation did not     properly validate certain block-size data. A local     attacker with CAP_NET_RAW capability could use this     flaw to trigger a buffer overflow, resulting in the     crash of the system. Due to the nature of the flaw,     privilege escalation cannot be fully ruled     out.(CVE-2017-7308)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212)

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c (bsc#1030593).

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914)

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bsc#1024938)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235)

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type (bsc#1029850).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability (bsc#1030573)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-7482: Several missing length checks ticket     decode allowing for information leak or potentially code     execution (bsc#1046107).

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bsc#1038879).

  - CVE-2017-7533: Race condition in the fsnotify     implementation in the Linux kernel allowed local users     to gain privileges or cause a denial of service (memory     corruption) via a crafted application that leverages     simultaneous execution of the inotify_handle_event and     vfs_rename functions (bnc#1049483 1050677 ).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bsc#1033336)

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability. This requires a malicious PCI Card.
    (bnc#1037994).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bsc#1038544).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1037182).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1038981).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bsc#1039883).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bsc#1040069).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel was too late     in checking whether an overwrite of an skb data     structure may occur, which allowed local users to cause     a denial of service (system crash) via crafted system     calls (bnc#1041431).

  - CVE-2017-10661: Race condition in fs/timerfd.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (list corruption or     use-after-free) via simultaneous file-descriptor     operations that leverage improper might_cancel queueing     (bnc#1053152).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bnc#1048275).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A     user-controlled buffer is copied into a local buffer of     constant size using strcpy without a length check which     can cause a buffer overflow. (bnc#1053148).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-1000112: Fixed a race condition in net-packet     code that could have been exploited by unprivileged     users to gain root access. (bsc#1052311).

  - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds     Write. Due to a missing bounds check, and the fact that     parport_ptr integer is static, a 'secure boot' kernel     command line adversary could have overflowed the     parport_nr array in the following code (bnc#1039456).

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     was vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux host is missing a security update for the kernel package(s).

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - Race condition in the sctp_wait_for_sndbuf function in     net/sctp/socket.c in the Linux kernel before 4.9.11     allows local users to cause a denial of service     (assertion failure and panic) via a multithreaded     application that peels off an association in a certain     buffer-full state.(CVE-2017-5986)

  - net/sctp/socket.c in the Linux kernel through 4.10.1     does not properly restrict association peel-off     operations during certain wait states, which allows     local users to cause a denial of service (invalid     unlock and double free) via a multithreaded     application. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2017-5986.(CVE-2017-6353)

  - The ipxitf_ioctl function in net/ipx/af_ipx.c in the     Linux kernel through 4.11.1 mishandles reference     counts, which allows local users to cause a denial of     service (use-after-free) or possibly have unspecified     other impact via a failed SIOCGIFADDR ioctl call for an     IPX interface.(CVE-2017-7487)

  - fs/ext4/inode.c in the Linux kernel before 4.6.2, when     ext4 data=ordered mode is used, mishandles a     needs-flushing-before-commit list, which allows local     users to obtain sensitive information from other users'     files in opportunistic circumstances by waiting for a     hardware reset, creating a new file, making write     system calls, and reading this file.(CVE-2017-7495)

  - The NFSv2/NFSv3 server in the nfsd subsystem in the     Linux kernel through 4.10.11 allows remote attackers to     cause a denial of service (system crash) via a long RPC     reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c,     and fs/nfsd/nfsxdr.c.(CVE-2017-7645)

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     through 4.10.15 allows attackers to cause a denial of     service (double free) or possibly have unspecified     other impact by leveraging use of the accept system     call.(CVE-2017-8890)

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel before     4.10.4 allows local users to obtain sensitive     information (in the dmesg ringbuffer and syslog) from     uninitialized kernel memory by using a crafted USB     device (posing as an io_ti USB serial device) to     trigger an integer underflow.(CVE-2017-8924)

  - The IPv6 fragmentation implementation in the Linux     kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option,     which allows local users to cause a denial of service     (out-of-bounds read and BUG) or possibly have     unspecified other impact via crafted socket and send     system calls.(CVE-2017-9074)

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.(CVE-2017-9075)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.(CVE-2017-9077)

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242)

  - The ext4_fill_super function in fs/ext4/super.c in the     Linux kernel through 4.9.8 does not properly validate     meta block groups, which allows physically proximate     attackers to cause a denial of service (out-of-bounds     read and system crash) via a crafted ext4     image.(CVE-2016-10208)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

- [3.10.0-514.21.1.0.1.el7.OL7]
- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF='https://oss.oracle.com/mailman/listinfo/el-errata'>alexey.petrenko at oracle.com</A>)
- Update x509.genkey [bug 24817676]

[3.10.0-514.21.1.el7]
- [kernel] sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (Gustavo Duarte) [1441547 1423400]
- [drivers] Set dev->device_rh to NULL after free (Prarit Bhargava) [1441544 1414064]
- [security] keys: request_key() should reget expired keys rather than give EKEYEXPIRED (David Howells) [1441287 1408330]
- [security] keys: Simplify KEYRING_SEARCH_{NO, DO}_STATE_CHECK flags (David Howells) [1441287 1408330]
- [net] packet: fix overflow in check for tp_reserve (Hangbin Liu) [1441171 1441172] {CVE-2017-7308}
- [net] packet: fix overflow in check for tp_frame_nr (Hangbin Liu) [1441171 1441172] {CVE-2017-7308}
- [net] packet: fix overflow in check for priv area size (Hangbin Liu) [1441171 1441172] {CVE-2017-7308}
- [powerpc] pseries: Use H_CLEAR_HPT to clear MMU hash table during kexec (Steve Best) [1439812 1423396]
- [netdrv] fjes: Fix wrong netdevice feature flags (Yasuaki Ishimatsu) [1439802 1435603]
- [kernel] mlx5e: Implement Fragmented Work Queue (WQ) (Don Dutile) [1439164 1368400]
- [netdrv] mlx5e: Copy all L2 headers into inline segment (Don Dutile) [1439161 1383013]
- [nvdimm] fix PHYS_PFN/PFN_PHYS mixup (Jeff Moyer) [1439160 1428115]
- [s390] scsi: zfcp: fix rport unblock race with LUN recovery (Hendrik Brueckner) [1433413 1421750]
- [fs] gfs2: Avoid alignment hole in struct lm_lockname (Robert S Peterson) [1432554 1425450]
- [fs] gfs2: Add missing rcu locking for glock lookup (Robert S Peterson) [1432554 1425450]
- [fs] ext4: fix fencepost in s_first_meta_bg validation (Lukas Czerner) [1430969 1332503] {CVE-2016-10208}
- [fs] ext4: sanity check the block and cluster size at mount time (Lukas Czerner) [1430969 1332503] {CVE-2016-10208}
- [fs] ext4: validate s_first_meta_bg at mount time (Lukas Czerner) [1430969 1332503] {CVE-2016-10208}
- [net] sctp: deny peeloff operation on asocs with threads sleeping on it (Hangbin Liu) [1429496 1429497] {CVE-2017-5986 CVE-2017-6353}
- [net] sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Hangbin Liu) [1429496 1429497] {CVE-2017-5986 CVE-2017-6353}
- [x86] perf/x86/intel/rapl: Make package handling more robust (Jiri Olsa) [1443902 1418688]
- [x86] perf/x86/intel/rapl: Convert to hotplug state machine (Jiri Olsa) [1443902 1418688]
- [x86] perf/x86: Set pmu->module in Intel PMU modules (Jiri Olsa) [1443902 1418688]
- [kernel] sched/core, x86/topology: Fix NUMA in package topology bug (Jiri Olsa) [1441645 1369832]
- [kernel] sched: Allow hotplug notifiers to be setup early (Jiri Olsa) [1441645 1369832]
- [x86] x86/smpboot: Make logical package management more robust (Prarit Bhargava) [1441643 1414054]
- [x86] x86/cpu: Deal with broken firmware (VMWare/XEN) (Prarit Bhargava) [1441643 1414054]
- [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738]
- [x86] revert 'perf/uncore: Disable uncore on kdump kernel' (Prarit Bhargava) [1426633 1373738]
- [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738]
- [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738]
- [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738]
- [block] fix use-after-free in seq file (Denys Vlasenko) [1418550 1418551] {CVE-2016-7910}
- [crypto] algif_hash - Only export and import on sockets with data (Herbert Xu) [1394101 1387632] {CVE-2016-8646}
- [char] hwrng: core - sleep interruptible in read (Amit Shah) [1443503 1376397]
- [char] hwrng: core - correct error check of kthread_run call (Amit Shah) [1443503 1376397]
- [char] hwrng: core - Move hwrng_init call into set_current_rng (Amit Shah) [1443503 1376397]
- [char] hwrng: core - Drop current rng in set_current_rng (Amit Shah) [1443503 1376397]
- [char] hwrng: core - Do not register device opportunistically (Amit Shah) [1443503 1376397]
- [char] hwrng: core - Fix current_rng init/cleanup race yet again (Amit Shah) [1443503 1376397]
- [char] hwrng: core - Use struct completion for cleanup_done (Amit Shah) [1443503 1376397]
- [char] hwrng: don't init list element we're about to add to list (Amit Shah) [1443503 1376397]
- [char] hwrng: don't double-check old_rng (Amit Shah) [1443503 1376397]
- [char] hwrng: fix unregister race (Amit Shah) [1443503 1376397]
- [char] hwrng: use reference counts on each struct hwrng (Amit Shah) [1443503 1376397]
- [char] hwrng: move some code out mutex_lock for avoiding underlying deadlock (Amit Shah) [1443503 1376397]
- [char] hwrng: place mutex around read functions and buffers (Amit Shah) [1443503 1376397]
- [char] virtio-rng: skip reading when we start to remove the device (Amit Shah) [1443503 1376397]
- [char] virtio-rng: fix stuck of hot-unplugging busy device (Amit Shah) [1443503 1376397]
- [infiniband] ib/mlx5: Resolve soft lock on massive reg MRs (Don Dutile) [1444347 1417285]

[3.10.0-514.20.1.el7]
- [powerpc] fadump: Fix the race in crash_fadump() (Steve Best) [1439810 1420077]
- [kernel] locking/mutex: Explicitly mark task as running after wakeup (Gustavo Duarte) [1439803 1423397]
- [netdrv] ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths (Ken Cox) [1438421 1383524]
- [fs] nfsv4.0: always send mode in SETATTR after EXCLUSIVE4 (Benjamin Coddington) [1437967 1415780]
- [net] fix creation adjacent device symlinks (Adrian Reber) [1436646 1412898]
- [net] prevent of emerging cross-namespace symlinks (Adrian Reber) [1436646 1412898]
- [netdrv] macvlan: unregister net device when netdev_upper_dev_link() fails (Adrian Reber) [1436646 1412898]
- [scsi] vmw_pvscsi: return SUCCESS for successful command aborts (Ewan Milne) [1435764 1394172]
- [infiniband] ib/uverbs: Fix race between uverbs_close and remove_one (Don Dutile) [1435187 1417284]
- [fs] gfs2: Prevent BUG from occurring when normal Withdraws occur (Robert S Peterson) [1433882 1404005]
- [fs] jbd2: fix incorrect unlock on j_list_lock (Lukas Czerner) [1433881 1403346]
- [fs] xfs: don't wrap ID in xfs_dq_get_next_id (Eric Sandeen) [1433415 1418182]
- [net] tcp/dccp: avoid starving bh on connect (Paolo Abeni) [1433320 1401419]
- [fs] xfs: fix up xfs_swap_extent_forks inline extent handling (Eric Sandeen) [1432154 1412945]
- [x86] kvm: vmx: handle PML full VMEXIT that occurs during event delivery (Radim Krcmar) [1431666 1421296]
- [virt] kvm: vmx: ensure VMCS is current while enabling PML (Radim Krcmar) [1431666 1421296]
- [net] ip_tunnel: Create percpu gro_cell (Jiri Benc) [1431197 1424076]
- [x86] kvm: x86: do not save guest-unsupported XSAVE state (Radim Krcmar) [1431150 1401767]
- [scsi] mpt3sas: Force request partial completion alignment (Tomas Henzl) [1430809 1418286]

[3.10.0-514.19.1.el7]
- [fs] gfs2: Wake up io waiters whenever a flush is done (Robert S Peterson) [1437126 1404301]
- [fs] gfs2: Made logd daemon take into account log demand (Robert S Peterson) [1437126 1404301]
- [fs] gfs2: Limit number of transaction blocks requested for truncates (Robert S Peterson) [1437126 1404301]
- [net] ipv6: addrconf: fix dev refcont leak when DAD failed (Hangbin Liu) [1436588 1416105]

[3.10.0-514.18.1.el7]
- [net] ipv6: don't increase size when refragmenting forwarded ipv6 skbs (Florian Westphal) [1434589 1430571]
- [net] bridge: drop netfilter fake rtable unconditionally (Florian Westphal) [1434589 1430571]
- [net] ipv6: avoid write to a possibly cloned skb (Florian Westphal) [1434589 1430571]
- [net] netfilter: bridge: honor frag_max_size when refragmenting (Florian Westphal) [1434589 1430571]
- [net] bridge: Add br_netif_receive_skb remove netif_receive_skb_sk (Ivan Vecera) [1434589 1352289]

[3.10.0-514.17.1.el7]
- [netdrv] i40e: Be much more verbose about what we can and cannot offload (Stefan Assmann) [1433273 1383521]
- [kernel] watchdog: prevent false hardlockup on overloaded system (Don Zickus) [1433267 1399881]
- [net] dccp/tcp: fix routing redirect race (Eric Garver) [1433265 1387485]

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for the tcp_westwood TCP scheduling algorithm     The following security bugs were fixed :

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bsc#1035877).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type. (bsc#1029850).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c. (bsc#1030593)

  - CVE-2016-9604: This fixes handling of keyrings starting     with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could     have allowed local users to manipulate privileged     keyrings (bsc#1035576)

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap     operation. (bnc#1033336).

  - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd     subsystem in the Linux kernel allowed remote attackers     to cause a denial of service (system crash) via a long     RPC reply, related to net/sunrpc/svc.c,     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanaged the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bsc#1015703).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bsc#1023762).

  - CVE-2017-5986: A race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacts with mm/migrate.c,     which allowed local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by triggering a certain     page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190)

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697)

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bsc#914939).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bsc#1003077).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Notable new features :

  - Toleration of newer crypto hardware for z Systems

  - USB 2.0 Link power management for Haswell-ULT The     following security bugs were fixed :

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability (bsc#1030573).

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bsc#1024938).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bsc#1033336).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178)

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914)

  - CVE-2015-3288: mm/memory.c in the Linux kernel     mishandled anonymous pages, which allowed local users to     gain privileges or cause a denial of service (page     tainting) via a crafted application that triggers     writing to page zero (bsc#979021).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application (bnc#1027066)

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235)

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket an accept system call is     processed, which allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted application that does not supply a key,     related to the lrw_crypt function in crypto/lrw.c     (bsc#1008374).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enabled scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacted with     mm/migrate.c, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact by     triggering a certain page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanages the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bnc#1015703).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel is too late in     obtaining a certain lock and consequently cannot ensure     that disconnect function calls are safe, which allowed     local users to cause a denial of service (panic) by     leveraging access to the protocol value of IPPROTO_ICMP     in a socket system call (bnc#1031003).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bnc#1023762).

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bnc#1024938).

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bnc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bnc#1033336).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for Matrox G200eH3

  - Support for tcp_westwood The following security bugs     were fixed :

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7374: Use-after-free vulnerability in     fs/crypto/ in the Linux kernel allowed local users to     cause a denial of service (NULL pointer dereference) or     possibly gain privileges by revoking keyring keys being     used for ext4, f2fs, or ubifs encryption, causing     cryptographic transform objects to be freed prematurely     (bnc#1032006).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel had incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulated the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - It was found that keyctl_set_reqkey_keyring() function     leaked thread keyring which could allow an unprivileged     local user to exhaust kernel memory.

  - net/sctp/socket.c in the Linux kernel through 4.10.1     did not properly restrict association peel-off     operations during certain wait states, which allowed     local users to cause a denial of service (invalid     unlock and double free) via a multithreaded     application.

  - Race condition in the sctp_wait_for_sndbuf function in     net/sctp/socket.c in the Linux kernel before 4.9.11     could allow local users to cause a denial of service     (assertion failure and panic) via a multithreaded     application that peeled off an association in a certain     buffer-full state.

  - Andrey Konovalov discovered that signed integer     overflows existed in the setsockopt() system call when     handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options.
    A local attacker with the CAP_NET_ADMIN capability     could use this to cause a denial of service (system     crash or memory corruption).

  - A vulnerability was discovered in the handling of pid     namespaces in the kernel. A privileged user inside a     container could trigger a kernel crash (NULL pointer     dereference in proc_flush_task()) using a sequence of     system calls including wait4().

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986) :

It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).

Reachable BUG_ON from userspace in sctp_wait_for_sndbuf :

It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986)

Shmat allows mmap null page protection bypass :

The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context. (CVE-2017-5669)

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     manages lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-2583: The load_segment_descriptor     implementation in arch/x86/kvm/emulate.c in the Linux     kernel improperly emulates a 'MOV SS, NULL selector'     instruction, which allowed guest OS users to cause a     denial of service (guest OS crash) or gain guest OS     privileges via a crafted application (bnc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

The following non-security bugs were fixed :

  - Fix kABI breakage of musb struct in 4.1.39 (stable     4.1.39).

  - Revert 'ptrace: Capture the ptracer's creds not     PT_PTRACE_CAP' (stable 4.1.39).

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - ext4: validate s_first_meta_bg at mount time     (bsc#1023377).

  - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip{,     6}_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp     (bsc#1030118).

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs.

The following security bugs were fixed :

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application, as demonstrated by     trinity (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

The following non-security bugs were fixed :

  - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC     (bsc#1028819).

  - ACPI, ioapic: Clear on-stack resource before using it     (bsc#1028819).

  - ACPI: Remove platform devices from a bus on removal     (bsc#1028819).

  - add mainline tag to one hyperv patch

  - bnx2x: allow adding VLANs while interface is down     (bsc#1027273).

  - btrfs: backref: Fix soft lockup in __merge_refs function     (bsc#1017641).

  - btrfs: incremental send, do not delay rename when parent     inode is new (bsc#1028325).

  - btrfs: incremental send, do not issue invalid rmdir     operations (bsc#1028325).

  - btrfs: qgroup: Move half of the qgroup accounting time     out of commit trans (bsc#1017461).

  - btrfs: send, fix failure to rename top level inode due     to name collision (bsc#1028325).

  - btrfs: serialize subvolume mounts with potentially     mismatching rw flags (bsc#951844 bsc#1024015)

  - crypto: algif_hash - avoid zero-sized array     (bnc#1007962).

  - cxgb4vf: do not offload Rx checksums for IPv6 fragments     (bsc#1026692).

  - drivers: hv: vmbus: Prevent sending data on a rescinded     channel (fate#320485, bug#1028217).

  - drm/i915: Add intel_uncore_suspend / resume functions     (bsc#1011913).

  - drm/i915: Listen for PMIC bus access notifications     (bsc#1011913).

  - drm/mgag200: Added support for the new device G200eH3     (bsc#1007959, fate#322780)

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

  - futex: Add missing error handling to FUTEX_REQUEUE_PI     (bsc#969755).

  - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI     (bsc#969755).

  - i2c: designware-baytrail: Acquire P-Unit access on bus     acquire (bsc#1011913).

  - i2c: designware-baytrail: Call     pmic_bus_access_notifier_chain (bsc#1011913).

  - i2c: designware-baytrail: Fix race when resetting the     semaphore (bsc#1011913).

  - i2c: designware-baytrail: Only check     iosf_mbi_available() for shared hosts (bsc#1011913).

  - i2c: designware: Disable pm for PMIC i2c-bus even if     there is no _SEM method (bsc#1011913).

  - i2c-designware: increase timeout (bsc#1011913).

  - i2c: designware: Never suspend i2c-busses used for     accessing the system PMIC (bsc#1011913).

  - i2c: designware: Rename accessor_flags to flags     (bsc#1011913).

  - kABI: protect struct iscsi_conn (kabi).

  - kABI: protect struct se_node_acl (kabi).

  - kABI: restore can_rx_register parameters (kabi).

  - kgr/module: make a taint flag module-specific     (fate#313296).

  - kgr: remove all arch-specific kgraft header files     (fate#313296).

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip{,     6}_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - md/raid1: add rcu protection to rdev in fix_read_error     (References: bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: fix a use-after-free bug     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: handle flush request correctly     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: Refactor raid1_make_request     (bsc#998106,bsc#1020048,bsc#982783).

  - mm: fix set pageblock migratetype in deferred struct     page init (bnc#1027195).

  - mm/page_alloc: Remove useless parameter of
    __free_pages_boot_core (bnc#1027195).

  - module: move add_taint_module() to a header file     (fate#313296).

  - net/ena: change condition for host attribute     configuration (bsc#1026509).

  - net/ena: change driver's default timeouts (bsc#1026509).

  - net: ena: change the return type of ena_set_push_mode()     to be void (bsc#1026509).

  - net: ena: Fix error return code in ena_device_init()     (bsc#1026509).

  - net/ena: fix ethtool RSS flow configuration     (bsc#1026509).

  - net/ena: fix NULL dereference when removing the driver     after device reset failed (bsc#1026509).

  - net/ena: fix potential access to freed memory during     device reset (bsc#1026509).

  - net/ena: fix queues number calculation (bsc#1026509).

  - net/ena: fix RSS default hash configuration     (bsc#1026509).

  - net/ena: reduce the severity of ena printouts     (bsc#1026509).

  - net/ena: refactor ena_get_stats64 to be atomic context     safe (bsc#1026509).

  - net/ena: remove ntuple filter support from device     feature list (bsc#1026509).

  - net: ena: remove superfluous check in ena_remove()     (bsc#1026509).

  - net: ena: Remove unnecessary pci_set_drvdata()     (bsc#1026509).

  - net/ena: update driver version to 1.1.2 (bsc#1026509).

  - net/ena: use READ_ONCE to access completion descriptors     (bsc#1026509).

  - net: ena: use setup_timer() and mod_timer()     (bsc#1026509).

  - net/mlx4_core: Avoid command timeouts during VF driver     device shutdown (bsc#1028017).

  - net/mlx4_core: Avoid delays during VF driver device     shutdown (bsc#1028017).

  - net/mlx4_core: Fix racy CQ (Completion Queue) free     (bsc#1028017).

  - net/mlx4_core: Fix when to save some qp context flags     for dynamic VST to VGT transitions (bsc#1028017).

  - net/mlx4_core: Use cq quota in SRIOV when creating     completion EQs (bsc#1028017).

  - net/mlx4_en: Fix bad WQE issue (bsc#1028017).

  - NFS: do not try to cross a mountpount when there isn't     one there (bsc#1028041).

  - nvme: Do not suspend admin queue that wasn't created     (bsc#1026505).

  - nvme: Suspend all queues before deletion (bsc#1026505).

  - PCI: hv: Fix wslot_to_devfn() to fix warnings on device     removal (fate#320485, bug#1028217).

  - PCI: hv: Use device serial number as PCI domain     (fate#320485, bug#1028217).

  - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

  - RAID1: a new I/O barrier implementation to remove resync     window (bsc#998106,bsc#1020048,bsc#982783).

  - RAID1: avoid unnecessary spin locks in I/O barrier code     (bsc#998106,bsc#1020048,bsc#982783).

  - Revert 'give up on gcc ilog2() constant optimizations'     (kabi).

  - Revert 'net: introduce device min_header_len' (kabi).

  - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown     flow' (bsc#1028017).

  - Revert 'nfit, libnvdimm: fix interleave set cookie     calculation' (kabi).

  - Revert 'RDMA/core: Fix incorrect structure packing for     booleans' (kabi).

  - Revert 'target: Fix NULL dereference during LUN lookup +     active I/O shutdown' (kabi).

  - rtlwifi: rtl_usb: Fix missing entry in USB driver's     private data (bsc#1026462).

  - s390/kmsg: add missing kmsg descriptions (bnc#1025683,     LTC#151573).

  - s390/mm: fix zone calculation in arch_add_memory()     (bnc#1025683, LTC#152318).

  - sched/loadavg: Avoid loadavg spikes caused by delayed     NO_HZ accounting (bsc#1018419).

  - scsi_dh_alua: Do not modify the interval value for     retries (bsc#1012910).

  - scsi: do not print 'reservation conflict' for TEST UNIT     READY (bsc#1027054).

  - softirq: Let ksoftirqd do its job (bsc#1019618).

  - supported.conf: Add tcp_westwood as supported module     (fate#322432)

  - taint/module: Clean up global and module taint flags     handling (fate#313296).

  - Update mainline reference in     patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as     t_fb_create.patch See (bsc#1028158) for the context in     which this was discovered upstream.

  - x86/apic/uv: Silence a shift wrapping warning     (bsc#1023866).

  - x86/mce: Do not print MCEs when mcelog is active     (bsc#1013994).

  - x86, mm: fix gup_pte_range() vs DAX mappings     (bsc#1026405).

  - x86/mm/gup: Simplify get_user_pages() PTE bit handling     (bsc#1026405).

  - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit     access (bsc#1011913).

  - x86/platform/intel/iosf_mbi: Add a PMIC bus access     notifier (bsc#1011913).

  - x86/platform: Remove warning message for duplicate NMI     handlers (bsc#1029220).

  - x86/platform/UV: Add basic CPU NMI health check     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless NMIs     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless systems     (bsc#1023866).

  - x86/platform/UV: Clean up the NMI code to match current     coding style (bsc#1023866).

  - x86/platform/UV: Clean up the UV APIC code     (bsc#1023866).

  - x86/platform/UV: Ensure uv_system_init is called when     necessary (bsc#1023866).

  - x86/platform/UV: Fix 2 socket config problem     (bsc#1023866).

  - x86/platform/UV: Fix panic with missing UVsystab support     (bsc#1023866).

  - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be     NMI source (bsc#1023866).

  - x86/platform/UV: Verify NMI action is valid, default is     standard (bsc#1023866).

  - xen-blkfront: correct maximum segment accounting     (bsc#1018263).

  - xen-blkfront: do not call talk_to_blkback when already     connected to blkback.

  - xen/blkfront: Fix crash if backend does not follow the     right states.

  - xen-blkfront: free resources if xlvbd_alloc_gendisk     fails.

  - xen/netback: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xen/netfront: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xfs: do not take the IOLOCK exclusive for direct I/O     page invalidation (bsc#1015609).

This is an update containing several CVE and other bug fixes,

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is an update containing several CVE and other misc fixes

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2016-9588

Jim Mattson discovered that the KVM implementation for Intel x86 processors does not properly handle #BP and #OF exceptions in an L2 (nested) virtual machine. A local attacker in an L2 guest VM can take advantage of this flaw to cause a denial of service for the L1 guest VM.

CVE-2017-2636

Alexander Popov discovered a race condition flaw in the n_hdlc line discipline that can lead to a double free. A local unprivileged user can take advantage of this flaw for privilege escalation. On systems that do not already have the n_hdlc module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false

CVE-2017-5669

Gareth Evans reported that privileged users can map memory at address 0 through the shmat() system call. This could make it easier to exploit other kernel security vulnerabilities via a set-UID program.

CVE-2017-5986

Alexander Popov reported a race condition in the SCTP implementation that can be used by local users to cause a denial of service (crash).
The initial fix for this was incorrect and introduced further security issues (CVE-2017-6353). This update includes a later fix that avoids those. On systems that do not already have the sctp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-sctp.conf install sctp false

CVE-2017-6214

Dmitry Vyukov reported a bug in the TCP implementation's handling of urgent data in the splice() system call. This can be used by a remote attacker for denial of service (hang) against applications that read from TCP sockets with splice().

CVE-2017-6345

Andrey Konovalov reported that the LLC type 2 implementation incorrectly assigns socket buffer ownership. This might be usable by a local user to cause a denial of service (memory corruption or crash) or privilege escalation. On systems that do not already have the llc2 module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-llc2.conf install llc2 false

CVE-2017-6346

Dmitry Vyukov reported a race condition in the raw packet (af_packet) fanout feature. Local users with the CAP_NET_RAW capability (in any user namespace) can use this for denial of service and possibly for privilege escalation.

CVE-2017-6348

Dmitry Vyukov reported that the general queue implementation in the IrDA subsystem does not properly manage multiple locks, possibly allowing local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.86-1.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1+deb8u2.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-9588     Jim Mattson discovered that the KVM implementation for     Intel x86 processors does not properly handle #BP and     #OF exceptions in an L2 (nested) virtual machine. A     local attacker in an L2 guest VM can take advantage of     this flaw to cause a denial of service for the L1 guest     VM.

  - CVE-2017-2636     Alexander Popov discovered a race condition flaw in the     n_hdlc line discipline that can lead to a double free. A     local unprivileged user can take advantage of this flaw     for privilege escalation. On systems that do not already     have the n_hdlc module loaded, this can be mitigated by     disabling it:echo >> /etc/modprobe.d/disable-n_hdlc.conf     install n_hdlc false

  - CVE-2017-5669     Gareth Evans reported that privileged users can map     memory at address 0 through the shmat() system call.
    This could make it easier to exploit other kernel     security vulnerabilities via a set-UID program.

  - CVE-2017-5986     Alexander Popov reported a race condition in the SCTP     implementation that can be used by local users to cause     a denial-of-service (crash). The initial fix for this     was incorrect and introduced further security issues (     CVE-2017-6353 ). This update includes a later fix that     avoids those. On systems that do not already have the     sctp module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-sctp.conf install     sctp false

  - CVE-2017-6214     Dmitry Vyukov reported a bug in the TCP implementation's     handling of urgent data in the splice() system call.
    This can be used by a remote attacker for     denial-of-service (hang) against applications that read     from TCP sockets with splice().

  - CVE-2017-6345     Andrey Konovalov reported that the LLC type 2     implementation incorrectly assigns socket buffer     ownership. This can be used by a local user to cause a     denial-of-service (crash). On systems that do not     already have the llc2 module loaded, this can be     mitigated by disabling it:echo >>     /etc/modprobe.d/disable-llc2.conf install llc2 false

  - CVE-2017-6346     Dmitry Vyukov reported a race condition in the raw     packet (af_packet) fanout feature. Local users with the     CAP_NET_RAW capability (in any user namespace) can use     this for denial-of-service and possibly for privilege     escalation.

  - CVE-2017-6348     Dmitry Vyukov reported that the general queue     implementation in the IrDA subsystem does not properly     manage multiple locks, possibly allowing local users to     cause a denial-of-service (deadlock) via crafted     operations on IrDA devices.

ID	Name	Product	Family	Severity
124829	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1506)	Nessus	Huawei Local Security Checks	critical
124825	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)	Nessus	Huawei Local Security Checks	high
103354	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)	Nessus	SuSE Local Security Checks	critical
102511	Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
101853	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1123)	Nessus	Huawei Local Security Checks	high
101852	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1122)	Nessus	Huawei Local Security Checks	high
100506	Oracle Linux 7 : kernel (ELSA-2017-1308-1)	Nessus	Oracle Linux Local Security Checks	high
100320	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)	Nessus	SuSE Local Security Checks	critical
100214	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)	Nessus	SuSE Local Security Checks	high
100150	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)	Nessus	SuSE Local Security Checks	critical
100023	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)	Nessus	SuSE Local Security Checks	high
99599	Virtuozzo 7 : readykernel-patch (VZA-2017-029)	Nessus	Virtuozzo Local Security Checks	high
99418	Amazon Linux AMI : kernel (ALAS-2017-814)	Nessus	Amazon Linux Local Security Checks	high
99157	openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)	Nessus	SuSE Local Security Checks	high
99156	openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)	Nessus	SuSE Local Security Checks	high
97677	Fedora 25 : kernel (2017-387ff46a66)	Nessus	Fedora Local Security Checks	high
97675	Fedora 24 : kernel (2017-2e1f3694b2)	Nessus	Fedora Local Security Checks	high
97640	Debian DLA-849-1 : linux security update	Nessus	Debian Local Security Checks	high
97615	Debian DSA-3804-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2017-6353

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins