103959

https://bugzilla.kernel.org/show_bug.cgi?id=199423

USN-3752-1

USN-3752-2

USN-3752-3

USN-3754-1

DSA-4188

https://www.spinics.net/lists/linux-xfs/msg17254.html

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A buffer overflow was discovered in tpacket_rcv()     function in the Linux kernel since v4.6-rc1 through     v4.13. A number of socket-related syscalls can be made     to set up a configuration when each packet received by     a network interface can cause writing up to 10 bytes to     a kernel memory outside of a kernel buffer. This can     cause unspecified kernel data corruption effects,     including damage of in-memory and on-disk XFS     data.(CVE-2017-14497)

  - The qmi_wwan_bind function in     drivers/net/usb/qmi_wwan.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16650)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled sctp_accept()     during the processing of heartbeat timeout events. A     remote attacker could use this flaw to prevent further     connections to be accepted by the SCTP server running     on the system, resulting in a denial of     service.(CVE-2015-8767)

  - A race condition flaw was found in the way the Linux     kernel's KVM subsystem handled PIT (Programmable     Interval Timer) emulation. A guest user who has access     to the PIT I/O ports could use this flaw to crash the     host.(CVE-2014-3611)

  - The Linux kernel is vulnerable to a memory leak in the     drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_n     l() function. An attacker could exploit this to cause a     potential denial of service.(CVE-2018-8087)

  - An integer underflow flaw was found in the way the     Linux kernel's Stream Control Transmission Protocol     (SCTP) implementation processed certain COOKIE_ECHO     packets. By sending a specially crafted SCTP packet, a     remote attacker could use this flaw to prevent     legitimate connections to a particular SCTP server     socket to be made.(CVE-2014-4667)

  - The cx231xx_usb_probe function in     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16536)

  - The snd_usb_create_streams function in sound/usb/card.c     in the Linux kernel, before 4.13.6, allows local users     to cause a denial of service (out-of-bounds read and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16529)

  - A flaw was found in the Linux kernel's random number     generator API. A null pointer dereference in the     rngapi_reset function may result in denial of service,     crashing the system.(CVE-2017-15116)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON     is enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system.(CVE-2017-17449)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The aac_compat_ioctl function in     drivers/scsi/aacraid/linit.c in the Linux kernel before     3.11.8 does not require the CAP_SYS_RAWIO capability,     which allows local users to bypass intended access     restrictions via a crafted ioctl call.(CVE-2013-6383)

  - Linux kernel before version 4.16-rc7 is vulnerable to a     null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in that allows a local user to     cause a denial of service by a number of certain     crafted system calls.(CVE-2018-1130)

  - The Linux kernel is vulerable to a use-after-free flaw     when Transformation User configuration     interface(CONFIG_XFRM_USER) compile-time configuration     were enabled. This vulnerability occurs while closing a     xfrm netlink socket in xfrm_dump_policy_done. A     user/process could abuse this flaw to potentially     escalate their privileges on a system.(CVE-2017-16939)

  - A vulnerability was found in the Linux kernel in     function rds_inc_info_copy of file net/rds/recv.c. The     last field 'flags' of object 'minfo' is not     initialized. This can leak data previously at the flags     location to userspace.(CVE-2016-5244)

  - A flaw was found in the kernel's ACPI interpreter when     it does not flush the operand cache and causes a kernel     stack dump. This allows local users to obtain sensitive     information from kernel memory and bypass the KASLR     protection mechanism.(CVE-2017-13693)

  - It was found that kernel/events/core.c in the Linux     kernel mishandles counter grouping, which allows local     users to gain privileges via a crafted application,     related to the perf_pmu_register and perf_event_open     functions.(CVE-2015-9004)

  - The xfs_bmap_extents_to_btree function in     fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through     4.16.3 allows local users to cause a denial of service     (xfs_bmapi_write NULL pointer dereference) via a     crafted xfs image.(CVE-2018-10323)

  - The lrw_crypt() function in 'crypto/lrw.c' in the Linux     kernel before 4.5 allows local users to cause a system     crash and a denial of service by the NULL pointer     dereference via accept(2) system call for AF_ALG socket     without calling setkey() first to set a cipher     key.(CVE-2015-8970)

  - The IPv6 fragmentation implementation in the Linux     kernel does not consider that the nexthdr field may be     associated with an invalid option, which allows local     users to cause a denial of service (out-of-bounds read     and BUG) or possibly have unspecified other impact via     crafted socket and send system calls. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2017-9074)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

The v4.16.8 update contains important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Jann Horn discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep xattr information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-11412)

Piotr Gabriel Kosinski and Daniel Shapira discovered a stack-based buffer overflow in the CDROM driver implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-11506)

Shankara Pailoor discovered that a race condition existed in the socket handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-12232)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Felix Wilhelm discovered that the KVM implementation in the Linux kernel did not properly perform permission checks in some situations when nested virtualization is used. An attacker in a guest VM could possibly use this to escape into an outer VM or the host OS.
(CVE-2018-12904)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Jakub Jirasek discovered that multiple use-after-free errors existed in the USB/IP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5814)

It was discovered that a race condition existed in the ARM Advanced Microcontroller Bus Architecture (AMBA) driver in the Linux kernel that could result in a double free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-9415)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

Jann Horn discovered that the Linux kernel's implementation of random seed data reported that it was in a ready state before it had gathered sufficient entropy. An attacker could use this to expose sensitive information. (CVE-2018-1108)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Jann Horn discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep xattr information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-11412)

Piotr Gabriel Kosinski and Daniel Shapira discovered a stack-based buffer overflow in the CDROM driver implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-11506)

Shankara Pailoor discovered that a race condition existed in the socket handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-12232)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Felix Wilhelm discovered that the KVM implementation in the Linux kernel did not properly perform permission checks in some situations when nested virtualization is used. An attacker in a guest VM could possibly use this to escape into an outer VM or the host OS.
(CVE-2018-12904)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Jakub Jirasek discovered that multiple use-after-free errors existed in the USB/IP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5814)

It was discovered that a race condition existed in the ARM Advanced Microcontroller Bus Architecture (AMBA) driver in the Linux kernel that could result in a double free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-9415)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of 'linux-aws', 'linux', 'linux-esx', 'linux-secure' packages of Photon OS has been released.

An update of 'linux', 'linux-esx' packages of Photon OS has been released.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - dm: fix race between dm_get_from_kobject and
    __dm_destroy (Hou Tao) (CVE-2017-18203)

  - drm: udl: Properly check framebuffer mmap offsets (Greg     Kroah-Hartman) [Orabug: 27986407] (CVE-2018-8781)

  - kernel/exit.c: avoid undefined behaviour when calling     wait4 wait4(-2147483648, 0x20, 0, 0xdd0000) triggers:
    UBSAN: Undefined behaviour in kernel/exit.c:1651:9     (mridula shastry) [Orabug: 27875488] (CVE-2018-10087)

  - kernel/signal.c: avoid undefined behaviour in     kill_something_info When running kill(72057458746458112,     0) in userspace I hit the following issue. (mridula     shastry) (CVE-2018-10124)

  - bluetooth: Validate socket address length in     sco_sock_bind. (mlevatic) [Orabug: 28130293]     (CVE-2015-8575)

  - dccp: check sk for closed state in dccp_sendmsg (Alexey     Kodanev) [Orabug: 28220402] (CVE-2017-8824)     (CVE-2018-1130)

  - sctp: verify size of a new chunk in _sctp_make_chunk     (Alexey Kodanev) [Orabug: 28240075] (CVE-2018-5803)

  - mm/mempolicy.c: fix error handling in set_mempolicy and     mbind. (Chris Salls) [Orabug: 28242478] (CVE-2017-7616)

  - xfrm: policy: check policy direction value (Vladis     Dronov) [Orabug: 28264121] (CVE-2017-11600)     (CVE-2017-11600)

  - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug:
    28156176] (CVE-2018-3665)

  - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng     Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741)

  - xfs: set format back to extents if     xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
    27989498] (CVE-2018-10323)

  - Bluetooth: Prevent stack info leak from the EFS element.
    (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410)     (CVE-2017-1000410)

  - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2549)

  - ALSA: timer: Harden slave timer list handling (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548)

  - ALSA: timer: Fix double unlink of active_list (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2545)

  - ALSA: seq: Fix missing NULL check at remove_events ioctl     (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543)

  - ALSA: seq: Fix race at timer setup and close (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2544)

  - ALSA: usb-audio: avoid freeing umidi object twice     (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384)

  - perf/hwbp: Simplify the perf-hwbp code, fix     documentation (Linus Torvalds) [Orabug: 27947608]     (CVE-2018-1000199)

  - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix     documentation' (Brian Maly) [Orabug: 27947608]

Description of changes:

kernel-uek kernel-uek [3.8.13-118.22.1.el7uek]
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao)   {CVE-2017-18203}
- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman)   [Orabug: 27986407]  {CVE-2018-8781}
- kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry)  [Orabug: 27875488] {CVE-2018-10087}
- kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry)   {CVE-2018-10124}
- bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic)  [Orabug: 28130293]  {CVE-2015-8575}
- dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220402]  {CVE-2017-8824} {CVE-2018-1130}
- sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey Kodanev)  [Orabug: 28240075]  {CVE-2018-5803}
- mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls)  [Orabug: 28242478]  {CVE-2017-7616}
- xfrm: policy: check policy direction value (Vladis Dronov)  [Orabug: 28264121]  {CVE-2017-11600} {CVE-2017-11600}
- x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156176] {CVE-2018-3665}
- KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li)  [Orabug: 27951287]  {CVE-2017-17741} {CVE-2017-17741}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen)  [Orabug: 27989498]  {CVE-2018-10323}
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520]  {CVE-2017-1000410} {CVE-2017-1000410}
- ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2549}
- ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2547} {CVE-2016-2548}
- ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2545}
- ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2543}
- ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2544}
- ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229]  {CVE-2016-2384}
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds)  [Orabug: 27947608]  {CVE-2018-1000199}
- Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly)  [Orabug: 27947608]

Description of changes:

kernel-uek [3.8.13-118.21.4.el7uek]
- x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156176] {CVE-2018-3665}

[3.8.13-118.21.3.el7uek]
- KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li)  [Orabug: 27951287]  {CVE-2017-17741} {CVE-2017-17741}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen)  [Orabug: 27989498]  {CVE-2018-10323}
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520]  {CVE-2017-1000410} {CVE-2017-1000410}
- ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2549}
- ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2547} {CVE-2016-2548}
- ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2545}
- ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2543}
- ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 28058229]  {CVE-2016-2544}
- ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229]  {CVE-2016-2384}

[3.8.13-118.21.2.el7uek]
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds)  [Orabug: 27947608]  {CVE-2018-1000199}
- Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' (Brian Maly)  [Orabug: 27947608]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug:
    28156176] (CVE-2018-3665)

  - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng     Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741)

  - xfs: set format back to extents if     xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
    27989498] (CVE-2018-10323)

  - Bluetooth: Prevent stack info leak from the EFS element.
    (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410)     (CVE-2017-1000410)

  - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2549)

  - ALSA: timer: Harden slave timer list handling (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548)

  - ALSA: timer: Fix double unlink of active_list (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2545)

  - ALSA: seq: Fix missing NULL check at remove_events ioctl     (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543)

  - ALSA: seq: Fix race at timer setup and close (Takashi     Iwai) [Orabug: 28058229] (CVE-2016-2544)

  - ALSA: usb-audio: avoid freeing umidi object twice     (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384)

  - perf/hwbp: Simplify the perf-hwbp code, fix     documentation (Linus Torvalds) [Orabug: 27947608]     (CVE-2018-1000199)

  - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix     documentation' (Brian Maly) [Orabug: 27947608]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - KVM: SVM: Move spec control call after restore of GS     (Thomas Gleixner) (CVE-2018-3639)

  - x86/bugs: Fix the parameters alignment and missing void     (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Make cpu_show_common static (Jiri Kosina)     (CVE-2018-3639)

  - x86/bugs: Fix __ssb_select_mitigation return type (Jiri     Kosina) (CVE-2018-3639)

  - Documentation/spec_ctrl: Do some minor cleanups     (Borislav Petkov) (CVE-2018-3639)

  - proc: Use underscores for SSBD in 'status' (Konrad     Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk)     (CVE-2018-3639)

  - x86/speculation: Make 'seccomp' the default mode for     Speculative Store Bypass (Kees Cook) (CVE-2018-3639)

  - seccomp: Move speculation migitation control to arch     code (Thomas Gleixner) (CVE-2018-3639)

  - seccomp: Add filter flag to opt-out of SSB mitigation     (Kees Cook) (CVE-2018-3639)

  - seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner)     (CVE-2018-3639)

  - prctl: Add force disable speculation (Konrad Rzeszutek     Wilk) (CVE-2018-3639)

  - seccomp: Enable speculation flaw mitigations (Kees Cook)     (CVE-2018-3639)

  - proc: Provide details on speculation flaw mitigations     (Kees Cook) (CVE-2018-3639)

  - nospec: Allow getting/setting on non-current task (Kees     Cook) (CVE-2018-3639)

  - x86/bugs/IBRS: Disable SSB (RDS) if IBRS is sslected for     spectre_v2. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/speculation: Add prctl for Speculative Store Bypass     mitigation (Thomas Gleixner) (CVE-2018-3639)

  - x86: thread_info.h: move RDS from index 5 to 23 (Mihai     Carabas) (CVE-2018-3639)

  - x86/process: Allow runtime control of Speculative Store     Bypass (Thomas Gleixner) (CVE-2018-3639)

  - prctl: Add speculation control prctls (Thomas Gleixner)     (CVE-2018-3639)

  - x86/speculation: Create spec-ctrl.h to avoid include     hell (Thomas Gleixner) (CVE-2018-3639)

  - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest     (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs/AMD: Add support to disable RDS on     Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk)     (CVE-2018-3639)

  - x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad     Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs/intel: Set proper CPU features and setup RDS     (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Provide boot parameters for the     spec_store_bypass_disable mitigation (Konrad Rzeszutek     Wilk) (CVE-2018-3639)

  - x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek     Wilk) (CVE-2018-3639)

  - x86/bugs: Expose /sys/../spec_store_bypass (Konrad     Rzeszutek Wilk) (CVE-2018-3639)

  - x86/cpu/intel: Add Knights Mill to Intel family (Piotr     Luc) (CVE-2018-3639)

  - x86/cpu: Rename Merrifield2 to Moorefield (Andy     Shevchenko) (CVE-2018-3639)

  - x86/bugs, KVM: Support the combination of guest and host     IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs/IBRS: Warn if IBRS is enabled during boot.
    (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs/IBRS: Use variable instead of defines for     enabling IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Read SPEC_CTRL MSR during boot and re-use     reserved bits (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Concentrate bug reporting into a separate     function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs: Concentrate bug detection into a separate     function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

  - x86/bugs/IBRS: Turn on IBRS in     spectre_v2_select_mitigation (Konrad Rzeszutek Wilk)     (CVE-2018-3639)

  - x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk)     (CVE-2018-3639)

  - scsi: libfc: Revisit kref handling (Hannes Reinecke)

  - scsi: libfc: reset exchange manager during LOGO handling     (Hannes Reinecke)

  - scsi: libfc: send LOGO for PLOGI failure (Hannes     Reinecke)

  - scsi: libfc: Issue PRLI after a PRLO has been received     (Hannes Reinecke)

  - libfc: Update rport reference counting (Hannes Reinecke)

  - amd/kvm: do not intercept new MSRs for spectre v2     mitigation (Elena Ufimtseva)

  - RDS: null pointer dereference in rds_atomic_free_op     (Mohamed Ghannam) [Orabug: 27422832] (CVE-2018-5333)

  - ACPI: sbshc: remove raw pointer from printk message     (Greg Kroah-Hartman) [Orabug: 27501257] (CVE-2018-5750)

  - futex: Prevent overflow by strengthen input validation     (Li Jinyue) [Orabug: 27539548] (CVE-2018-6927)

  - net: ipv4: add support for ECMP hash policy choice     (Venkat Venkatsubra) [Orabug: 27547114]

  - net: ipv4: Consider failed nexthops in multipath routes     (David Ahern) 

  - ipv4: L3 hash-based multipath (Peter N&oslash rlund)     [Orabug: 27547114]

  - dm: fix race between dm_get_from_kobject and
    __dm_destroy (Hou Tao) [Orabug: 27677556]     (CVE-2017-18203)

  - NFS: only invalidate dentrys that are clearly invalid.
    (NeilBrown) 

  - net: Improve handling of failures on link and route     dumps (David Ahern) [Orabug: 27959177]

  - mm/mempolicy: fix use after free when calling     get_mempolicy (zhong jiang) [Orabug: 27963519]     (CVE-2018-10675)

  - drm: udl: Properly check framebuffer mmap offsets (Greg     Kroah-Hartman) [Orabug: 27963530] (CVE-2018-8781)

  - xfs: set format back to extents if     xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
    27963576] (CVE-2018-10323)

  - Revert 'mlx4: change the ICM table allocations to lowest     needed size' (H&aring kon Bugge) [Orabug: 27980030]

  - Bluetooth: Prevent stack info leak from the EFS element.
    (Ben Seri) [Orabug: 28030514] (CVE-2017-1000410)     (CVE-2017-1000410)

Description of changes:
[4.1.12-124.15.2.el7uek]
- KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner)    {CVE-2018-3639}
- x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Make cpu_show_common() static (Jiri Kosina)   {CVE-2018-3639}
- x86/bugs: Fix __ssb_select_mitigation() return type (Jiri Kosina) {CVE-2018-3639}
- Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) {CVE-2018-3639}
- proc: Use underscores for SSBD in 'status' (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/speculation: Make 'seccomp' the default mode for Speculative Store Bypass (Kees Cook)   {CVE-2018-3639}
- seccomp: Move speculation migitation control to arch code (Thomas Gleixner)   {CVE-2018-3639}
- seccomp: Add filter flag to opt-out of SSB mitigation (Kees Cook) {CVE-2018-3639}
- seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner)   {CVE-2018-3639}
- prctl: Add force disable speculation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- seccomp: Enable speculation flaw mitigations (Kees Cook)   {CVE-2018-3639}
- proc: Provide details on speculation flaw mitigations (Kees Cook) {CVE-2018-3639}
- nospec: Allow getting/setting on non-current task (Kees Cook) {CVE-2018-3639}
- x86/bugs/IBRS: Disable SSB (RDS) if IBRS is sslected for spectre_v2. (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/speculation: Add prctl for Speculative Store Bypass mitigation (Thomas Gleixner)   {CVE-2018-3639}
- x86: thread_info.h: move RDS from index 5 to 23 (Mihai Carabas) {CVE-2018-3639}
- x86/process: Allow runtime control of Speculative Store Bypass (Thomas Gleixner)   {CVE-2018-3639}
- prctl: Add speculation control prctls (Thomas Gleixner)   {CVE-2018-3639}
- x86/speculation: Create spec-ctrl.h to avoid include hell (Thomas Gleixner)   {CVE-2018-3639}
- x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs/intel: Set proper CPU features and setup RDS (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Expose /sys/../spec_store_bypass (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/cpu/intel: Add Knights Mill to Intel family (Piotr Luc) {CVE-2018-3639}
- x86/cpu: Rename Merrifield2 to Moorefield (Andy Shevchenko) {CVE-2018-3639}
- x86/bugs, KVM: Support the combination of guest and host IBRS (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs/IBRS: Warn if IBRS is enabled during boot. (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs/IBRS: Use variable instead of defines for enabling IBRS (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Concentrate bug reporting into a separate function (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs: Concentrate bug detection into a separate function (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/bugs/IBRS: Turn on IBRS in spectre_v2_select_mitigation (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk)   {CVE-2018-3639}
- scsi: libfc: Revisit kref handling (Hannes Reinecke)
- scsi: libfc: reset exchange manager during LOGO handling (Hannes Reinecke)
- scsi: libfc: send LOGO for PLOGI failure (Hannes Reinecke)
- scsi: libfc: Issue PRLI after a PRLO has been received (Hannes Reinecke)
- libfc: Update rport reference counting (Hannes Reinecke)
- amd/kvm: do not intercept new MSRs for spectre v2 mitigation (Elena Ufimtseva)
- RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 27422832]  {CVE-2018-5333}
- ACPI: sbshc: remove raw pointer from printk() message (Greg Kroah-Hartman)  [Orabug: 27501257]  {CVE-2018-5750}
- futex: Prevent overflow by strengthen input validation (Li Jinyue) [Orabug: 27539548]  {CVE-2018-6927}
- net: ipv4: add support for ECMP hash policy choice (Venkat Venkatsubra)  [Orabug: 27547114]
- net: ipv4: Consider failed nexthops in multipath routes (David Ahern) [Orabug: 27547114]
- ipv4: L3 hash-based multipath (Peter N&oslash rlund)  [Orabug: 27547114]
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao)  [Orabug: 27677556]  {CVE-2017-18203}
- NFS: only invalidate dentrys that are clearly invalid. (NeilBrown) [Orabug: 27870824]
- net: Improve handling of failures on link and route dumps (David Ahern)  [Orabug: 27959177]
- mm/mempolicy: fix use after free when calling get_mempolicy (zhong jiang)  [Orabug: 27963519]  {CVE-2018-10675}
- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman)   [Orabug: 27963530]  {CVE-2018-8781}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen)  [Orabug: 27963576]  {CVE-2018-10323}
- Revert 'mlx4: change the ICM table allocations to lowest needed size' (H&aring kon Bugge)  [Orabug: 27980030]
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030514]  {CVE-2017-1000410} {CVE-2017-1000410}

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

ID	Name	Product	Family	Severity
124990	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1537)	Nessus	Huawei Local Security Checks	high
123226	openSUSE Security Update : the Linux Kernel (openSUSE-2019-536) (Spectre)	Nessus	SuSE Local Security Checks	high
121966	Photon OS 2.0: Linux PHSA-2018-2.0-0072	Nessus	PhotonOS Local Security Checks	medium
121857	Photon OS 1.0: Linux PHSA-2018-1.0-0161	Nessus	PhotonOS Local Security Checks	medium
120700	Fedora 28 : kernel (2018-ac3b4c7605)	Nessus	Fedora Local Security Checks	medium
112189	Ubuntu 16.04 LTS / 18.04 LTS : linux-azure, linux-oem, linux-gcp vulnerabilities (USN-3752-3)	Nessus	Ubuntu Local Security Checks	high
112113	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)	Nessus	Ubuntu Local Security Checks	high
112110	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3752-2)	Nessus	Ubuntu Local Security Checks	high
112109	Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3752-1)	Nessus	Ubuntu Local Security Checks	high
111956	Photon OS 2.0: Linux PHSA-2018-2.0-0072 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
111943	Photon OS 1.0: Linux PHSA-2018-1.0-0161 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
111414	openSUSE Security Update : the Linux Kernel (openSUSE-2018-762) (Spectre)	Nessus	SuSE Local Security Checks	high
111022	OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0237)	Nessus	OracleVM Local Security Checks	high
110998	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164)	Nessus	Oracle Linux Local Security Checks	high
110583	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4134)	Nessus	Oracle Linux Local Security Checks	medium
110581	OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0231)	Nessus	OracleVM Local Security Checks	medium
110072	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0223) (Spectre)	Nessus	OracleVM Local Security Checks	high
110071	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4114) (Spectre)	Nessus	Oracle Linux Local Security Checks	high
109881	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4110) (Meltdown) (Spectre)	Nessus	Oracle Linux Local Security Checks	high
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high

CVE-2018-10323

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins