https://bugzilla.redhat.com/show_bug.cgi?id=1905155

[debian-lts-announce] 20210212 [SECURITY] [DLA 2557-1] linux-4.19 security update

[debian-lts-announce] 20210309 [SECURITY] [DLA 2586-1] linux security update

DSA-4843

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-19318, CVE-2019-19813, CVE-2019-19816

'Team bobfuzzer' reported bugs in Btrfs that could lead to a use-after-free or heap buffer overflow, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use these to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-27815

A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-28374

David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3178

&#x5434;&#x5F02; reported an information leak in the NFSv3 server.
When only a subdirectory of a filesystem volume is exported, an NFS client listing the exported directory would obtain a file handle to the parent directory, allowing it to access files that were not meant to be exported.

Even after this update, it is still possible for NFSv3 clients to guess valid file handles and access files outside an exported subdirectory, unless the 'subtree_check' export option is enabled. It is recommended that you do not use that option but only export whole filesystem volumes.

CVE-2021-3347

It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-26930 (XSA-365)

Olivier Benjamin, Norbert Manthey, Martin Mazein, and Jan H.
Sch&ouml;nherr discovered that the Xen block backend driver (xen-blkback) did not handle grant mapping errors correctly. A malicious guest could exploit this bug to cause a denial of service (crash), or possibly an information leak or privilege escalation, within the domain running the backend, which is typically dom0.

CVE-2021-26931 (XSA-362), CVE-2021-26932 (XSA-361), CVE-2021-28038 (XSA-367)

Jan Beulich discovered that the Xen support code and various Xen backend drivers did not handle grant mapping errors correctly. A malicious guest could exploit these bugs to cause a denial of service (crash) within the domain running the backend, which is typically dom0.

CVE-2021-27363

Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to transport handle attributes in sysfs. On a system acting as an iSCSI initiator, this is an information leak to local users and makes it easier to exploit CVE-2021-27364.

CVE-2021-27364

Adam Nichols reported that the iSCSI initiator subsystem did not properly restrict access to its netlink management interface. On a system acting as an iSCSI initiator, a local user could use these to cause a denial of service (disconnection of storage) or possibly for privilege escalation.

CVE-2021-27365

Adam Nichols reported that the iSCSI initiator subsystem did not correctly limit the lengths of parameters or 'passthrough PDUs' sent through its netlink management interface. On a system acting as an iSCSI initiator, a local user could use these to leak the contents of kernel memory, to cause a denial of service (kernel memory corruption or crash), and probably for privilege escalation.

For Debian 9 stretch, these problems have been fixed in version 4.9.258-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of kernel installed on the remote host is prior to 4.14.219-161.340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1600 advisory.

  - A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was     a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a     denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege     to a kernel information leak threat. (CVE-2020-27825)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

  - ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a     subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via     READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this     attack; see also the exports(5) no_subtree_check default behavior. (CVE-2021-3178)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of kernel installed on the remote host is prior to 4.14.219-119.340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1480 advisory.

  - A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was     a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a     denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege     to a kernel information leak threat. (CVE-2020-27825)

  - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking     in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal     in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker     has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are     proxied via an attacker-selected backstore. (CVE-2020-28374)

  - ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a     subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via     READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this     attack; see also the exports(5) no_subtree_check default behavior. (CVE-2021-3178)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-27815

A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service.

CVE-2020-27825

Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak.

CVE-2020-27830

Shisong Qin reported a NULL pointer dereference flaw in the Speakup screen reader core driver.

CVE-2020-28374

David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend.

CVE-2020-29660

Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID.

CVE-2020-29661

Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation.

CVE-2020-36158

A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value.

CVE-2021-3347

It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

CVE-2021-20177

A flaw was discovered in the Linux implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) can take advantage of this flaw to cause a kernel panic when inserting iptables rules.

For Debian 9 stretch, these problems have been fixed in version 4.19.171-2~deb9u1.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-25285: A race condition between hugetlb sysctl handlers in mm/hugetlb.c could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact (bnc#1176485 ).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service (bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).

CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() which could eventually have allowed attackers to cause a denial of service (memory consumption) (bnc#1157298 ).

CVE-2019-6133: Fixed an issue where the 'start time' protection mechanism could have been bypassed and therefore authorization decisions are improperly cached (bsc#1128172).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-10781: A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device.
With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable (bnc#1173074).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-29371: An issue was discovered in romfs_dev_read in fs/romfs/storage.c where uninitialized memory leaks to userspace (bnc#1179429).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

CVE-2019-20806: Fixed a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service (bnc#1172199).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3348: Fixed a use-after-free in nbd_add_socket() that could be triggered by local attackers (with access to the nbd device) via an I/O request (bnc#1181504).

CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).

CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).

CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).

CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).

CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).

CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update syncs the RT kernel from the SUSE Linux Enterprise 15-SP2 codestream. This update was imported from the SUSE:SLE-15-SP2:Update update project.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2020-27815     A flaw was reported in the JFS filesystem code allowing     a local attacker with the ability to set extended     attributes to cause a denial of service.

  - CVE-2020-27825     Adam 'pi3' Zabrocki reported a use-after-free flaw in     the ftrace ring buffer resizing logic due to a race     condition, which could result in denial of service or     information leak.

  - CVE-2020-27830     Shisong Qin reported a NULL pointer dereference flaw in     the Speakup screen reader core driver.

  - CVE-2020-28374     David Disseldorp discovered that the LIO SCSI target     implementation performed insufficient checking in     certain XCOPY requests. An attacker with access to a LUN     and knowledge of Unit Serial Number assignments can take     advantage of this flaw to read and write to any LIO     backstore, regardless of the SCSI transport settings.

  - CVE-2020-29568 (XSA-349)     Michael Kurth and Pawel Wieczorkiewicz reported that     frontends can trigger OOM in backends by updating a     watched path.

  - CVE-2020-29569 (XSA-350)     Olivier Benjamin and Pawel Wieczorkiewicz reported a     use-after-free flaw which can be triggered by a block     frontend in Linux blkback. A misbehaving guest can     trigger a dom0 crash by continuously connecting /     disconnecting a block frontend.

  - CVE-2020-29660     Jann Horn reported a locking inconsistency issue in the     tty subsystem which may allow a local attacker to mount     a read-after-free attack against TIOCGSID.

  - CVE-2020-29661     Jann Horn reported a locking issue in the tty subsystem     which can result in a use-after-free. A local attacker     can take advantage of this flaw for memory corruption or     privilege escalation.

  - CVE-2020-36158     A buffer overflow flaw was discovered in the mwifiex     WiFi driver which could result in denial of service or     the execution of arbitrary code via a long SSID value.

  - CVE-2021-3347     It was discovered that PI futexes have a kernel stack     use-after-free during fault handling. An unprivileged     user could use this flaw to crash the kernel (resulting     in denial of service) or for privilege escalation.

  - CVE-2021-20177     A flaw was discovered in the Linux implementation of     string matching within a packet. A privileged user (with     root or CAP_NET_ADMIN) can take advantage of this flaw     to cause a kernel panic when inserting iptables rules.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a LIO security issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-29373: Fixed an unsafe handling of the root directory during path lookups in fs/io_uring.c (bnc#1179434).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-27830: Fixed a NULL pointer dereference in speakup (bsc#1179656).

CVE-2020-29370: Fixed a race condition in kmem_cache_alloc_bulk (bnc#1179435).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-28374: Fixed a Linux SCSI target issue (bsc#1178372).

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-29373: Fixed an unsafe handling of the root directory during path lookups in fs/io_uring.c (bnc#1179434).

CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).

CVE-2020-27830: Fixed a NULL pointer dereference in speakup (bsc#1179656).

CVE-2020-29370: Fixed a race condition in kmem_cache_alloc_bulk (bnc#1179435).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
147532	Debian DLA-2586-1 : linux security update	Nessus	Debian Local Security Checks	high
146631	Amazon Linux 2 : kernel (ALAS-2021-1600)	Nessus	Amazon Linux Local Security Checks	high
146569	Amazon Linux AMI : kernel (ALAS-2021-1480)	Nessus	Amazon Linux Local Security Checks	high
146512	Debian DLA-2557-1 : linux-4.19 security update	Nessus	Debian Local Security Checks	high
146511	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0452-1)	Nessus	SuSE Local Security Checks	high
146476	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0437-1)	Nessus	SuSE Local Security Checks	high
146474	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0438-1)	Nessus	SuSE Local Security Checks	high
146470	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0434-1)	Nessus	SuSE Local Security Checks	high
146282	openSUSE Security Update : RT kernel (openSUSE-2021-242)	Nessus	SuSE Local Security Checks	high
146052	Debian DSA-4843-1 : linux - security update	Nessus	Debian Local Security Checks	high
145320	openSUSE Security Update : the Linux Kernel (openSUSE-2021-60)	Nessus	SuSE Local Security Checks	high
145287	openSUSE Security Update : the Linux Kernel (openSUSE-2021-75)	Nessus	SuSE Local Security Checks	high
145120	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0133-1)	Nessus	SuSE Local Security Checks	high
145025	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0117-1)	Nessus	SuSE Local Security Checks	high
145018	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:0118-1)	Nessus	SuSE Local Security Checks	high
144959	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0108-1)	Nessus	SuSE Local Security Checks	high
144914	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0098-1)	Nessus	SuSE Local Security Checks	high
144908	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:0095-1)	Nessus	SuSE Local Security Checks	high

CVE-2020-27825

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high