http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cabfb3680f78981d26c078a26e5c748531257ebb

103378

https://bugzilla.redhat.com/show_bug.cgi?id=1539599

https://github.com/torvalds/linux/commit/cabfb3680f78981d26c078a26e5c748531257ebb

[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update

[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update

https://patchwork.kernel.org/patch/10187633/

USN-3880-1

USN-3880-2

DSA-4187

DSA-4188

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The Linux kernel has an undefined behavior when an     argument of INT_MIN is passed to the     kernel/signal.c:kill_something_info() function. A local     attacker may be able to exploit this to cause a denial     of service.(CVE-2018-10124)

  - The xfs_dinode_verify function in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel can     cause a NULL pointer dereference in     xfs_ilock_attr_map_shared function. An attacker could     trick a legitimate user or a privileged attacker could     exploit this by mounting a crafted xfs filesystem image     to cause a kernel panic and thus a denial of     service.(CVE-2018-10322)

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - The do_get_mempolicy() function in mm/mempolicy.c in     the Linux kernel allows local users to hit a     use-after-free bug via crafted system calls and thus     cause a denial of service (DoS) or possibly have     unspecified other impact. Due to the nature of the     flaw, privilege escalation cannot be fully ruled     out.(CVE-2018-10675)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bounds write and a     denial of service or unspecified other impact is     possible by mounting and operating a crafted ext4     filesystem image.(CVE-2018-10878)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10881)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the     ext4/mballoc.c:ext4_process_freed_data() function. An     attacker could trick a legitimate user or a privileged     attacker could exploit this by mounting a crafted ext4     image to cause a kernel panic.(CVE-2018-1092)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4     image.(CVE-2018-1094)

  - A flaw was found in the Linux kernel, before 4.16.6     where the cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c allows local attackers to use a     incorrect bounds check in the CDROM driver     CDROM_MEDIA_CHANGED ioctl to read out kernel     memory.(CVE-2018-10940)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel before     4.5.5 does not properly initialize a certain data     structure, which allows attackers to obtain sensitive     information from kernel stack memory via an X.25 Call     Request.(CVE-2016-4580i1/4%0

  - A flaw was found in the Linux kernel's implementation     of seq_file where a local attacker could manipulate     memory in the put() function pointer. This could lead     to memory corruption and possible privileged     escalation.(CVE-2016-7910i1/4%0

  - A flaw was found in the way the Linux kernel's     netfilter subsystem handled generic protocol tracking.
    As demonstrated in the Stream Control Transmission     Protocol (SCTP) case, a remote attacker could use this     flaw to bypass intended iptables rule restrictions when     the associated connection tracking module was not     loaded on the system.(CVE-2014-8160i1/4%0

  - The get_endpoints function in     drivers/usb/misc/usbtest.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16532i1/4%0

  - An integer overflow flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4656i1/4%0

  - The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in     the Linux kernel through 4.16.12 allows local users to     cause a denial of service (stack-based buffer overflow)     or possibly have unspecified other impact because sense     buffers have different sizes at the CDROM layer and the     SCSI layer.(CVE-2018-11506i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729i1/4%0

  - The Linux kernel before version 4.11 is vulnerable to a     NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response is mishandled during session     recovery.(CVE-2018-1066i1/4%0

  - drivers/hid/hid-sensor-hub.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_SENSOR_HUB is enabled, allows     physically proximate attackers to obtain sensitive     information from kernel memory via a crafted     device.(CVE-2013-2898i1/4%0

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. A buffer overflow in     truncate_inline_inode() in the fs/f2fs/inline.c     function, when umounting a crafted f2fs image, can     occur because a length value may be     negative.(CVE-2018-14615i1/4%0

  - The help function in net/netfilter/nf_nat_irc.c in the     Linux kernel before 3.12.8 allows remote attackers to     obtain sensitive information from kernel memory by     establishing an IRC DCC session in which incorrect     packet data is transmitted during use of the NAT mangle     feature.(CVE-2014-1690i1/4%0

  - It was found that the Linux kernel's keys subsystem did     not correctly garbage collect uninstantiated keyrings.
    A local attacker could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-7872i1/4%0

  - The TCP stack in the Linux kernel 3.x does not properly     implement a SYN cookie protection mechanism for the     case of a fast network connection, which allows remote     attackers to cause a denial of service (CPU     consumption) by sending many TCP SYN packets, as     demonstrated by an attack against the kernel-3.10.0     package in CentOS Linux 7. NOTE: third parties have     been unable to discern any relationship between the     GitHub Engineering finding and the Trigemini.c attack     code.(CVE-2017-5972i1/4%0

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact by sending a XFRM_MSG_MIGRATE netlink     message. This flaw is present in the Linux kernel since     an introduction of XFRM_MSG_MIGRATE in 2.6.21-rc1, up     to 4.13-rc3.(CVE-2017-11600i1/4%0

  - A use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the     system.(CVE-2016-10200i1/4%0

  - A flaw was found in the way the Linux kernel's VFS     subsystem handled file system locks. A local,     unprivileged user could use this flaw to trigger a     deadlock in the kernel, causing a denial of service on     the system.(CVE-2014-8559i1/4%0

  - Multiple buffer overflows in     drivers/staging/wlags49_h2/wl_priv.c in the Linux     kernel before 3.12 allow local users to cause a denial     of service or possibly have unspecified other impact by     leveraging the CAP_NET_ADMIN capability and providing a     long station-name string, related to the (1)     wvlan_uil_put_info and (2) wvlan_set_station_nickname     functions.(CVE-2013-4514i1/4%0

  - The udl_fb_mmap function in     drivers/gpu/drm/udl/udl_fb.c at the Linux kernel     version 3.4 and up to and including 4.15 has an     integer-overflow vulnerability allowing local users     with access to the udldrmfb driver to obtain full read     and write permissions on kernel physical pages,     resulting in a code execution in kernel     space.(CVE-2018-8781i1/4%0

  - A flaw was discovered in the Linux kernel where issuing     certain ioctl() -s commands to the '/dev/ppp' device     file could lead to a NULL pointer dereference. A     privileged user could use this flaw to cause a kernel     crash and denial of service.(CVE-2015-7799i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - ib_core: initialize shpd field when allocating 'struct     ib_pd' (Mukesh Kacker) [Orabug: 29384815]

  - Revert 'x86/apic: Make arch_setup_hwirq NUMA node aware'     (Brian Maly) [Orabug: 29542185]

  - qlcnic: fix Tx descriptor corruption on 82xx devices     (Shahed Shaikh) [Orabug: 27708787]

  - block: Fix a race between blk_cleanup_queue and timeout     handling (Bart Van Assche) [Orabug: 29158186]

  - can: gw: ensure DLC boundaries after CAN frame     modification (Oliver Hartkopp) [Orabug: 29215299]     (CVE-2019-3701) (CVE-2019-3701)

  - CIFS: Enable encryption during session setup phase     (Pavel Shilovsky) [Orabug: 29338239] (CVE-2018-1066)

  - ext4: clear i_data in ext4_inode_info when removing     inline data (Theodore Ts'o) [Orabug: 29540709]     (CVE-2018-10881) (CVE-2018-10881)

  - ext4: add more inode number paranoia checks (Theodore     Ts'o) [Orabug: 29545566] (CVE-2018-10882)     (CVE-2018-10882)

  - Revert 'KVM: nVMX: Eliminate vmcs02 pool' (Boris     Ostrovsky) [Orabug: 29542029]

  - Revert 'KVM: VMX: introduce alloc_loaded_vmcs' (Boris     Ostrovsky) [Orabug: 29542029]

  - Revert 'KVM: VMX: make MSR bitmaps per-VCPU' (Boris     Ostrovsky) [Orabug: 29542029]

  - Revert 'KVM: x86: pass host_initiated to functions that     read MSRs' (Boris Ostrovsky) [Orabug: 29542029]

  - Revert 'KVM/x86: Add IBPB support' (Boris Ostrovsky)     [Orabug: 29542029]

  - Revert 'KVM/VMX: Allow direct access to     MSR_IA32_SPEC_CTRL - reloaded' (Boris Ostrovsky)     [Orabug: 29542029]

  - Revert 'KVM/SVM: Allow direct access to     MSR_IA32_SPEC_CTRL' (Boris Ostrovsky) [Orabug: 29542029]

  - Revert 'KVM: SVM: Add MSR-based feature support for     serializing LFENCE' (Boris Ostrovsky) [Orabug: 29542029]

  - Revert 'x86/cpufeatures: rename X86_FEATURE_AMD_SSBD to     X86_FEATURE_LS_CFG_SSBD' (Boris Ostrovsky) [Orabug:
    29542029]

  - Revert 'x86/bugs: Add AMD's SPEC_CTRL MSR usage' (Boris     Ostrovsky) [Orabug: 29542029]

  - Revert 'x86/bugs: Fix the AMD SSBD usage of the     SPEC_CTRL MSR' (Boris Ostrovsky) [Orabug: 29542029]

  - arch: x86: remove unsued SET_IBPB from spec_ctrl.h     (Mihai Carabas) [Orabug: 29336760]

  - x86: cpu: microcode: fix late loading SpectreV2 bugs     eval (Mihai Carabas) [Orabug: 29336760]

  - x86: cpu: microcode: fix late loading SSBD and L1TF bugs     eval (Mihai Carabas) [Orabug: 29336760]

  - x86: cpu: microcode: Re-evaluate bugs in a CPU after     microcode loading (Mihai Carabas) [Orabug: 29336760]

  - x86: cpu: microcode: update flags for all cpus (Mihai     Carabas) [Orabug: 29336760]

  - x86/apic: Make arch_setup_hwirq NUMA node aware (Henry     Willard) [Orabug: 29292411]

Description of changes:

[4.1.12-124.26.7.el7uek]
- ib_core: initialize shpd field when allocating 'struct ib_pd' (Mukesh Kacker) [Orabug: 29384815] - Revert 'x86/apic: Make arch_setup_hwirq NUMA node aware' (Brian Maly) [Orabug: 29542185] - qlcnic: fix Tx descriptor corruption on 82xx devices (Shahed Shaikh) [Orabug: 27708787] 
- block: Fix a race between blk_cleanup_queue() and timeout handling (Bart Van Assche) [Orabug: 29158186] - can: gw: ensure DLC boundaries after CAN frame modification (Oliver Hartkopp) [Orabug: 29215299] {CVE-2019-3701} {CVE-2019-3701}
- CIFS: Enable encryption during session setup phase (Pavel Shilovsky) [Orabug: 29338239] {CVE-2018-1066}
- ext4: clear i_data in ext4_inode_info when removing inline data (Theodore Ts'o) [Orabug: 29540709] {CVE-2018-10881} {CVE-2018-10881}
- ext4: add more inode number paranoia checks (Theodore Ts'o) [Orabug: 29545566] {CVE-2018-10882} {CVE-2018-10882}
- Revert 'KVM: nVMX: Eliminate vmcs02 pool' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM: VMX: introduce alloc_loaded_vmcs' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM: VMX: make MSR bitmaps per-VCPU' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM: x86: pass host_initiated to functions that read MSRs' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM/x86: Add IBPB support' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'KVM: SVM: Add MSR-based feature support for serializing LFENCE' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'x86/cpufeatures: rename X86_FEATURE_AMD_SSBD to X86_FEATURE_LS_CFG_SSBD' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'x86/bugs: Add AMD's SPEC_CTRL MSR usage' (Boris Ostrovsky) [Orabug: 29542029] - Revert 'x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR' (Boris Ostrovsky) [Orabug: 29542029] - arch: x86: remove unsued SET_IBPB from spec_ctrl.h (Mihai Carabas) [Orabug: 29336760] - x86: cpu: microcode: fix late loading SpectreV2 bugs eval (Mihai Carabas) [Orabug: 29336760] - x86: cpu: microcode: fix late loading SSBD and L1TF bugs eval (Mihai Carabas) [Orabug: 29336760] - x86: cpu: microcode: Re-evaluate bugs in a CPU after microcode loading (Mihai Carabas) [Orabug: 29336760] - x86: cpu: microcode: update flags for all cpus (Mihai Carabas) [Orabug: 29336760]

[4.1.12-124.26.6.el7uek]
- x86/apic: Make arch_setup_hwirq NUMA node aware (Henry Willard) [Orabug: 29292411]

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Missing check in fs/inode.c:inode_init_owner() does not     clear SGID bit on non-directories for     non-members.(CVE-2018-13405)

  - A null pointer dereference in dccp_write_xmit()     function in net/dccp/output.c in the Linux kernel     allows a local user to cause a denial of service by a     number of certain crafted system calls.(CVE-2018-1130)

  - A flaw was found in the Linux kernel, before 4.16.6     where the cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c allows local attackers to use a     incorrect bounds check in the CDROM driver     CDROM_MEDIA_CHANGED ioctl to read out kernel     memory.(CVE-2018-10940)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

  - fuse-backed file mmap-ed onto process cmdline arguments     causes denial of service.(CVE-2018-1120)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A vulnerability was found in the Linux kernel's     kernel/events/core.c:perf_cpu_time_max_percent_handler(     ) function. Local privileged users could exploit this     flaw to cause a denial of service due to integer     overflow or possibly have unspecified other     impact.(CVE-2017-18255)

  - A flaw was found in the Linux kernel in the way a local     user could create keyrings for other users via keyctl     commands. This may allow an attacker to set unwanted     defaults, a denial of service, or possibly leak keyring     information between users.(CVE-2017-18270)

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.(CVE-2017-7889)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - A flaw was found in the alarm_timer_nsleep() function     in kernel/time/alarmtimer.c in the Linux kernel. The     ktime_add_safe() function is not used and an integer     overflow can happen causing an alarm not to fire or     possibly a denial-of-service if using a large relative     timeout.(CVE-2018-13053)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service.(CVE-2018-13094)

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the CIFS client implementation in the Linux kernel did not properly handle setup negotiation during session recovery, leading to a NULL pointer exception. An attacker could use this to create a malicious CIFS server that caused a denial of service (client system crash). (CVE-2018-1066)

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)

It was discovered that the socket implementation in the Linux kernel contained a type confusion error that could lead to memory corruption.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-9568).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - In the Linux Kernel before version 4.15.8, 4.14.25,     4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

  - ALSA sequencer core initializes the event pool on     demand by invoking snd_seq_pool_init() when the first     write happens and the pool is empty. A user can reset     the pool size manually via ioctl concurrently, and this     may lead to UAF or out-of-bound access.(CVE-2018-7566)

  - A flaw was found in the Linux kernel's implementation     of 32-bit syscall interface for bridging. This allowed     a privileged user to arbitrarily write to a limited     range of kernel memory.(CVE-2018-1068)

  - A vulnerability was found in the Linux kernel's     kernel/events/core.c:perf_cpu_time_max_percent_handler(     ) function. Local privileged users could exploit this     flaw to cause a denial of service due to integer     overflow or possibly have unspecified other     impact.(CVE-2017-18255)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The previous update to linux failed to build for the armhf (ARM EABI hard-float) architecture. This update corrects that. For all other architectures, there is no need to upgrade or reboot again. For reference, the relevant part of the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using new microcoded features.

This mitigation requires an update to the processor's microcode, which is non-free. For recent Intel processors, this is included in the intel-microcode package from version 3.20180425.1~deb8u1. For other processors, it may be included in an update to the system BIOS or UEFI firmware, or in a later update to the amd64-microcode package.

This vulnerability was already mitigated for the x86 architecture by the 'retpoline' feature.

CVE-2017-5753

Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated.

CVE-2018-1066

Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a NULL pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service.

The previously applied mitigation for this issue was not appropriate for Linux 3.16 and has been replaced by an alternate fix.

CVE-2018-1093

Wen Xu reported that a crafted ext4 filesystem image could trigger an out-of-bounds read in the ext4_valid_block_bitmap() function. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-1130

The syzbot software found that the DCCP implementation of sendmsg() does not check the socket state, potentially leading to a NULL pointer dereference. A local user could use this to cause a denial of service (crash). 

CVE-2018-3665

Multiple researchers have discovered that some Intel x86 processors can speculatively read floating-point and vector registers even when access to those registers is disabled. The Linux kernel's 'lazy FPU' feature relies on that access control to avoid saving and restoring those registers for tasks that do not use them, and was enabled by default on x86 processors that do not support the XSAVEOPT instruction.

If 'lazy FPU' is enabled on one of the affected processors, an attacker controlling an unprivileged process may be able to read sensitive information from other users' processes or the kernel. This specifically affects processors based on the 'Nehalem' and 'Westemere' core designs. This issue has been mitigated by disabling 'lazy FPU' by default on all x86 processors that support the FXSAVE and FXRSTOR instructions, which includes all processors known to be affected and most processors that perform speculative execution. It can also be mitigated by adding the kernel parameter: eagerfpu=on

CVE-2018-5814

Jakub Jirasek reported race conditions in the USB/IP host driver. A malicious client could use this to cause a denial of service (crash or memory corruption), and possibly to execute code, on a USB/IP server.

CVE-2018-9422

It was reported that the futex() system call could be used by an unprivileged user for privilege escalation.

CVE-2018-10853

Andy Lutomirski and Mika Penttil&auml; reported that KVM for x86 processors did not perform a necessary privilege check when emulating certain instructions. This could be used by an unprivileged user in a guest VM to escalate their privileges within the guest.

CVE-2018-10940

Dan Carpenter reported that the optical disc driver (cdrom) does not correctly validate the parameter to the CDROM_MEDIA_CHANGED ioctl. A user with access to a cdrom device could use this to cause a denial of service (crash).

CVE-2018-11506

Piotr Gabriel Kosinski and Daniel Shapira reported that the SCSI optical disc driver (sr) did not allocate a sufficiently large buffer for sense data. A user with access to a SCSI optical disc device that can produce more than 64 bytes of sense data could use this to cause a denial of service (crash or memory corruption), and possibly for privilege escalation.

CVE-2018-12233

Shankara Pailoor reported that a crafted JFS filesystem image could trigger a denial of service (memory corruption). This could possibly also be used for privilege escalation.

CVE-2018-1000204

The syzbot software found that the SCSI generic driver (sg) would in some circumstances allow reading data from uninitialised buffers, which could include sensitive information from the kernel or other tasks. However, only privileged users with the CAP_SYS_ADMIN or CAP_SYS_RAWIO capability were allowed to do this, so this has little or no security impact.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.57-1. This update additionally fixes Debian bug #898165, and includes many more bug fixes from stable update 3.16.57.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can     exploit this vulnerability in the host machine, causing     a crash in the network card.(CVE-2018-1000026)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service :

An error in the '_sctp_make_chunk()' function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS.
(CVE-2018-5803)

Mishandling mutex within libsas allowing local Denial of Service

The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code. (CVE-2017-18232)

A flaw was found in the Linux kernel's client-side implementation of the cifs protocol. This flaw allows an attacker controlling the server to kernel panic a client which has the CIFS server mounted.(CVE-2018-1066)

The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-1068: Fixed flaw in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2017-18221: The __munlock_pagevec function allowed     local users to cause a denial of service (NR_MLOCK     accounting corruption) via crafted use of mlockall and     munlockall system calls (bnc#1084323).

  - CVE-2018-1066: Prevent NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response was mishandled during session recovery     (bnc#1083640).

  - CVE-2017-13166: Prevent elevation of privilege     vulnerability in the kernel v4l2 video driver     (bnc#1072865).

  - CVE-2017-16911: The vhci_hcd driver allowed local     attackers to disclose kernel memory addresses.
    Successful exploitation required that a USB device was     attached over IP (bnc#1078674).

  - CVE-2017-15299: The KEYS subsystem mishandled use of     add_key for a key that already exists but is     uninstantiated, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted system call (bnc#1063416).

  - CVE-2017-18208: The madvise_willneed function kernel     allowed local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping (bnc#1083494).

  - CVE-2018-7566: The ALSA sequencer core initializes the     event pool on demand by invoking snd_seq_pool_init()     when the first write happens and the pool is empty. A     user could have reset the pool size manually via ioctl     concurrently, which may have lead UAF or out-of-bound     access (bsc#1083483).

  - CVE-2017-18204: The ocfs2_setattr function allowed local     users to cause a denial of service (deadlock) via DIO     requests (bnc#1083244).

  - CVE-2017-16644: The hdpvr_probe function allowed local     users to cause a denial of service (improper error     handling and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function allowed     attackers to cause a denial of service (integer     overflow) or possibly have unspecified other impact by     triggering a negative wake or requeue value     (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     allowed attackers to cause a denial of service (NULL     pointer dereference) via a specially crafted USB over IP     packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function allowed     physically proximate attackers to obtain sensitive     information from kernel memory or cause a denial of     service (out-of-bounds read) by connecting a device     (bnc#1010470).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions did unbalanced refcounting when a SCSI I/O     vector had small consecutive buffers belonging to the     same page. The bio_add_pc_page function merged them into     one, but the page reference was never dropped. This     caused a memory leak and possible system lockup     (exploitable against the host OS by a guest OS user, if     a SCSI disk is passed through to a virtual machine) due     to an out-of-memory condition (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function allowed     attackers to cause a denial of service (out-of-bounds     read) via a specially crafted USB over IP packet     (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     when handling CMD_SUBMIT packets allowed attackers to     cause a denial of service (arbitrary memory allocation)     via a specially crafted USB over IP packet     (bnc#1078672).

  - CVE-2018-5332: The rds_message_alloc_sgs() function did     not validate a value that is used during DMA page     allocation, leading to a heap-based out-of-bounds write     (related to the rds_rdma_extra_size function in     net/rds/rdma.c) (bnc#1075621).

  - CVE-2018-5333: The rds_cmsg_atomic function in     net/rds/rdma.c mishandled cases where page pinning fails     or an invalid address is supplied, leading to an     rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function     allowed remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-1068: Fixed flaw in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2017-18221: The __munlock_pagevec function allowed     local users to cause a denial of service (NR_MLOCK     accounting corruption) via crafted use of mlockall and     munlockall system calls (bnc#1084323).

  - CVE-2018-1066: Prevent NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response was mishandled during session recovery     (bnc#1083640).

  - CVE-2017-13166: Prevent elevation of privilege     vulnerability in the kernel v4l2 video driver     (bnc#1072865).

  - CVE-2017-16911: The vhci_hcd driver allowed local     attackers to disclose kernel memory addresses.
    Successful exploitation required that a USB device was     attached over IP (bnc#1078674).

  - CVE-2017-15299: The KEYS subsystem mishandled use of     add_key for a key that already exists but is     uninstantiated, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted system call (bnc#1063416).

  - CVE-2017-18208: The madvise_willneed function kernel     allowed local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping (bnc#1083494).

  - CVE-2018-7566: The ALSA sequencer core initializes the     event pool on demand by invoking snd_seq_pool_init()     when the first write happens and the pool is empty. A     user could have reset the pool size manually via ioctl     concurrently, which may have lead UAF or out-of-bound     access (bsc#1083483).

  - CVE-2017-18204: The ocfs2_setattr function allowed local     users to cause a denial of service (deadlock) via DIO     requests (bnc#1083244).

  - CVE-2017-16644: The hdpvr_probe function allowed local     users to cause a denial of service (improper error     handling and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function allowed     attackers to cause a denial of service (integer     overflow) or possibly have unspecified other impact by     triggering a negative wake or requeue value     (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     allowed attackers to cause a denial of service (NULL     pointer dereference) via a specially crafted USB over IP     packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function allowed     physically proximate attackers to obtain sensitive     information from kernel memory or cause a denial of     service (out-of-bounds read) by connecting a device     (bnc#1010470).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions did unbalanced refcounting when a SCSI I/O     vector had small consecutive buffers belonging to the     same page. The bio_add_pc_page function merged them into     one, but the page reference was never dropped. This     caused a memory leak and possible system lockup     (exploitable against the host OS by a guest OS user, if     a SCSI disk is passed through to a virtual machine) due     to an out-of-memory condition (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function allowed     attackers to cause a denial of service (out-of-bounds     read) via a specially crafted USB over IP packet     (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     when handling CMD_SUBMIT packets allowed attackers to     cause a denial of service (arbitrary memory allocation)     via a specially crafted USB over IP packet     (bnc#1078672).

  - CVE-2018-5332: The rds_message_alloc_sgs() function did     not validate a value that is used during DMA page     allocation, leading to a heap-based out-of-bounds write     (related to the rds_rdma_extra_size function in     net/rds/rdma.c) (bnc#1075621).

  - CVE-2018-5333: The rds_cmsg_atomic function in     net/rds/rdma.c mishandled cases where page pinning fails     or an invalid address is supplied, leading to an     rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function     allowed remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
130736	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)	Nessus	Huawei Local Security Checks	critical
124830	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1507)	Nessus	Huawei Local Security Checks	high
124798	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1474)	Nessus	Huawei Local Security Checks	high
124637	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0014)	Nessus	OracleVM Local Security Checks	high
123631	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4596)	Nessus	Oracle Linux Local Security Checks	high
122414	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062)	Nessus	Huawei Local Security Checks	high
121598	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3880-1)	Nessus	Ubuntu Local Security Checks	high
117569	EulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1260)	Nessus	Huawei Local Security Checks	high
111082	Debian DLA-1422-2 : linux security update (Spectre)	Nessus	Debian Local Security Checks	high
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical
109483	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1085)	Nessus	Huawei Local Security Checks	high
109183	Amazon Linux AMI : kernel (ALAS-2018-993)	Nessus	Amazon Linux Local Security Checks	high
108748	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0848-1)	Nessus	SuSE Local Security Checks	critical
108705	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)	Nessus	SuSE Local Security Checks	critical

CVE-2018-1066

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins