openSUSE-SU-2019:2173

openSUSE-SU-2019:2181

http://packetstormsecurity.com/files/155890/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.5

https://github.com/torvalds/linux/commit/56897b217a1d0a91c9920cb418d6b3fe922f590a

[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update

[debian-lts-announce] 20200302 [SECURITY] [DLA 2114-1] linux-4.9 security update

20200109 [slackware-security] Slackware 14.2 kernel (SSA:2020-008-01)

https://security.netapp.com/advisory/ntap-20191004-0001/

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Heap-based buffer overflow     in the udf_load_logicalvol function in fs/udf/super.c     in the Linux kernel before 3.4.5 allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a crafted     UDF filesystem.(CVE-2012-3400)The     mmc_ioctl_cdrom_read_data function in     drivers/cdrom/cdrom.c in the Linux kernel through 3.10     allows local users to obtain sensitive information from     kernel memory via a read operation on a malfunctioning     CD-ROM drive.(CVE-2013-2164)The     sctp_sf_do_5_2_4_dupcook function in     net/sctp/sm_statefuns.c in the SCTP implementation in     the Linux kernel before 3.8.5 does not properly handle     associations during the processing of a duplicate     COOKIE ECHO chunk, which allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via crafted SCTP traffic.(CVE-2013-2206)The (1)     get_user and (2) put_user API functions in the Linux     kernel before 3.5.5 on the v6k and v7 ARM platforms do     not validate certain addresses, which allows attackers     to read or modify the contents of arbitrary kernel     memory locations via a crafted application, as     exploited in the wild against Android devices in     October and November 2013.(CVE-2013-6282)An issue was     discovered in the Linux kernel before 4.20. There is a     race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free.(CVE-2018-20836)The Siemens     R3964 line discipline driver in drivers/tty/n_r3964.c     in the Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The Linux kernel before     5.1-rc5 allows page->_refcount reference count     overflow, with resultant use-after-free issues, if     about 140 GiB of RAM exists. This is related to     fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It     can occur with FUSE requests.(CVE-2019-11487)The     coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly     have unspecified other impact by triggering a race     condition with mmget_not_zero or get_task_mm calls.
    This is related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A     n issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes     a Denial of Service, related to a     use-after-free.(CVE-2019-11810)An issue was discovered     in the Linux kernel before 5.0.4. There is a     use-after-free upon attempted read access to     /proc/ioports after the ipmi_si module is removed,     related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A     flaw was found in the Linux kernel's handle_rx()     function in the [vhost_net] driver. A malicious virtual     guest, under specific conditions, can trigger an     out-of-bounds write in a kmalloc-8 slab on a virtual     host which may lead to a kernel memory corruption and a     system panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out. Versions from     v4.16 and newer are vulnerable.(CVE-2018-16880)An issue     was discovered in rds_tcp_kill_sock in net/rds/tcp.c in     the Linux kernel before 5.0.8. There is a race     condition leading to a use-after-free, related to net     namespace cleanup.(CVE-2019-11815)A flaw was found in     the Linux kernel in the function     hid_debug_events_read() in drivers/hid/hid-debug.c file     which may enter an infinite loop with certain     parameters passed from a userspace. A local privileged     user ('root') can cause a system lock up and a denial     of service. Versions from v4.18 and newer are     vulnerable.(CVE-2019-3819)A flaw was found in the Linux     kernel's vfio interface implementation that permits     violation of the user's locked memory limit. If a     device is bound to a vfio driver, such as vfio-pci, and     the local attacker is administratively granted     ownership of the device, it may cause a system memory     exhaustion and thus a denial of service (DoS). Versions     3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An     infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It     could occur if one end sends packets faster than the     other end can process them. A guest user, maybe remote     one, could use this flaw to stall the vhost_net kernel     thread, resulting in a DoS scenario.(CVE-2019-3900)In     the Linux Kernel before versions 4.20.8 and 4.19.21 a     use-after-free error in the 'sctp_sendmsg()' function     (net/sctp/socket.c) when handling SCTP_SENDALL flag can     be exploited to corrupt memory.(CVE-2019-8956)A flaw     was found in the Linux kernel's implementation of ext4     extent management. The kernel doesn't correctly     initialize memory regions in the extent tree block     which may be exported to a local user to obtain     sensitive information by reading empty/uninitialized     data from the filesystem.(CVE-2019-11833)An issue was     discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)An issue was     discovered in the efi subsystem in the Linux kernel     through 5.1.5. phys_efi_set_virtual_address_map in     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in     arch/x86/platform/efi/efi_64.c mishandle memory     allocation failures. NOTE: This id is disputed as not     being an issue because ?All the code touched by the     referenced commit runs only at boot, before any user     processes are started. Therefore, there is no     possibility for an unprivileged user to control     it.(CVE-2019-12380)An issue was discovered in the Linux     kernel before 5.2.3. An out of bounds access exists in     the function hclge_tm_schd_mode_vnet_base_cfg in the     file drivers     et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019-     15925)An issue was discovered in     dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop-i1/4zname, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     net/ipv4/sysctl_net_ipv4.c in the Linux kernel before     5.0.11. There is a net/ipv4/tcp_input.c signed integer     overflow in tcp_ack_update_rtt() when userspace writes     a very large integer to     /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in     the way PTRACE_TRACEME functionality was handled in the     Linux kernel. The kernel's implementation of ptrace can     inadvertently grant elevated permissions to an attacker     who can then abuse the relationship between the tracer     and the process being traced. This flaw could allow a     local, unprivileged user to increase their privileges     on the system or cause a denial of     service.(CVE-2019-13272)An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)An issue was discovered in     ip_ra_control in net/ipv4/ip_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: this is disputed because new_ra is never used if     it is NULL.(CVE-2019-12381)An issue was discovered in     sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c     in the Linux kernel through 5.1.5. There is an     unchecked kstrndup of derived_name, which might allow     an attacker to cause a denial of service (NULL pointer     dereference and system crash). NOTE: This id is     disputed as not being an issue because 'The memory     allocation that was not checked is part of a code that     only runs at boot time, before user processes are     started. Therefore, there is no possibility for an     unprivileged user to control it, and no denial of     service.'.(CVE-2019-12455)An issue was discovered in     the MPT3COMMAND case in _ctl_ioctl_main in     drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel     through 5.1.5. It allows local users to cause a denial     of service or possibly have unspecified other impact by     changing the value of ioc_number between two kernel     reads of that value, aka a ''double fetch''     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in     the Linux kernel through 5.1.6. There is an unchecked     kstrdup_const of node_info-i1/4zvdev_port.name, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system     crash).(CVE-2019-12615)In parse_hid_report_descriptor     in drivers/input/tablet/gtco.c in the Linux kernel     through 5.2.1, a malicious USB device can send an HID     report that triggers an out-of-bounds write during     generation of debugging messages.(CVE-2019-13631)A     vulnerability was found in the Linux kernelaEURtms floppy     disk driver implementation. A local attacker with     access to the floppy device could call set_geometry in     drivers/block/floppy.c, which does not validate the     sect and head fields, causing an integer overflow and     out-of-bounds read. This flaw may crash the system or     allow an attacker to gather information causing     subsequent successful     attacks.(CVE-2019-14283)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)An issue was discovered in     the Linux kernel before 5.2.6. There is a     use-after-free caused by a malicious USB device in the     drivers/media/v4l2-core/v4l2-dev.c driver because     drivers/media/radio/radio-raremono.c does not properly     allocate memory.(CVE-2019-15211)An issue was discovered     in the Linux kernel before 5.0.10. There is a     use-after-free in the sound subsystem because card     disconnection causes certain data structures to be     deleted too early. This is related to sound/core/init.c     and sound/core/info.c.(CVE-2019-15214)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.2.1. There is a use-after-free     caused by a malicious USB device in the     driverset/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue     was discovered in the Linux kernel before 5.0.9. There     is a use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)An issue was discovered in the     Linux kernel before 5.0.19. There is an out-of-bounds     array access in __xfrm_policy_unlink, which will cause     denial of service, because verify_newpolicy_info in     net/xfrm/xfrm_user.c mishandles directory     validation.(CVE-2019-15666)In the Linux kernel before     5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)An issue was discovered in the     Linux kernel before 5.0.5. There is a use-after-free     issue when hci_uart_register_dev() fails in     hci_uart_set_proto() in     drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue     was discovered in the Linux kernel before 5.0.10.
    SMB2_write in fs/cifs/smb2pdu.c has a     use-after-free.(CVE-2019-15919)An issue was discovered     in the Linux kernel before 5.0.10. SMB2_read in     fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was     not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog,     which documents a memory leak.(CVE-2019-15920)An issue     was discovered in the Linux kernel before 5.0.4. The 9p     filesystem did not protect i_size_write() properly,     which causes an i_size_read() infinite loop and denial     of service on SMP systems.(CVE-2019-16413)An issue was     discovered in can_can_gw_rcv in net/can/gw.c in the     Linux kernel through 4.19.13. The CAN frame     modification rules allow bitwise logical operations     that can be also applied to the can_dlc field. Because     of a missing check, the CAN drivers may write arbitrary     content beyond the data registers in the CAN     controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection     fault).(CVE-2019-3701)A flaw was found in the Linux     kernel's Marvell wifi chip driver. A heap overflow in     mwifiex_update_bss_desc_with_ie function in     marvell/mwifiex/scan.c allows remote attackers to cause     a denial of service(system crash) or execute arbitrary     code.(CVE-2019-3846)A new software page cache side     channel attack scenario was discovered in operating     systems that implement the very common 'page cache'     caching mechanism. A malicious user/process could use     'in memory' page-cache knowledge to infer access     timings to shared memory and gain knowledge which can     be used to reduce effectiveness of cryptographic     strength by monitoring algorithmic behavior, infer     access patterns of memory to determine code paths     taken, and exfiltrate data to a blinded attacker     through page-granularity access times as a     side-channel.(CVE-2019-5489)In the Android kernel in     the video driver there is a kernel pointer leak due to     a WARN_ON statement. This could lead to local     information disclosure with System execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9455)A vulnerability was found     in the arch/x86/lib/insn-eval.c function in the Linux     kernel. An attacker could corrupt the memory due to a     flaw in use-after-free access to an LDT entry caused by     a race condition between modify_ldt() and a #BR     exception for an MPX bounds violation.(CVE-2019-13233)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-13093, CVE-2018-13094

Wen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash).

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-2215

The syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.

CVE-2019-10220

Various developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.

The kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.

CVE-2019-14615

It was discovered that Intel 9th and 10th generation GPUs did not clear user-visible state during a context switch, which resulted in information leaks between GPU tasks. This has been mitigated in the i915 driver.

The affected chips (gen9 and gen10) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_proces sing_units#Gen9>.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14895, CVE-2019-14901

ADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-14896, CVE-2019-14897

ADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.

CVE-2019-15098

Hui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15217

The syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15291

The syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15505

The syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-16746

It was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056

Ori Nimron reported that various network protocol implementations

  - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed     all users to create raw sockets. A local user could use     this to send arbitrary packets on networks using those     protocols.

CVE-2019-17075

It was found that the cxgb4 Infiniband driver requested DMA (Direct Memory Access) to a stack-allocated buffer, which is not supported and on some systems can result in memory corruption of the stack. A local user might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-17133

Nicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-17666

Nicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.

CVE-2019-18282

Jonathan Berger, Amit Klein, and Benny Pinkas discovered that the generation of UDP/IPv6 flow labels used a weak hash function, 'jhash'.
This could enable tracking individual computers as they communicate with different remote servers and from different networks. The 'siphash' function is now used instead.

CVE-2019-18683

Multiple race conditions were discovered in the vivid media driver, used for testing Video4Linux2 (V4L2) applications, These race conditions could result in a use-after-free. On a system where this driver is loaded, a user with permission to access media devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-18809

Navid Emamdoost discovered a potential memory leak in the af9005 media driver if the device fails to respond to a command. The security impact of this is unclear.

CVE-2019-19037

It was discovered that the ext4 filesystem driver did not correctly handle directories with holes (unallocated regions) in them. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (crash).

CVE-2019-19051

Navid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.

CVE-2019-19052

Navid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.

CVE-2019-19056, CVE-2019-19057

Navid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.

CVE-2019-19062

Navid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).

CVE-2019-19066

Navid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.

CVE-2019-19068

Navid Emamdoost discovered a potential memory leak in the rtl8xxxu wifi driver, in case it fails to submit an interrupt buffer to the device. The security impact of this is unclear.

CVE-2019-19227

Dan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.

CVE-2019-19332

The syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19447

It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19523

The syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19524

The syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19525

The syzkaller tool discovered a use-after-free bug in the atusb driver for IEEE 802.15.4 networking. An attacker able to add and remove USB devices could possibly use this to cause a denial of service (memory corruption or crash) or for privilege escalation.

CVE-2019-19527

The syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19530

The syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19531

The syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19532

The syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19533

The syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.

CVE-2019-19534, CVE-2019-19535, CVE-2019-19536

The syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19537

The syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19767

The syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-19947

It was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.

CVE-2019-19965

Gao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).

CVE-2019-20096

The Hulk Robot tool discovered a potential memory leak in the DCCP protocol implementation. This may be exploitable by local users, or by remote attackers if the system uses DCCP, to cause a denial of service (out of memory).

For Debian 8 'Jessie', these problems have been fixed in version 4.9.210-1~deb8u1. This update additionally fixes Debian bugs #869511 and 945023; and includes many more bug fixes from stable updates 4.9.190-4.9.210 inclusive.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix security issues.

This update for the Linux Kernel 3.12.74-60_64_124 fixes several issues.

The following security issues were fixed :

CVE-2019-15917: Fixed a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bsc#1156334).

CVE-2019-17133: Fixed Buffer Overflow to reject long SSID IE in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c(bsc#1153161).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.74-60_64_110 fixes several issues.

The following security issues were fixed :

CVE-2019-15917: Fixed a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bsc#1156334).

CVE-2019-10220: Fixed Samba servers that can inject relative paths in directory entry lists (bsc#1153108).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could have used this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).

CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).

CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).

CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).

CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bnc#1149626).

CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).

CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).

CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).

CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).

CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).

CVE-2019-14815: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code.
(bsc#1146514)

CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).

CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS (bnc#1148093).

  - Update reference for ath6kl fix     (CVE-2019-15290,bsc#1146543).

  - Update reference for ath6kl fix     (CVE-2019-15290,bsc#1146543).

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146368).

CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).

CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).

CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).

CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the qedi_dbg_* family of functions, there is an out-of-bounds read (bnc#1146399).

CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).

CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).

CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).

CVE-2019-10207: Bluetooth/hci_uart was missing a check for tty operations (bsc#1142857).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 for Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540).

CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements the coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).

CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).

CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permitted sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation.
This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and injected arbitrary ciphertext without the victim noticing (bnc#1137865 bnc#1146042).

CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could have used this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-15216: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1146361).

CVE-2019-15924: fm10k_init_module in drivers/net/ethernet/intel/fm10k/fm10k_main.c had a NULL pointer dereference because there was no -ENOMEM upon an alloc_workqueue failure (bnc#1149612).

CVE-2019-9456: In the Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have led to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1150025).

CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE was misused in arch/powerpc/kernel/process.c (bnc#1149713).

CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user could have read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check (bnc#1149713).

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bnc#1149626).

CVE-2019-15921: There was a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c (bnc#1149602).

CVE-2018-21008: A use-after-free could have been caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free (bnc#1149552).

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c (bnc#1149539).

CVE-2019-15926: An out-of-bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c (bnc#1149527).

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit in the file sound/usb/mixer.c (bnc#1149522).

CVE-2019-15902: Misuse of the upstream 'x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()' commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandled directory validation (bnc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver (bnc#1146524).

CVE-2019-14814: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).

CVE-2019-14815: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code.
(bsc#1146514)

CVE-2019-14816: There was a heap-based buffer overflow in the Marvell wifi chip driver, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver (bnc#1146526).

CVE-2019-15538: An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS (bnc#1148093).

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15098: drivers/net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor (bnc#1146378).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver (bnc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c (bnc#1146678).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver (bnc#1146547).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory (bnc#1146519).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c (bnc#1146550).

CVE-2019-15221: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver (bnc#1146529).

CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver (bnc#1146531).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver (bnc#1146413).

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver (bnc#1146425).

CVE-2019-15090: An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the qedi_dbg_* family of functions, there is an out-of-bounds read (bnc#1146399).

CVE-2018-20976: An issue was discovered in fs/xfs/xfs_super.c. A use after free exists, related to xfs_fs_fill_super failure (bnc#1146285).

CVE-2017-18551: An issue was discovered in drivers/i2c/i2c-core-smbus.c. There was an out of bounds write in the function i2c_smbus_xfer_emulated (bnc#1146163).

CVE-2019-15118: check_input_term in sound/usb/mixer.c mishandled recursion, leading to kernel stack exhaustion (bnc#1145922).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c mishandled a short descriptor, leading to out-of-bounds memory access (bnc#1145920).

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10905

A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20976

It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
A nearby attacker could use this for denial of service (loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them.

This update mitigates the attack by requiring a minimum encryption key length of 56 bits.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear.

CVE-2019-15917

The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15926

It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.74-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following new features were implemented :

jsc#SLE-4875: [CML] New device IDs for CML

jsc#SLE-7294: Add cpufreq driver for Raspberry Pi

fate#326869: perf: pmu mem_load/store event support

fate#327380: KVM: Add hardware CPU Model - kernel part

fate#327377: KVM: Support for configurable virtio-crypto

fate#327775: vpmem: DRAM backed persistent volumes for improved SAP HANA on POWER restart times

fate#326472: Marvell Armada 7K/8K Ethernet (incl. 10G) kernel enablement

fate#326416: Hi1620 (Vendor: Huawei): RDMA kernel enablement

fate#326415: Hi1620 (Vendor: Huawei): HNS3 (100G) network kernel enablement

The following security bugs were fixed: CVE-2019-14835: Fix QEMU-KVM Guest to Host Kernel Escape. (bsc#1150112).

CVE-2019-15216: Fix a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bsc#1146361).

CVE-2019-15924: Fix a NULL pointer dereference because there was no

-ENOMEM upon an alloc_workqueue failure. (bsc#1149612).

CVE-2019-9456: In Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have lead to local escalation of privilege with System execution privileges needed.
(bsc#1150025 CVE-2019-9456).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt. (bsc#1149713)

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149626)

CVE-2019-15921: There was a memory leak issue when idr_alloc() failed (bsc#1149602)

CVE-2018-21008: A use-after-free can be caused by the function rsi_mac80211_detach (bsc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149552)

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() failed in hci_uart_set_proto() (bsc#1149539)

CVE-2019-15926: Out of bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx (bsc#1149527)

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit (bsc#1149522)

CVE-2019-15902: A backporting error reintroduced the Spectre vulnerability that it aimed to eliminate. (bnc#1149376)

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which would cause denial of service, because verify_newpolicy_info mishandled directory validation. (bsc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bsc#1146524)

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Fix three heap-based buffer overflows in marvell wifi chip driver kernel, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code. (bnc#1146516)

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
(bsc#1146526)

CVE-2019-15538: XFS partially wedged when a chgrp failed on account of being out of disk quota. This was primarily a local DoS attack vector, but it could result as well in remote DoS if the XFS filesystem was exported for instance via NFS. (bsc#1148032, bsc#1148093)

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15098: USB driver net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146378).

CVE-2019-15221, CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
(bsc#1146529, bsc#1146531)

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access. (bsc#1145920).

CVE-2019-15118: check_input_term in sound/usb/mixer.c in the Linux kernel mishandled recursion, leading to kernel stack exhaustion.
(bsc#1145922).

CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated. (bsc#1146163).

CVE-2019-15090: In the qedi_dbg_* family of functions, there was an out-of-bounds read. (bsc#1146399)

CVE-2018-20976: A use after free existed, related to xfs_fs_fill_super failure. (bsc#1146285)

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (bsc#1135642 bsc#1146425)

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bsc#1051510 bsc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit (bsc#1146678)

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bsc#1146547).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. (bsc#1146550)

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
(bsc#1051510 bsc#1146413)

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory.
(bsc#1146519).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146368)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following new features were implemented :

jsc#SLE-4875: [CML] New device IDs for CML

jsc#SLE-7294: Add cpufreq driver for Raspberry Pi

fate#321840: Reduce memory required to boot capture kernel while using fadump

fate#326869: perf: pmu mem_load/store event support

fate:327775: vpmem: DRAM backed persistent volumes for improved SAP HANA on POWER restart times

The following security bugs were fixed: CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Fix three heap-based buffer overflows in marvell wifi chip driver kernel, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code.
(bnc#1146516)

CVE-2019-15216: Fix a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bsc#1146361).

CVE-2019-14835: Fix QEMU-KVM Guest to Host Kernel Escape.
(bsc#1150112).

CVE-2019-15924: Fix a NULL pointer dereference because there was no

-ENOMEM upon an alloc_workqueue failure. (bsc#1149612).

CVE-2019-9456: In Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have lead to local escalation of privilege with System execution privileges needed.
(bsc#1150025 CVE-2019-9456).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt. (bsc#1149713)

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149626)

CVE-2019-15921: There was a memory leak issue when idr_alloc() failed (bsc#1149602)

CVE-2018-21008: A use-after-free can be caused by the function rsi_mac80211_detach (bsc#1149591).

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149552)

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() failed in hci_uart_set_proto() (bsc#1149539)

CVE-2019-15926: Out of bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx (bsc#1149527)

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit (bsc#1149522)

CVE-2019-15902: A backporting error reintroduced the Spectre vulnerability that it aimed to eliminate. (bnc#1149376)

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which would cause denial of service, because verify_newpolicy_info mishandled directory validation. (bsc#1148394).

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bsc#1146524)

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
(bsc#1146526)

CVE-2019-15538: XFS partially wedged when a chgrp failed on account of being out of disk quota. This was primarily a local DoS attack vector, but it could result as well in remote DoS if the XFS filesystem was exported for instance via NFS. (bsc#1148032, bsc#1148093)

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15098: USB driver net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146378).

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bsc#1051510 bsc#1146391).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit (bsc#1146678)

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bsc#1146547).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory.
(bsc#1146519).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. (bsc#1146550)

CVE-2019-15221, CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
(bsc#1146529, bsc#1146531)

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
(bsc#1051510 bsc#1146413)

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (bsc#1135642 bsc#1146425)

CVE-2019-15090: In the qedi_dbg_* family of functions, there was an out-of-bounds read. (bsc#1146399)

CVE-2018-20976: A use after free existed, related to xfs_fs_fill_super failure. (bsc#1146285)

CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated. (bsc#1146163).

CVE-2019-15118: check_input_term in sound/usb/mixer.c in the Linux kernel mishandled recursion, leading to kernel stack exhaustion.
(bsc#1145922).

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access. (bsc#1145920).

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following new features were implemented :

jsc#SLE-4875: [CML] New device IDs for CML

jsc#SLE-7294: Add cpufreq driver for Raspberry Pi

fate#322438: Integrate P9 XIVE support (on PowerVM only)

fate#322447: Add memory protection keys (MPK) support on POWER (on PowerVM only)

fate#322448, fate#321438: P9 hardware counter (performance counters) support (on PowerVM only)

fate#325306, fate#321840: Reduce memory required to boot capture kernel while using fadump

fate#326869: perf: pmu mem_load/store event support

The following security bugs were fixed: CVE-2017-18551: There was an out of bounds write in the function i2c_smbus_xfer_emulated.
(bsc#1146163).

CVE-2018-20976: A use after free existed, related to xfs_fs_fill_super failure. (bsc#1146285)

CVE-2018-21008: A use-after-free can be caused by the function rsi_mac80211_detach (bsc#1149591).

CVE-2019-9456: In Pixel C USB monitor driver there was a possible OOB write due to a missing bounds check. This could have lead to local escalation of privilege with System execution privileges needed.
(bsc#1150025 CVE-2019-9456).

CVE-2019-10207: Fix a NULL pointer dereference in hci_uart bluetooth driver (bsc#1142857 bsc#1123959).

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Fix three heap-based buffer overflows in marvell wifi chip driver kernel, that allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code. (bnc#1146516)

CVE-2019-14835: Fix QEMU-KVM Guest to Host Kernel Escape.
(bsc#1150112).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt. (bsc#1149713)

CVE-2019-15090: In the qedi_dbg_* family of functions, there was an out-of-bounds read. (bsc#1146399)

CVE-2019-15098: USB driver net/wireless/ath/ath6kl/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146378).

CVE-2019-15099: drivers/net/wireless/ath/ath10k/usb.c had a NULL pointer dereference via an incomplete address in an endpoint descriptor. (bsc#1146368)

CVE-2019-15117: parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel mishandled a short descriptor, leading to out-of-bounds memory access. (bsc#1145920).

CVE-2019-15118: check_input_term in sound/usb/mixer.c in the Linux kernel mishandled recursion, leading to kernel stack exhaustion.
(bsc#1145922).

CVE-2019-15211: There was a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c did not properly allocate memory.
(bsc#1146519).

CVE-2019-15212: There was a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (bsc#1051510 bsc#1146391).

CVE-2019-15214: There was a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. (bsc#1146550)

CVE-2019-15215: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (bsc#1135642 bsc#1146425)

CVE-2019-15216: Fix a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (bsc#1146361).

CVE-2019-15217: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (bsc#1146547).

CVE-2019-15218: There was a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.
(bsc#1051510 bsc#1146413)

CVE-2019-15219: There was a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (bsc#1146524)

CVE-2019-15220: There was a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver.
(bsc#1146526)

CVE-2019-15221, CVE-2019-15222: There was a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.
(bsc#1146529, bsc#1146531)

CVE-2019-15239: An incorrect backport of a certain net/ipv4/tcp_output.c fix allowed a local attacker to trigger multiple use-after-free conditions. This could result in a kernel crash, or potentially in privilege escalation. (bsc#1146589)

CVE-2019-15290: There was a NULL pointer dereference caused by a malicious USB device in the ath6kl_usb_alloc_urb_from_pipe function (bsc#1146543).

CVE-2019-15292: There was a use-after-free in atalk_proc_exit (bsc#1146678)

CVE-2019-15538: XFS partially wedged when a chgrp failed on account of being out of disk quota. This was primarily a local DoS attack vector, but it could result as well in remote DoS if the XFS filesystem was exported for instance via NFS. (bsc#1148032, bsc#1148093)

CVE-2019-15666: There was an out-of-bounds array access in
__xfrm_policy_unlink, which would cause denial of service, because verify_newpolicy_info mishandled directory validation. (bsc#1148394).

CVE-2019-15902: A backporting error reintroduced the Spectre vulnerability that it aimed to eliminate. (bnc#1149376)

CVE-2019-15917: There was a use-after-free issue when hci_uart_register_dev() failed in hci_uart_set_proto() (bsc#1149539)

CVE-2019-15919: SMB2_write in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149552)

CVE-2019-15920: SMB2_read in fs/cifs/smb2pdu.c had a use-after-free.
(bsc#1149626)

CVE-2019-15921: There was a memory leak issue when idr_alloc() failed (bsc#1149602)

CVE-2019-15924: Fix a NULL pointer dereference because there was no

-ENOMEM upon an alloc_workqueue failure. (bsc#1149612).

CVE-2019-15926: Out of bounds access existed in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx (bsc#1149527)

CVE-2019-15927: An out-of-bounds access existed in the function build_audio_procunit (bsc#1149522)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel before     5.1.8. There is a double-free caused by a malicious USB     device in the drivers/usb/misc/rio500.c     driver.(CVE-2019-15212)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a use-after-free caused by a malicious     USB device in the     drivers/media/usb/dvb-usb/dvb-usb-init.c     driver.(CVE-2019-15213)

  - An issue was discovered in the Linux kernel before     5.2.6. There is a use-after-free caused by a malicious     USB device in the drivers/media/usb/cpia2/cpia2_usb.c     driver.(CVE-2019-15215)

  - An issue was discovered in the Linux kernel before     5.0.14. There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)

  - An issue was discovered in the Linux kernel before     5.2.3. There is a NULL pointer dereference caused by a     malicious USB device in the     drivers/media/usb/zr364xx/zr364xx.c     driver.(CVE-2019-15217)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c     in the Linux kernel before 5.1.12. In the qedi_dbg_*     family of functions, there is an out-of-bounds     read.(CVE-2019-15090)

  - An issue was discovered in the Linux kernel before     4.14.11. A double free may be caused by the function     allocate_trace_buffer in the file     kernel/trace/trace.c.(CVE-2017-18595)

  - The acpi_ns_evaluate() function in     drivers/acpi/acpica/nseval.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13695)

  - The acpi_ps_complete_final_op() function in     drivers/acpi/acpica/psobject.c in the Linux kernel     through 4.12.9 does not flush the node and node_ext     caches and causes a kernel stack dump, which allows     local users to obtain sensitive information from kernel     memory and bypass the KASLR protection mechanism (in     the kernel through 4.9) via a crafted ACPI     table.(CVE-2017-13694)

  - The acpi_ds_create_operands() function in     drivers/acpi/acpica/dsutils.c in the Linux kernel     through 4.12.9 does not flush the operand cache and     causes a kernel stack dump, which allows local users to     obtain sensitive information from kernel memory and     bypass the KASLR protection mechanism (in the kernel     through 4.9) via a crafted ACPI table.(CVE-2017-13693)

  - Heap-based buffer overflow in the     logi_dj_ll_raw_request function in     drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to     cause a denial of service (system crash) or possibly     execute arbitrary code via a crafted device that     specifies a large report size for an LED     report.(CVE-2014-3183)

  - An issue was discovered in the Linux kernel before     5.0.5. There is a use-after-free issue when     hci_uart_register_dev() fails in hci_uart_set_proto()     in drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)

  - An issue was discovered in the Linux kernel before     5.0.10. There is a use-after-free in the sound     subsystem because card disconnection causes certain     data structures to be deleted too early. This is     related to sound/core/init.c and     sound/core/info.c.(CVE-2019-15214)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
134387	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)	Nessus	Huawei Local Security Checks	critical
134240	Debian DLA-2114-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	critical
132741	Slackware 14.2 : Slackware 14.2 kernel (SSA:2020-008-01)	Nessus	Slackware Local Security Checks	medium
132003	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3237-1)	Nessus	SuSE Local Security Checks	high
132002	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3233-1)	Nessus	SuSE Local Security Checks	high
130163	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2738-1)	Nessus	SuSE Local Security Checks	critical
129845	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2648-1)	Nessus	SuSE Local Security Checks	critical
129361	Debian DLA-1930-1 : linux security update	Nessus	Debian Local Security Checks	critical
129345	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2181)	Nessus	SuSE Local Security Checks	critical
129339	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2173)	Nessus	SuSE Local Security Checks	critical
129157	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2424-1)	Nessus	SuSE Local Security Checks	critical
129156	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2414-1)	Nessus	SuSE Local Security Checks	critical
129154	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:2412-1)	Nessus	SuSE Local Security Checks	critical
129129	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1972)	Nessus	Huawei Local Security Checks	high

CVE-2019-15917

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins