http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=654b404f2a222f918af9b0cd18ad469d0c941a8e

DSA-3886

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.4

98451

https://github.com/torvalds/linux/commit/654b404f2a222f918af9b0cd18ad469d0c941a8e

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka     GPU driver) for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, mishandles the     KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers     to gain privileges by leveraging accidental read-write     mappings, aka Qualcomm internal bug     CR988993.(CVE-2016-2067i1/4%0

  - Integer overflow in the mem_check_range function in     drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel     before 4.9.10 allows local users to cause a denial of     service (memory corruption), obtain sensitive     information from kernel memory, or possibly have     unspecified other impact via a write or read request     involving the 'RDMA protocol over infiniband' (aka Soft     RoCE) technology.(CVE-2016-8636i1/4%0

  - Heap-based buffer overflow in the     logi_dj_ll_raw_request function in     drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to     cause a denial of service (system crash) or possibly     execute arbitrary code via a crafted device that     specifies a large report size for an LED     report.(CVE-2014-3183i1/4%0

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2018-6927i1/4%0

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816i1/4%0

  - It was found that the blk_rq_map_user_iov() function in     the Linux kernel's block device implementation did not     properly restrict the type of iterator, which could     allow a local attacker to read or write to arbitrary     kernel memory locations or cause a denial of service     (use-after-free) by leveraging write access to a     /dev/sg device.(CVE-2016-9576i1/4%0

  - A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps 'rtnl_lock' spinlock for a very long time (up to     hour). This blocks many network-related operations,     including creation of new incoming ssh connections.The     problem is especially important for containers, as the     container owner has enough permissions to trigger this     and block a network access on a whole host, outside the     container.(CVE-2016-3156i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924i1/4%0

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728i1/4%0

  - net/ipv6/ip6_output.c in the Linux kernel through     3.11.4 does not properly determine the need for UDP     Fragmentation Offload (UFO) processing of small packets     after the UFO queueing of a large packet, which allows     remote attackers to cause a denial of service (memory     corruption and system crash) or possibly have     unspecified other impact via network traffic that     triggers a large response packet.(CVE-2013-4387i1/4%0

  - It was found that nfsd is missing permissions check     when setting ACL on files, this may allow a local users     to gain access to any file by setting a crafted     ACL.(CVE-2016-1237i1/4%0

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270i1/4%0

  - An issue was discovered in the Linux kernel where an     integer overflow in kernel/time/posix-timers.c in the     POSIX timer code is caused by the way the overrun     accounting works. Depending on interval and expiry time     values, the overrun can be larger than INT_MAX, but the     accounting is int based. This basically makes the     accounting values, which are visible to user space via     timer_getoverrun(2) and siginfo::si_overrun,     random.(CVE-2018-12896i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0

  - The netfilter subsystem in the Linux kernel through     4.15.7 mishandles the case of a rule blob that contains     a jump but lacks a user-defined chain, which allows     local users to cause a denial of service (NULL pointer     dereference) by leveraging the CAP_NET_RAW or     CAP_NET_ADMIN capability, related to arpt_do_table in     net/ipv4/netfilter/arp_tables.c, ipt_do_table in     net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in     net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0

  - The use of a kzalloc with an integer multiplication     allowed an integer overflow condition to be reached in     vfio_pci_intrs.c. This combined with CVE-2016-9083 may     allow an attacker to craft an attack and use     unallocated memory, potentially crashing the     machine.(CVE-2016-9084i1/4%0

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138i1/4%0

  - It was discovered that root can gain direct access to     an internal keyring, such as '.dns_resolver' in RHEL-7     or '.builtin_trusted_keys' upstream, by joining it as     its session keyring. This allows root to bypass module     signature verification by adding a new public key of     its own devising to the keyring.(CVE-2016-9604i1/4%0

  - An information leak flaw was found in the Linux     kernel's IEEE 802.11 wireless networking     implementation. When software encryption was used, a     remote attacker could use this flaw to leak up to 8     bytes of plaintext.(CVE-2014-8709i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in the Linux kernel where the     keyctl_set_reqkey_keyring() function leaks the thread     keyring. This allows an unprivileged local user to     exhaust kernel memory and thus cause a     DoS.(CVE-2017-7472)

  - A reference counter leak in Linux kernel in     ipxitf_ioctl function was found which results in a use     after free vulnerability that's triggerable from     unprivileged userspace when IPX interface is     configured.(CVE-2017-7487)

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495)

  - A race condition was found in the Linux kernel, present     since v3.14-rc1 through v4.12. The race happens between     threads of inotify_handle_event() and vfs_rename()     while running the rename operation against the same     file. As a result of the race the next slab data or the     slab's free list pointer can be corrupted with     attacker-controlled data, which may lead to the     privilege escalation.(CVE-2017-7533)

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this     flaw to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although it is unlikely.(CVE-2017-7541)

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function.(CVE-2017-7542)

  - Incorrect error handling in the set_mempolicy() and     mbind() compat syscalls in 'mm/mempolicy.c' in the     Linux kernel allows local users to obtain sensitive     information from uninitialized stack data by triggering     failure of a certain bitmap operation.(CVE-2017-7616)

  - The NFS2/3 RPC client could send long arguments to the     NFS server. These encoded arguments are stored in an     array of memory pages, and accessed using pointer     variables. Arbitrarily long arguments could make these     pointers point outside the array and cause an     out-of-bounds memory access. A remote user or program     could use this flaw to crash the kernel, resulting in     denial of service.(CVE-2017-7645)

  - The NFSv2 and NFSv3 server implementations in the Linux     kernel through 4.10.13 lacked certain checks for the     end of a buffer. A remote attacker could trigger a     pointer-arithmetic error or possibly cause other     unspecified impacts using crafted requests related to     fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.(CVE-2017-7895)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft-lockup the     system and thus cause denial of service.(CVE-2017-8797)

  - A use-after-free vulnerability was found in DCCP socket     code affecting the Linux kernel since 2.6.16. This     vulnerability could allow an attacker to their escalate     privileges.(CVE-2017-8824)

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allows attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call. An     unprivileged local user could use this flaw to induce     kernel memory corruption on the system, leading to a     crash. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-8890)

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924)

  - The IPv6 fragmentation implementation in the Linux     kernel does not consider that the nexthdr field may be     associated with an invalid option, which allows local     users to cause a denial of service (out-of-bounds read     and BUG) or possibly have unspecified other impact via     crafted socket and send system calls. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2017-9074)

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)

  - The IPv6 DCCP implementation in the Linux kernel     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9076)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9077)

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242)

  - The vmw_gb_surface_define_ioctl function (accessible     via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.11.4 defines a backup_handle variable     but does not give it an initial value. If one attempts     to create a GB surface, with a previously allocated DMA     buffer to be used as a backup buffer, the backup_handle     variable does not get written to and is then later     returned to user space, allowing local users to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.(CVE-2017-9605)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-1000004)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

  - The kernel_wait4 function in kernel/exit.c in the Linux     kernel, when an unspecified architecture and compiler     is used, might allow local users to cause a denial of     service by triggering an attempted use of the -INT_MIN     value.(CVE-2018-10087)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

  - CVE-2015-9004: kernel/events/core.c in the Linux kernel     mishandled counter grouping, which allowed local users     to gain privileges via a crafted application, related to     the perf_pmu_register and perf_event_open functions     (bnc#1037306).

  - CVE-2016-10229: udp.c in the Linux kernel allowed remote     attackers to execute arbitrary code via UDP traffic that     triggers an unsafe second checksum calculation during     execution of a recv system call with the MSG_PEEK flag     (bnc#1032268).

  - CVE-2016-9604: The handling of keyrings starting with     '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have     allowed local users to manipulate privileged keyrings,     was fixed (bsc#1035576)

  - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds     Write. Due to a missing bounds check, and the fact that     parport_ptr integer is static, a 'secure boot' kernel     command line adversary (can happen due to bootloader     vulns, e.g. Google Nexus 6's CVE-2016-10277, where due     to a vulnerability the adversary has partial control     over the command line) can overflow the parport_nr array     in the following code, by appending many (>LP_NO)     'lp=none' arguments to the command line (bnc#1039456).

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     is vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

  - CVE-2017-10661: Race condition in fs/timerfd.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (list corruption or     use-after-free) via simultaneous file-descriptor     operations that leverage improper might_cancel queueing     (bnc#1053152).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bnc#1048275).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A     user-controlled buffer is copied into a local buffer of     constant size using strcpy without a length check which     can cause a buffer overflow. (bnc#1053148).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14140: The move_pages system call in     mm/migrate.c in the Linux kernel doesn't check the     effective uid of the target process, enabling a local     attacker to learn the memory layout of a setuid     executable despite ASLR (bnc#1057179).

  - CVE-2017-15265: Use-after-free vulnerability in the     Linux kernel allowed local users to have unspecified     impact via vectors related to /dev/snd/seq     (bnc#1062520).

  - CVE-2017-15274: security/keys/keyctl.c in the Linux     kernel did not consider the case of a NULL payload in     conjunction with a nonzero length value, which allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192 (bnc#1045327).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c (bnc#1030593).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type (bnc#1029850).

  - CVE-2017-7482: A potential memory corruption was fixed     in decoding of krb5 principals in the kernels kerberos     handling. (bnc#1046107).

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879).

  - CVE-2017-7518: The Linux kernel was vulnerable to an     incorrect debug exception(#DB) error. It could occur     while emulating a syscall instruction and potentially     lead to guest privilege escalation. (bsc#1045922).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-7889: The mm subsystem in the Linux kernel did     not properly enforce the CONFIG_STRICT_DEVMEM protection     mechanism, which allowed local users to read or write to     kernel memory locations in the first megabyte (and     bypass slab-allocation access restrictions) via an     application that opens the /dev/mem file, related to     arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bnc#1035877).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1037182 bsc#1038982).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1037183 bsc#1038981).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-15274: security/keys/keyctl.c in the Linux     kernel did not consider the case of a NULL payload in     conjunction with a nonzero length value, which allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192 (bnc#1045327).

  - CVE-2017-15265: Use-after-free vulnerability in the     Linux kernel allowed local users to have unspecified     impact via vectors related to /dev/snd/seq     (bnc#1062520).

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14140: The move_pages system call in     mm/migrate.c in the Linux kernel doesn't check the     effective uid of the target process, enabling a local     attacker to learn the memory layout of a setuid     executable despite ASLR (bnc#1057179).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-10661: Race condition in fs/timerfd.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (list corruption or     use-after-free) via simultaneous file-descriptor     operations that leverage improper might_cancel queueing     (bnc#1053152).

  - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A     user-controlled buffer is copied into a local buffer of     constant size using strcpy without a length check which     can cause a buffer overflow. (bnc#1053148).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

  - CVE-2017-7482: A potential memory corruption was fixed     in decoding of krb5 principals in the kernels kerberos     handling. (bnc#1046107).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bnc#1048275).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-7518: The Linux kernel was vulnerable to an     incorrect debug exception(#DB) error. It could occur     while emulating a syscall instruction and potentially     lead to guest privilege escalation. (bsc#1045922).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1037182 bsc#1038982).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1037183 bsc#1038981).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     was vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents might have been disclosed     when a read and an ioctl happen at the same time     (bnc#1044125).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

  - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds     Write. Due to a missing bounds check, and the fact that     parport_ptr integer is static, a 'secure boot' kernel     command line adversary (could happen due to bootloader     vulns, e.g. Google Nexus 6's CVE-2016-10277, where due     to a vulnerability the adversary has partial control     over the command line) could overflow the parport_nr     array in the following code, by appending many (>LP_NO)     'lp=none' arguments to the command line (bnc#1039456).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544).

  - CVE-2017-7889: The mm subsystem in the Linux kernel did     not properly enforce the CONFIG_STRICT_DEVMEM protection     mechanism, which allowed local users to read or write to     kernel memory locations in the first megabyte (and     bypass slab-allocation access restrictions) via an     application that opens the /dev/mem file, related to     arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).
    The following new features were implemented :

  - the r8152 network driver was updated to support Realtek     RTL8152/RTL8153 Based USB Ethernet Adapters     (fate#321482)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212)

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c (bsc#1030593).

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914)

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bsc#1024938)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235)

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type (bsc#1029850).

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability (bsc#1030573)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-7482: Several missing length checks ticket     decode allowing for information leak or potentially code     execution (bsc#1046107).

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bsc#1038879).

  - CVE-2017-7533: Race condition in the fsnotify     implementation in the Linux kernel allowed local users     to gain privileges or cause a denial of service (memory     corruption) via a crafted application that leverages     simultaneous execution of the inotify_handle_event and     vfs_rename functions (bnc#1049483 1050677 ).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bsc#1033336)

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability. This requires a malicious PCI Card.
    (bnc#1037994).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bsc#1038544).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1037182).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1038981).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bsc#1039883).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bsc#1040069).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel was too late     in checking whether an overwrite of an skb data     structure may occur, which allowed local users to cause     a denial of service (system crash) via crafted system     calls (bnc#1041431).

  - CVE-2017-10661: Race condition in fs/timerfd.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (list corruption or     use-after-free) via simultaneous file-descriptor     operations that leverage improper might_cancel queueing     (bnc#1053152).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bnc#1048275).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A     user-controlled buffer is copied into a local buffer of     constant size using strcpy without a length check which     can cause a buffer overflow. (bnc#1053148).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-1000112: Fixed a race condition in net-packet     code that could have been exploited by unprivileged     users to gain root access. (bsc#1052311).

  - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds     Write. Due to a missing bounds check, and the fact that     parport_ptr integer is static, a 'secure boot' kernel     command line adversary could have overflowed the     parport_nr array in the following code (bnc#1039456).

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     was vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-7482: Several missing length checks ticket     decode allowing for information leak or potentially code     execution (bsc#1046107).

  - CVE-2016-10277: Potential privilege escalation due to a     missing bounds check in the lp driver. A kernel     command-line adversary can overflow the parport_nr array     to execute code (bsc#1039456).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bsc#1049882).

  - CVE-2017-7533: Bug in inotify code allowing privilege     escalation (bsc#1049483).

  - CVE-2017-11176: The mq_notify function in the Linux     kernel did not set the sock pointer to NULL upon entry     into the retry logic. During a user-space close of a     Netlink socket, it allowed attackers to cause a denial     of service (use-after-free) or possibly have unspecified     other impact (bsc#1048275).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-1000365: The Linux Kernel imposed a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354)

  - CVE-2014-9922: The eCryptfs subsystem in the Linux     kernel allowed local users to gain privileges via a     large filesystem stack that includes an overlayfs layer,     related to fs/ecryptfs/main.c and fs/overlayfs/super.c     (bnc#1032340)

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow     (bnc#1038982).

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling     (bnc#1038981).

  - CVE-2017-1000380: sound/core/timer.c was vulnerable to a     data race in the ALSA /dev/snd/timer driver resulting in     local users being able to read information belonging to     other users, i.e., uninitialized memory contents could     have bene disclosed when a read and an ioctl happen at     the same time (bnc#1044125)

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c was too late in checking whether     an overwrite of an skb data structure may occur, which     allowed local users to cause a denial of service (system     crash) via crafted system calls (bnc#1041431)

  - CVE-2017-1000363: A buffer overflow in kernel     commandline handling of the 'lp' parameter could be used     by local console attackers to bypass certain secure boot     settings. (bnc#1039456)

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885)

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069)

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883)

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882)

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879)

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544)

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c (bnc#1030593)

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type (bnc#1029850)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)

It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955)

It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-8962)

Sasha Levin discovered that a race condition existed in the performance events and counters subsystem of the Linux kernel when handling CPU unplug events. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8963)

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2015-8964)

It was discovered that the fcntl64() system call in the Linux kernel did not properly set memory limits when returning on 32-bit ARM processors. A local attacker could use this to gain administrative privileges. (CVE-2015-8966)

It was discovered that the system call table for ARM 64-bit processors in the Linux kernel was not write-protected. An attacker could use this in conjunction with another kernel vulnerability to execute arbitrary code. (CVE-2015-8967)

It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2016-10088)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.i1/4^CVE-2014-9940i1/4%0

  - Race condition in the sctp_wait_for_sndbuf function in     net/sctp/socket.c in the Linux kernel before 4.9.11     allows local users to cause a denial of service     (assertion failure and panic) via a multithreaded     application that peels off an association in a certain     buffer-full state.i1/4^CVE-2017-5986i1/4%0

  - net/sctp/socket.c in the Linux kernel through 4.10.1     does not properly restrict association peel-off     operations during certain wait states, which allows     local users to cause a denial of service (invalid     unlock and double free) via a multithreaded     application. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2017-5986.i1/4^CVE-2017-6353i1/4%0

  - The ipxitf_ioctl function in net/ipx/af_ipx.c in the     Linux kernel through 4.11.1 mishandles reference     counts, which allows local users to cause a denial of     service (use-after-free) or possibly have unspecified     other impact via a failed SIOCGIFADDR ioctl call for an     IPX interface.i1/4^CVE-2017-7487i1/4%0

  - fs/ext4/inode.c in the Linux kernel before 4.6.2, when     ext4 data=ordered mode is used, mishandles a     needs-flushing-before-commit list, which allows local     users to obtain sensitive information from other users'     files in opportunistic circumstances by waiting for a     hardware reset, creating a new file, making write     system calls, and reading this file.i1/4^CVE-2017-7495i1/4%0

  - The NFSv2/NFSv3 server in the nfsd subsystem in the     Linux kernel through 4.10.11 allows remote attackers to     cause a denial of service (system crash) via a long RPC     reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c,     and fs/nfsd/nfsxdr.c.i1/4^CVE-2017-7645i1/4%0

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     through 4.10.15 allows attackers to cause a denial of     service (double free) or possibly have unspecified     other impact by leveraging use of the accept system     call.i1/4^CVE-2017-8890i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel before     4.10.4 allows local users to obtain sensitive     information (in the dmesg ringbuffer and syslog) from     uninitialized kernel memory by using a crafted USB     device (posing as an io_ti USB serial device) to     trigger an integer underflow.i1/4^CVE-2017-8924i1/4%0

  - The IPv6 fragmentation implementation in the Linux     kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option,     which allows local users to cause a denial of service     (out-of-bounds read and BUG) or possibly have     unspecified other impact via crafted socket and send     system calls.i1/4^CVE-2017-9074i1/4%0

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.i1/4^CVE-2017-9075i1/4%0

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.i1/4^CVE-2017-9077i1/4%0

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.i1/4^CVE-2017-9242i1/4%0

  - The ext4_fill_super function in fs/ext4/super.c in the     Linux kernel through 4.9.8 does not properly validate     meta block groups, which allows physically proximate     attackers to cause a denial of service (out-of-bounds     read and system crash) via a crafted ext4     image.i1/4^CVE-2016-10208i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     is vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

  - CVE-2017-7346: The vmw_gb_surface_define_ioctl function     in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate certain levels data, which     allowed local users to cause a denial of service (system     hang) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031796).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow.
    (bsc#1038982)

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling.
    (bsc#1038981)

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544).

  - CVE-2017-9150: The do_check function in     kernel/bpf/verifier.c in the Linux kernel did not make     the allow_ptr_leaks value available for restricting the     output of the print_bpf_insn function, which allowed     local users to obtain sensitive address information via     crafted bpf system calls (bnc#1040279).

  - CVE-2017-7618: crypto/ahash.c in the Linux kernel     allowed attackers to cause a denial of service (API     operation calling its own callback, and infinite     recursion) by triggering EBUSY on a full queue     (bnc#1033340).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bnc#1033336).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-7487     Li Qiang reported a reference counter leak in the     ipxitf_ioctl function which may result into a     use-after-free vulnerability, triggerable when a IPX     interface is configured.

  - CVE-2017-7645     Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd     discovered that the NFSv2 and NFSv3 server     implementations are vulnerable to an out-of-bounds     memory access issue while processing arbitrarily long     arguments sent by NFSv2/NFSv3 PRC clients, leading to a     denial of service.

  - CVE-2017-7895     Ari Kauppi from Synopsys Ltd discovered that the NFSv2     and NFSv3 server implementations do not properly handle     payload bounds checking of WRITE requests. A remote     attacker with write access to a NFS mount can take     advantage of this flaw to read chunks of arbitrary     memory from both kernel-space and user-space.

  - CVE-2017-8064     Arnd Bergmann found that the DVB-USB core misused the     device logging system, resulting in a use-after-free     vulnerability, with unknown security impact.

  - CVE-2017-8890     It was discovered that the net_csk_clone_lock() function     allows a remote attacker to cause a double free leading     to a denial of service or potentially have other impact.

  - CVE-2017-8924     Johan Hovold found that the io_ti USB serial driver     could leak sensitive information if a malicious USB     device was connected.

  - CVE-2017-8925     Johan Hovold found a reference counter leak in the     omninet USB serial driver, resulting in a use-after-free     vulnerability. This can be triggered by a local user     permitted to open tty devices.

  - CVE-2017-9074     Andrey Konovalov reported that the IPv6 fragmentation     implementation could read beyond the end of a packet     buffer. A local user or guest VM might be able to use     this to leak sensitive information or to cause a denial     of service (crash).

  - CVE-2017-9075     Andrey Konovalov reported that the SCTP/IPv6     implementation wrongly initialised address lists on     connected sockets, resulting in a use-after-free     vulnerability, a similar issue to CVE-2017-8890. This     can be triggered by any local user.

  - CVE-2017-9076 / CVE-2017-9077     Cong Wang found that the TCP/IPv6 and DCCP/IPv6     implementations wrongly initialised address lists on     connected sockets, a similar issue to CVE-2017-9075.

  - CVE-2017-9242     Andrey Konovalov reported a packet buffer overrun in the     IPv6 implementation. A local user could use this for     denial of service (memory corruption; crash) and     possibly for privilege escalation.

  - CVE-2017-1000364     The Qualys Research Labs discovered that the size of the     stack guard page is not sufficiently large. The     stack-pointer can jump over the guard-page and moving     from the stack into another memory region without     accessing the guard-page. In this case no page-fault     exception is raised and the stack extends into the other     memory region. An attacker can exploit this flaw for     privilege escalation.

  The default stack gap protection is set to 256 pages and can be   configured via the stack_guard_gap kernel parameter on the kernel   command line.

  Further details can be found at   https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-7487

Li Qiang reported a reference counter leak in the ipxitf_ioctl function which may result into a use-after-free vulnerability, triggerable when a IPX interface is configured.

CVE-2017-7645

Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations are vulnerable to an out-of-bounds memory access issue while processing arbitrarily long arguments sent by NFSv2/NFSv3 PRC clients, leading to a denial of service.

CVE-2017-7895

Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3 server implementations do not properly handle payload bounds checking of WRITE requests. A remote attacker with write access to a NFS mount can take advantage of this flaw to read chunks of arbitrary memory from both kernel-space and user-space.

CVE-2017-8890

It was discovered that the net_csk_clone_lock() function allows a remote attacker to cause a double free leading to a denial of service or potentially have other impact.

CVE-2017-8924

Johan Hovold found that the io_ti USB serial driver could leak sensitive information if a malicious USB device was connected.

CVE-2017-8925

Johan Hovold found a reference counter leak in the omninet USB serial driver, resulting in a use-after-free vulnerability. This can be triggered by a local user permitted to open tty devices.

CVE-2017-9074

Andrey Konovalov reported that the IPv6 fragmentation implementation could read beyond the end of a packet buffer. A local user or guest VM might be able to use this to leak sensitive information or to cause a denial of service (crash).

CVE-2017-9075

Andrey Konovalov reported that the SCTP/IPv6 implementation wrongly initialised address lists on connected sockets, resulting in a use-after-free vulnerability, a similar issue to CVE-2017-8890. This can be triggered by any local user.

CVE-2017-9076 / CVE-2017-9077 Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations wrongly initialised address lists on connected sockets, a similar issue to CVE-2017-9075.

CVE-2017-9242

Andrey Konovalov reported a packet buffer overrun in the IPv6 implementation. A local user could use this for denial of service (memory corruption; crash) and possibly for privilege escalation.

CVE-2017-1000364

The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack-pointer can jump over the guard-page and moving from the stack into another memory region without accessing the guard-page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation.

The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line.

Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx t

For Debian 7 'Wheezy', this problem has been fixed in version 3.2.89-2.

For Debian 8 'Jessie', this problem has been fixed in version 3.16.43-2+deb8u2.

For Debian 9 'Stretch', this problem has been fixed in version 4.9.30-2+deb9u2.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124975	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1522)	Nessus	Huawei Local Security Checks	high
124827	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1504)	Nessus	Huawei Local Security Checks	critical
104374	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)	Nessus	SuSE Local Security Checks	critical
104271	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2908-1) (KRACK) (Stack Clash)	Nessus	SuSE Local Security Checks	critical
103354	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)	Nessus	SuSE Local Security Checks	critical
103110	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2389-1) (Stack Clash)	Nessus	SuSE Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
101928	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)	Nessus	Ubuntu Local Security Checks	critical
101894	Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3359-1)	Nessus	Ubuntu Local Security Checks	critical
101853	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1123)	Nessus	Huawei Local Security Checks	high
101852	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1122)	Nessus	Huawei Local Security Checks	high
101762	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1853-1) (Stack Clash)	Nessus	SuSE Local Security Checks	high
100877	Debian DSA-3886-1 : linux - security update (Stack Clash)	Nessus	Debian Local Security Checks	critical
100876	Debian DLA-993-2 : linux regression update (Stack Clash)	Nessus	Debian Local Security Checks	critical

CVE-2017-8924

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins