Newest Plugins

macOS : Apple Safari < 11.0 Multiple Vulnerabilities


Synopsis:

A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.

Description:

The version of Apple Safari installed on the remote macOS or Mac OS X
host is prior to 11.0. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified flaw exists that allows an unauthenticated, remote
attacker to spoof the address bar via a specially crafted website.
(CVE-2017-7085, CVE-2017-7106)

- A cross-site scripting (XSS) vulnerability exists in the WebKit
component in the handling of the parent tab. An unauthenticated,
remote attacker can exploit this issue, via a specially crafted
URL, to execute arbitrary script code in a user's browser session.
(CVE-2017-7089)

See also :

https://support.apple.com/en-us/HT208116
http://www.nessus.org/u?8e4748a9

Solution :

Upgrade to Apple Safari version 11.0 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Apple Xcode < 9.0 Multiple RCE (macOS)


Synopsis:

An IDE application installed on the remote macOS or Mac OS X host is
affected by multiple remote code execution vulnerabilities.

Description:

The version of Apple Xcode installed on the remote macOS or Mac OS X
host is prior to 9.0. It is, therefore, affected by multiple remote
code execution vulnerabilities in the git, ld64, and subversion components.
An unauthenticated, remote attacker can exploit these vulnerabilities to
execute arbitrary code.

See also :

https://support.apple.com/en-us/HT208103
http://www.nessus.org/u?f9703a45

Solution :

Upgrade to Apple Xcode version 9.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

WordPress 4.8.x < 4.8.2 Multiple Vulnerabilities


Synopsis:

A PHP application running on the remote web server is affected by
multiple vulnerabilities.

Description:

According to its self-reported version number, the WordPress
application running on the remote web server is 4.8.x prior to 4.8.2.
It is, therefore, affected by multiple vulnerabilities :

- A flaw in $wpdb->prepare() can create unsafe queries
leading to potential SQL injection flaws with plugins
and themes.

- Multiple cross-site scripting (XSS) vulnerabilities
exist due to improper sanitization of user-supplied
input. An unauthenticated, remote attacker can
exploit this, via a specially crafted request, to
execute arbitrary script code in a user's browser
session.

- Multiple path traversal vulnerabilities exist in the
file unzipping code and customizer. A remote attacker
may be able to read arbitrary files subject to the
privileges under which the web server runs.

- An open redirect flaw exists on the user and term edit
screens. A remote attacker can exploit this, by
tricking a user into following a specially crafted link,
to redirect a user to an arbitrary website.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?dadf2914
https://codex.wordpress.org/Version_4.8.2

Solution :

Upgrade to WordPress version 4.8.2 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

VMSA-2017-0015 : VMware ESXi, vCenter Server, Fusion & Workstation updates resolve multiple security vulnerabilities


Synopsis:

The remote VMware ESXi host is missing one or more security-related
patches.

Description:

a. Out-of-bounds write vulnerability in SVGA

VMware ESXi, Workstation & Fusion contain an out-of-bounds write
vulnerability in the SVGA device. This issue may allow a guest to
execute code on the host.

VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of
Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4924 to this issue.

b. Guest RPC NULL pointer dereference vulnerability

VMware ESXi, Workstation & Fusion contain a NULL pointer dereference
vulnerability. This issue occurs when handling guest RPC requests.
Successful exploitation of this issue may allow attackers with
normal user privileges to crash their VMs.

VMware would like to thank Zhang Haitao for reporting this issue
to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4925 to this issue.

c. Stored XSS in H5 Client

vCenter Server H5 Client contains a vulnerability that may allow for
stored cross-site scripting (XSS). An attacker with VC user
privileges can inject malicious JavaScript which will be executed
when other VC users access the page.

VMware would like to thank Thomas Ornetzeder for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4926 to this issue.

See also :

http://lists.vmware.com/pipermail/security-announce/2017/000387.html

Solution :

Apply the missing patches.

Risk factor :

High / CVSS Base Score : 8.3
(CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.1
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : apache2 vulnerability (USN-3425-1) (Optionsbleed)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Hanno Böck discovered that the Apache HTTP Server incorrectly handled
Limit directives in .htaccess files. In certain configurations, a
remote attacker could possibly use this issue to read arbitrary server
memory, including sensitive information. This issue is known as
Optionsbleed.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected apache2-bin package.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

SUSE SLED12 / SLES12 Security Update : gcc48 (SUSE-SU-2017:2526-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

This update for gcc48 fixes the following issues:

Security issues fixed :

- A new option -fstack-clash-protection is now offered,
which mitigates the stack clash type of attacks.
[bnc#1039513] Future maintenance releases of packages
will be built with this option.

- CVE-2017-11671: Fixed rdrand/rdseed code generation
issue [bsc#1050947]

Bugs fixed :

- Enable LFS support in 32bit libgcov.a. [bsc#1044016]

- Bump libffi version in libffi.pc to 3.0.11.

- Fix libffi issue for armv7l. [bsc#988274]

- Properly diagnose missing -fsanitize=address support on
ppc64le. [bnc#1028744]

- Backport patch for PR65612. [bnc#1022062]

- Fixed DR#1288. [bnc#1011348]

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1011348
https://bugzilla.suse.com/1022062
https://bugzilla.suse.com/1028744
https://bugzilla.suse.com/1039513
https://bugzilla.suse.com/1044016
https://bugzilla.suse.com/1050947
https://bugzilla.suse.com/988274
https://www.suse.com/security/cve/CVE-2017-11671.html
http://www.nessus.org/u?cff2273f

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE OpenStack Cloud 6:zypper in -t patch
SUSE-OpenStack-Cloud-6-2017-1564=1

SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
SUSE-SLE-WE-12-SP3-2017-1564=1

SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch
SUSE-SLE-WE-12-SP2-2017-1564=1

SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
patch SUSE-SLE-SDK-12-SP3-2017-1564=1

SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
patch SUSE-SLE-SDK-12-SP2-2017-1564=1

SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
SUSE-SLE-SAP-12-SP1-2017-1564=1

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
patch SUSE-SLE-RPI-12-SP2-2017-1564=1

SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
SUSE-SLE-SERVER-12-SP3-2017-1564=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
SUSE-SLE-SERVER-12-SP2-2017-1564=1

SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
SUSE-SLE-SERVER-12-SP1-2017-1564=1

SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
SUSE-SLE-SERVER-12-2017-1564=1

SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP3-2017-1564=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP2-2017-1564=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.6
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2017 Tenable Network Security, Inc.

SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive
various security and bug fixes. The following security bugs were
fixed :

- CVE-2016-5243: The tipc_nl_compat_link_dump function in
net/tipc/netlink_compat.c in the Linux kernel did not
properly copy a certain string, which allowed local
users to obtain sensitive information from kernel stack
memory by reading a Netlink message (bnc#983212)

- CVE-2016-10200: Race condition in the L2TPv3 IP
Encapsulation feature in the Linux kernel allowed local
users to gain privileges or cause a denial of service
(use-after-free) by making multiple bind system calls
without properly ascertaining whether a socket has the
SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and
net/l2tp/l2tp_ip6.c (bnc#1028415)

- CVE-2017-2647: The KEYS subsystem in the Linux kernel
allowed local users to gain privileges or cause a denial
of service (NULL pointer dereference and system crash)
via vectors involving a NULL value for a certain match
field, related to the keyring_search_iterator function
in keyring.c (bsc#1030593).

- CVE-2017-2671: The ping_unhash function in
net/ipv4/ping.c in the Linux kernel was too late in
obtaining a certain lock and consequently could not
ensure that disconnect function calls are safe, which
allowed local users to cause a denial of service (panic)
by leveraging access to the protocol value of
IPPROTO_ICMP in a socket system call (bnc#1031003)

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the
Linux kernel did not restrict the address calculated by
a certain rounding operation, which allowed local users
to map page zero, and consequently bypass a protection
mechanism that exists for the mmap system call, by
making crafted shmget and shmat system calls in a
privileged context (bnc#1026914)

- CVE-2017-5970: The ipv4_pktinfo_prepare function in
net/ipv4/ip_sockglue.c in the Linux kernel allowed
attackers to cause a denial of service (system crash)
via (1) an application that made crafted system calls or
possibly (2) IPv4 traffic with invalid IP options
(bsc#1024938)

- CVE-2017-5986: Race condition in the
sctp_wait_for_sndbuf function in net/sctp/socket.c in
the Linux kernel allowed local users to cause a denial
of service (assertion failure and panic) via a
multithreaded application that peels off an association
in a certain buffer-full state (bsc#1025235)

- CVE-2017-6074: The dccp_rcv_state_process function in
net/dccp/input.c in the Linux kernel mishandled
DCCP_PKT_REQUEST packet data structures in the LISTEN
state, which allowed local users to obtain root
privileges or cause a denial of service (double free)
via an application that made an IPV6_RECVPKTINFO
setsockopt system call (bnc#1026024)

- CVE-2017-6214: The tcp_splice_read function in
net/ipv4/tcp.c in the Linux kernel allowed remote
attackers to cause a denial of service (infinite loop
and soft lockup) via vectors involving a TCP packet with
the URG flag (bnc#1026722)

- CVE-2017-6348: The hashbin_delete function in
net/irda/irqueue.c in the Linux kernel improperly
managed lock dropping, which allowed local users to
cause a denial of service (deadlock) via crafted
operations on IrDA devices (bnc#1027178)

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did
not properly restrict association peel-off operations
during certain wait states, which allowed local users to
cause a denial of service (invalid unlock and double
free) via a multithreaded application. NOTE: this
vulnerability exists because of an incorrect fix for
CVE-2017-5986 (bnc#1027066)

- CVE-2017-6951: The keyring_search_aux function in
security/keys/keyring.c in the Linux kernel allowed
local users to cause a denial of service (NULL pointer
dereference and OOPS) via a request_key system call for
the 'dead' type (bsc#1029850).

- CVE-2017-7184: The xfrm_replay_verify_len function in
net/xfrm/xfrm_user.c in the Linux kernel did not
validate certain size data after an XFRM_MSG_NEWAE
update, which allowed local users to obtain root
privileges or cause a denial of service (heap-based
out-of-bounds access) by leveraging the CAP_NET_ADMIN
capability (bsc#1030573)

- CVE-2017-7187: The sg_ioctl function in
drivers/scsi/sg.c in the Linux kernel allowed local
users to cause a denial of service (stack-based buffer
overflow) or possibly have unspecified other impact via
a large command size in an SG_NEXT_CMD_LEN ioctl call,
leading to out-of-bounds write access in the sg_write
function (bnc#1030213)

- CVE-2017-7261: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux
kernel did not check for a zero value of certain levels
data, which allowed local users to cause a denial of
service (ZERO_SIZE_PTR dereference, and GPF and possibly
panic) via a crafted ioctl call for a /dev/dri/renderD*
device (bnc#1031052)

- CVE-2017-7294: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux
kernel did not validate addition of certain levels data,
which allowed local users to trigger an integer overflow
and out-of-bounds write, and cause a denial of service
(system hang or crash) or possibly gain privileges, via
a crafted ioctl call for a /dev/dri/renderD* device
(bnc#1031440)

- CVE-2017-7308: The packet_set_ring function in
net/packet/af_packet.c in the Linux kernel did not
properly validate certain block-size data, which allowed
local users to cause a denial of service (overflow) or
possibly have unspecified other impact via crafted
system calls (bnc#1031579)

- CVE-2017-7482: Several missing length checks in ticket
decoding allowed for an information leak or potentially code
execution (bsc#1046107).

- CVE-2017-7487: The ipxitf_ioctl function in
net/ipx/af_ipx.c in the Linux kernel mishandled
reference counts, which allowed local users to cause a
denial of service (use-after-free) or possibly have
unspecified other impact via a failed SIOCGIFADDR ioctl
call for an IPX interface (bsc#1038879).

- CVE-2017-7533: Race condition in the fsnotify
implementation in the Linux kernel allowed local users
to gain privileges or cause a denial of service (memory
corruption) via a crafted application that leverages
simultaneous execution of the inotify_handle_event and
vfs_rename functions (bnc#1049483, bnc#1050677).

- CVE-2017-7542: The ip6_find_1stfragopt function in
net/ipv6/output_core.c in the Linux kernel allowed local
users to cause a denial of service (integer overflow and
infinite loop) by leveraging the ability to open a raw
socket (bnc#1049882).

- CVE-2017-7616: Incorrect error handling in the
set_mempolicy and mbind compat syscalls in
mm/mempolicy.c in the Linux kernel allowed local users
to obtain sensitive information from uninitialized stack
data by triggering failure of a certain bitmap operation
(bsc#1033336)

- CVE-2017-8831: The saa7164_bus_get function in
drivers/media/pci/saa7164/saa7164-bus.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds array access) or possibly have
unspecified other impact by changing a certain
sequence-number value, aka a 'double fetch'
vulnerability. This requires a malicious PCI Card.
(bnc#1037994).

- CVE-2017-8890: The inet_csk_clone_lock function in
net/ipv4/inet_connection_sock.c in the Linux kernel
allowed attackers to cause a denial of service (double
free) or possibly have unspecified other impact by
leveraging use of the accept system call (bsc#1038544).

- CVE-2017-8924: The edge_bulk_in_callback function in
drivers/usb/serial/io_ti.c in the Linux kernel allowed
local users to obtain sensitive information (in the
dmesg ringbuffer and syslog) from uninitialized kernel
memory by using a crafted USB device (posing as an io_ti
USB serial device) to trigger an integer underflow
(bnc#1037182).

- CVE-2017-8925: The omninet_open function in
drivers/usb/serial/omninet.c in the Linux kernel allowed
local users to cause a denial of service (tty
exhaustion) by leveraging reference count mishandling
(bnc#1038981).

- CVE-2017-9074: The IPv6 fragmentation implementation in
the Linux kernel did not consider that the nexthdr field
may be associated with an invalid option, which allowed
local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact
via crafted socket and send system calls (bnc#1039882).

- CVE-2017-9075: The sctp_v6_create_accept_sk function in
net/sctp/ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bsc#1039883).

- CVE-2017-9076: The dccp_v6_request_recv_sock function in
net/dccp/ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bnc#1039885).

- CVE-2017-9077: The tcp_v6_syn_recv_sock function in
net/ipv6/tcp_ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bsc#1040069).

- CVE-2017-9242: The __ip6_append_data function in
net/ipv6/ip6_output.c in the Linux kernel was too late
in checking whether an overwrite of an skb data
structure may occur, which allowed local users to cause
a denial of service (system crash) via crafted system
calls (bnc#1041431).

- CVE-2017-10661: Race condition in fs/timerfd.c in the
Linux kernel allowed local users to gain privileges or
cause a denial of service (list corruption or
use-after-free) via simultaneous file-descriptor
operations that leverage improper might_cancel queueing
(bnc#1053152).

- CVE-2017-11176: The mq_notify function in the Linux
kernel did not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allowed attackers to cause a denial
of service (use-after-free) or possibly have unspecified
other impact (bnc#1048275).

- CVE-2017-11473: Buffer overflow in the
mp_override_legacy_irq() function in
arch/x86/kernel/acpi/boot.c in the Linux kernel allowed
local users to gain privileges via a crafted ACPI table
(bnc#1049603).

- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A
user-controlled buffer is copied into a local buffer of
constant size using strcpy without a length check which
can cause a buffer overflow. (bnc#1053148).

- CVE-2017-14051: An integer overflow in the
qla2x00_sysfs_write_optrom_ctl function in
drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel
allowed local users to cause a denial of service (memory
corruption and system crash) by leveraging root access
(bnc#1056588).

- CVE-2017-1000112: Fixed a race condition in net-packet
code that could have been exploited by unprivileged
users to gain root access. (bsc#1052311).

- CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds
Write. Due to a missing bounds check, and the fact that
parport_ptr integer is static, a 'secure boot' kernel
command line adversary could have overflowed the
parport_nr array in the following code (bnc#1039456).

- CVE-2017-1000365: The Linux Kernel imposes a size
restriction on the arguments and environmental strings
passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the
size), but did not take the argument and environment
pointers into account, which allowed attackers to bypass
this limitation (bnc#1039354).

- CVE-2017-1000380: sound/core/timer.c in the Linux kernel
was vulnerable to a data race in the ALSA /dev/snd/timer
driver resulting in local users being able to read
information belonging to other users, i.e.,
uninitialized memory contents may be disclosed when a
read and an ioctl happen at the same time (bnc#1044125).

The following non-security bugs were fixed :

- acpi: Disable APEI error injection if securelevel is set
(bsc#972891, bsc#1023051).

- blkback/blktap: do not leak stack data via response ring
(bsc#1042863 XSA-216).

- btrfs: cleanup code of btrfs_balance_delayed_items()
(bsc#1034838).

- btrfs: do not run delayed nodes again after all nodes
flush (bsc#1034838).

- btrfs: remove btrfs_end_transaction_dmeta()
(bsc#1034838).

- btrfs: remove residual code in delayed inode async
helper (bsc#1034838).

- btrfs: use flags instead of the bool variants in delayed
node (bsc#1034838).

- cifs: cifs_get_root shouldn't use path with tree name,
alternate fix (bsc#963655, bsc#979681, bsc#1027406).

- dentry name snapshots (bsc#1049483).

- firmware: fix directory creation rule matching with make
3.80 (bsc#1012422).

- firmware: fix directory creation rule matching with make
3.82 (bsc#1012422).

- Fix vmalloc_fault oops during lazy MMU updates
(bsc#948562) (bsc#948562).

- hv: do not lose pending heartbeat vmbus packets
(bnc#1006919, bnc#1053760).

- jbd: do not wait (forever) for stale tid caused by
wraparound (bsc#1020229).

- jbd: Fix oops in journal_remove_journal_head()
(bsc#1017143).

- kernel-binary.spec: Propagate MAKE_ARGS to %build
(bsc#1012422)

- keys: Disallow keyrings beginning with '.' to be joined
as session keyrings (bnc#1035576).

- nfs: Avoid getting confused by confused server
(bsc#1045416).

- nfsd4: minor NFSv2/v3 write decoding cleanup
(bsc#1034670).

- nfsd: check for oversized NFSv2/v3 arguments
(bsc#1034670).

- nfsd: do not risk using duplicate owner/file/delegation
ids (bsc#1029212).

- nfsd: stricter decoding of write-like NFSv2/v3 ops
(bsc#1034670).

- nfs: Make nfs_readdir revalidate less often
(bsc#1048232).

- pciback: check PF instead of VF for PCI_COMMAND_MEMORY
(bsc#957990).

- pciback: only check PF if actually dealing with a VF
(bsc#999245).

- pciback: Save the number of MSI-X entries to be copied
later (bsc#957988).

- Remove superfluous make flags (bsc#1012422)

- Return short read or 0 at end of a raw device, not EIO
(bsc#1039594).

- Revert 'fs/cifs: fix wrongly prefixed path to root'
(bsc#963655, bsc#979681).

- scsi: lpfc: avoid double free of resource identifiers
(bsc#989896).

- scsi: virtio_scsi: fix memory leak on full queue
condition (bsc#1028880).

- sunrpc: Clean up the slot table allocation
(bsc#1013862).

- sunrpc: Initialise the struct xprt upon allocation
(bsc#1013862).

- usb: serial: kl5kusb105: fix line-state error handling
(bsc#1021256).

- usb: wusbcore: fix NULL-deref at probe (bsc#1045487).

- Use make --output-sync feature when available
(bsc#1012422).

- Use PF_LESS_THROTTLE in loop device thread
(bsc#1027101).

- xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1006919
https://bugzilla.suse.com/1012422
https://bugzilla.suse.com/1013862
https://bugzilla.suse.com/1017143
https://bugzilla.suse.com/1020229
https://bugzilla.suse.com/1021256
https://bugzilla.suse.com/1023051
https://bugzilla.suse.com/1024938
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1025235
https://bugzilla.suse.com/1026024
https://bugzilla.suse.com/1026722
https://bugzilla.suse.com/1026914
https://bugzilla.suse.com/1027066
https://bugzilla.suse.com/1027101
https://bugzilla.suse.com/1027178
https://bugzilla.suse.com/1027179
https://bugzilla.suse.com/1027406
https://bugzilla.suse.com/1028415
https://bugzilla.suse.com/1028880
https://bugzilla.suse.com/1029212
https://bugzilla.suse.com/1029850
https://bugzilla.suse.com/1030213
https://bugzilla.suse.com/1030573
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1030593
https://bugzilla.suse.com/1031003
https://bugzilla.suse.com/1031052
https://bugzilla.suse.com/1031440
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031579
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1033287
https://bugzilla.suse.com/1033336
https://bugzilla.suse.com/1034670
https://bugzilla.suse.com/1034838
https://bugzilla.suse.com/1035576
https://bugzilla.suse.com/1037182
https://bugzilla.suse.com/1037183
https://bugzilla.suse.com/1037994
https://bugzilla.suse.com/1038544
https://bugzilla.suse.com/1038564
https://bugzilla.suse.com/1038879
https://bugzilla.suse.com/1038883
https://bugzilla.suse.com/1038981
https://bugzilla.suse.com/1038982
https://bugzilla.suse.com/1039349
https://bugzilla.suse.com/1039354
https://bugzilla.suse.com/1039456
https://bugzilla.suse.com/1039594
https://bugzilla.suse.com/1039882
https://bugzilla.suse.com/1039883
https://bugzilla.suse.com/1039885
https://bugzilla.suse.com/1040069
https://bugzilla.suse.com/1041431
https://bugzilla.suse.com/1042364
https://bugzilla.suse.com/1042863
https://bugzilla.suse.com/1042892
https://bugzilla.suse.com/1044125
https://bugzilla.suse.com/1045416
https://bugzilla.suse.com/1045487
https://bugzilla.suse.com/1046107
https://bugzilla.suse.com/1048232
https://bugzilla.suse.com/1048275
https://bugzilla.suse.com/1049483
https://bugzilla.suse.com/1049603
https://bugzilla.suse.com/1049882
https://bugzilla.suse.com/1050677
https://bugzilla.suse.com/1052311
https://bugzilla.suse.com/1053148
https://bugzilla.suse.com/1053152
https://bugzilla.suse.com/1053760
https://bugzilla.suse.com/1056588
https://bugzilla.suse.com/870618
https://bugzilla.suse.com/948562
https://bugzilla.suse.com/957988
https://bugzilla.suse.com/957990
https://bugzilla.suse.com/963655
https://bugzilla.suse.com/972891
https://bugzilla.suse.com/979681
https://bugzilla.suse.com/983212
https://bugzilla.suse.com/986924
https://bugzilla.suse.com/989896
https://bugzilla.suse.com/999245
https://www.suse.com/security/cve/CVE-2016-10200.html
https://www.suse.com/security/cve/CVE-2016-5243.html
https://www.suse.com/security/cve/CVE-2017-1000112.html
https://www.suse.com/security/cve/CVE-2017-1000363.html
https://www.suse.com/security/cve/CVE-2017-1000365.html
https://www.suse.com/security/cve/CVE-2017-1000380.html
https://www.suse.com/security/cve/CVE-2017-10661.html
https://www.suse.com/security/cve/CVE-2017-11176.html
https://www.suse.com/security/cve/CVE-2017-11473.html
https://www.suse.com/security/cve/CVE-2017-12762.html
https://www.suse.com/security/cve/CVE-2017-14051.html
https://www.suse.com/security/cve/CVE-2017-2647.html
https://www.suse.com/security/cve/CVE-2017-2671.html
https://www.suse.com/security/cve/CVE-2017-5669.html
https://www.suse.com/security/cve/CVE-2017-5970.html
https://www.suse.com/security/cve/CVE-2017-5986.html
https://www.suse.com/security/cve/CVE-2017-6074.html
https://www.suse.com/security/cve/CVE-2017-6214.html
https://www.suse.com/security/cve/CVE-2017-6348.html
https://www.suse.com/security/cve/CVE-2017-6353.html
https://www.suse.com/security/cve/CVE-2017-6951.html
https://www.suse.com/security/cve/CVE-2017-7184.html
https://www.suse.com/security/cve/CVE-2017-7187.html
https://www.suse.com/security/cve/CVE-2017-7261.html
https://www.suse.com/security/cve/CVE-2017-7294.html
https://www.suse.com/security/cve/CVE-2017-7308.html
https://www.suse.com/security/cve/CVE-2017-7482.html
https://www.suse.com/security/cve/CVE-2017-7487.html
https://www.suse.com/security/cve/CVE-2017-7533.html
https://www.suse.com/security/cve/CVE-2017-7542.html
https://www.suse.com/security/cve/CVE-2017-7616.html
https://www.suse.com/security/cve/CVE-2017-8831.html
https://www.suse.com/security/cve/CVE-2017-8890.html
https://www.suse.com/security/cve/CVE-2017-8924.html
https://www.suse.com/security/cve/CVE-2017-8925.html
https://www.suse.com/security/cve/CVE-2017-9074.html
https://www.suse.com/security/cve/CVE-2017-9075.html
https://www.suse.com/security/cve/CVE-2017-9076.html
https://www.suse.com/security/cve/CVE-2017-9077.html
https://www.suse.com/security/cve/CVE-2017-9242.html
http://www.nessus.org/u?2ad28a4c

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
slessp3-kernel-source-13284=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
slexsp3-kernel-source-13284=1

SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
sleposp3-kernel-source-13284=1

SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
dbgsp3-kernel-source-13284=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Scientific Linux Security Update : emacs on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Security Fix(es) :

- A command injection flaw within the Emacs 'enriched
mode' handling has been discovered. By tricking an
unsuspecting user into opening a specially crafted file
using Emacs, a remote attacker could exploit this flaw
to execute arbitrary commands with the privileges of the
Emacs user. (CVE-2017-14482)

See also :

http://www.nessus.org/u?0cba499b

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

RHEL 7 : emacs (RHSA-2017:2771)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for emacs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

GNU Emacs is a powerful, customizable, self-documenting text editor.
It provides special code editing features, a scripting language
(elisp), and the capability to read e-mail and news.

Security Fix(es) :

* A command injection flaw within the Emacs 'enriched mode' handling
has been discovered. By tricking an unsuspecting user into opening a
specially crafted file using Emacs, a remote attacker could exploit
this flaw to execute arbitrary commands with the privileges of the
Emacs user. (CVE-2017-14482)

See also :

http://rhn.redhat.com/errata/RHSA-2017-2771.html
https://www.redhat.com/security/data/cve/CVE-2017-14482.html

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

RHEL 7 : kernel (RHSA-2017:2770)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for kernel is now available for Red Hat Enterprise Linux 7.3
Extended Update Support.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* A race condition was found in the Linux kernel, present since
v3.14-rc1 through v4.12. The race happens between threads of
inotify_handle_event() and vfs_rename() while running the rename
operation against the same file. As a result of the race the next slab
data or the slab's free list pointer can be corrupted with
attacker-controlled data, which may lead to the privilege escalation.
(CVE-2017-7533, Important)

Red Hat would like to thank Leilei Lin (Alibaba Group), Fan Wu (The
University of Hong Kong), and Shixiong Zhao (The University of Hong
Kong) for reporting this issue.

Bug Fix(es) :

* Previously, the sha1-avx2 optimized hashing, which is used on
processors supporting avx2, under certain conditions miscalculated an
offset. Consequently, a kernel crash occasionally occurred on the NFS
clients or servers using the krb5 security. With this update, the
optimized hashing path for sha1-avx2 has been disabled, and the NFS
clients and servers with krb5 security no longer experience the
miscalculation and subsequent crash. (BZ#1446230)

* When the virt boundary limit was set, lots of small bios could not be
merged even though they were physically contiguous. In some workloads,
such as mkfs.ntfs, system performance could be degraded tenfold. The
proposed patch fixes the bug by allowing these small bios to be merged,
which significantly improves the performance of mkfs.ntfs on such devices.
(BZ#1472674)

* When executing the mkfs.btrfs command to create a btrfs file system
over Non-Volatile Memory Express (NVMe), a kernel panic was previously
triggered. The underlying code has been patched to fix this
regression, and the btrfs file system is now created successfully in
the described scenario. (BZ#1472675)

* As a side effect of BZ#147263, the system previously crashed when
creating a container device. The provided patch transforms the
resched_task() function into resched_curr(), and the chance of kernel
crash is thus reduced in the aforementioned situation. (BZ#1473742)

* Due to incorrectly used memory in the VXLAN driver (a use-after-free
bug and list corruption), the kernel could previously panic under some
circumstances while bringing the VXLAN interfaces down. The provided
patch fixes the memory corruptions, and the panic no longer occurs in
this situation. (BZ#1474263)

* A race condition could cause the in-flight asynchronous buffers
count (bt_io_count) to become negative. This caused the umount
operation to hang in the xfs_wait_buftarg() function. The provided
patch fixes the buffer I/O accounting release race, and XFS umount no
longer hangs. (BZ#1478253)

* Kernel version 3.10.0-498.el7 separated CPU and TSC frequency and
introduced the x86_platform.calibrate_cpu function pointer which
points by default to the native_calibrate_cpu() function. As a
consequence, time synchronization bugs appeared on Red Hat Enterprise
Linux 7.3 ESXi guest causing a time offset shortly after boot. An
upstream patch has been applied, which sets x86_platform.calibrate_cpu
pointer on ESXi guests to the proper function, thus fixing this bug.
(BZ#1479245)

* A system having more than 128 CPUs could previously experience a
crash during shutdown after the Intelligent Platform Management
Interface (IPMI) service was stopped. The provided patch fixes a race
condition in the IPMI smi_timeout() function, allowing the system to
shut down as expected. (BZ#1479760)

See also :

http://rhn.redhat.com/errata/RHSA-2017-2770.html
https://www.redhat.com/security/data/cve/CVE-2017-7533.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

RHEL 6 : kernel (RHSA-2017:2760)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for kernel is now available for Red Hat Enterprise Linux 6.7
Extended Update Support.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* It was found that stacking a file system over procfs in the Linux
kernel could lead to a kernel stack overflow due to deep nesting, as
demonstrated by mounting ecryptfs over procfs and creating a recursion
by mapping /proc/environ. An unprivileged, local user could
potentially use this flaw to escalate their privileges on the system.
(CVE-2016-1583, Important)

Bug Fix(es) :

* Previously, while the MAP_GROWSDOWN flag was set, writing to the
memory which was mapped with the mmap system call failed with the
SIGBUS signal. This update fixes memory management in the Linux kernel
by backporting an upstream patch that enlarges the stack guard page
gap. As a result, mmap now works as expected under the described
circumstances. (BZ#1474721)

See also :

http://rhn.redhat.com/errata/RHSA-2017-2760.html
https://www.redhat.com/security/data/cve/CVE-2016-1583.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

RHEL 7 : Mobile Application Platform (RHSA-2017:2674)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update is now available for Red Hat Mobile Application Platform
4.5.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Red Hat Mobile Application Platform (RHMAP) 4.5 is delivered as a set
of Docker-formatted container images.

In addition to the images, several components are delivered as RPMs :

* OpenShift templates used to deploy an RHMAP Core and MBaaS

* The fh-system-dump-tool allows you to analyze all the projects
running in an OpenShift cluster and reports any problems discovered.
For more information, see the Operations Guide.

The following RPMs are included in the RHMAP container images, and are
provided here only for completeness :

* The Nagios server, which is used to monitor the status of RHMAP
components, is installed inside the Nagios container image.

This release serves as an update for Red Hat Mobile Application
Platform 4.4.3. It includes bug fixes and enhancements. Refer to the
Red Hat Mobile Application Platform 4.5.0 Release Notes for
information about the most significant bug fixes and enhancements
included in this release.

Nagios is a program that monitors hosts and services on your network,
and has the ability to send email or page alerts when a problem arises
or is resolved.

Security Fix(es) :

* A shell command injection flaw related to the handling of 'ssh' URLs
has been discovered in Git. An attacker could use this flaw to execute
shell commands with the privileges of the user running the Git client,
for example, when performing a 'clone' action on a malicious
repository or a legitimate repository containing a malicious commit.
(CVE-2017-1000117)

* A flaw was discovered in the file editor of millicore which allows
files to be executed as well as created. An attacker could use this
flaw to compromise other users' or teams' projects stored in the source
control management of the RHMAP Core installation. (CVE-2017-7552)

* The external_request API call in App Studio (millicore) allows
server side request forgery (SSRF). An attacker could use this flaw to
probe the network internal resources and access restricted endpoints.
(CVE-2017-7553)

* A flaw was found where the App Studio component of RHMAP 4.4
executes JavaScript provided by a user. An attacker could use this
flaw to execute a stored XSS attack on an application administrator
using App Studio. (CVE-2017-7554)

Red Hat would like to thank Tomas Rzepka for reporting CVE-2017-7552,
CVE-2017-7553 and CVE-2017-7554.

See also :

https://access.redhat.com/documentation/en-US/
http://rhn.redhat.com/errata/RHSA-2017-2674.html
https://www.redhat.com/security/data/cve/CVE-2017-1000117.html
https://www.redhat.com/security/data/cve/CVE-2017-7552.html
https://www.redhat.com/security/data/cve/CVE-2017-7553.html
https://www.redhat.com/security/data/cve/CVE-2017-7554.html

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3620) (BlueBorne)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

kernel-uek
[4.1.12-103.3.8.1.el7uek]
- Bluetooth: Properly check L2CAP config option output buffer length
(Ben Seri) [Orabug: 26796363] {CVE-2017-1000251}

See also :

https://oss.oracle.com/pipermail/el-errata/2017-September/007211.html
https://oss.oracle.com/pipermail/el-errata/2017-September/007212.html

Solution :

Update the affected unbreakable enterprise kernel packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Oracle Linux 7 : emacs (ELSA-2017-2771)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

From Red Hat Security Advisory 2017:2771 :

An update for emacs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

GNU Emacs is a powerful, customizable, self-documenting text editor.
It provides special code editing features, a scripting language
(elisp), and the capability to read e-mail and news.

Security Fix(es) :

* A command injection flaw within the Emacs 'enriched mode' handling
has been discovered. By tricking an unsuspecting user into opening a
specially crafted file using Emacs, a remote attacker could exploit
this flaw to execute arbitrary commands with the privileges of the
Emacs user. (CVE-2017-14482)

See also :

https://oss.oracle.com/pipermail/el-errata/2017-September/007210.html

Solution :

Update the affected emacs packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

FreeBSD : asterisk -- RTP/RTCP information leak (c2ea3b31-9d75-11e7-bb13-001999f8d30b)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Asterisk project reports :

This is a follow up advisory to AST-2017-005.

Insufficient RTCP packet validation could allow reading stale buffer
contents and when combined with the 'nat' and 'symmetric_rtp' options
allow redirecting where Asterisk sends the next RTCP report.

The RTP stream qualification to learn the source address of media
always accepted the first RTP packet as the new source and allowed
what AST-2017-005 was mitigating. The intent was to qualify a series
of packets before accepting the new source address.

The RTP/RTCP stack will now validate RTCP packets before processing
them.

See also :

https://downloads.asterisk.org/pub/security/AST-2017-008.html
http://www.nessus.org/u?e09f9c26

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

FreeBSD : ruby -- multiple vulnerabilities (95b01379-9d52-11e7-a25c-471bafc3262f)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Ruby blog :

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

If a malicious format string which contains a precision specifier (*)
is passed and a huge minus value is also passed to the specifier, a
buffer underrun may be caused. In such a situation, the result may
contain heap contents, or the Ruby interpreter may crash.

CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick

When using the Basic authentication of WEBrick, clients can pass an
arbitrary string as the user name. WEBrick outputs the passed user
name intact to its log, so an attacker can inject malicious escape
sequences into the log, and dangerous control characters may be
executed on a victim's terminal emulator.

This vulnerability is similar to a vulnerability already fixed, but it
had not been fixed in the Basic authentication.

CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

If a malicious string is passed to the decode method of OpenSSL::ASN1,
buffer underrun may be caused and the Ruby interpreter may crash.

CVE-2017-14064: Heap exposure vulnerability in generating JSON

The generate method of JSON module optionally accepts an instance of
JSON::Ext::Generator::State class. If a malicious instance is passed,
the result may include contents of heap.

See also :

https://www.ruby-lang.org/en/security/
http://www.nessus.org/u?0909107e
http://www.nessus.org/u?90a3a566
http://www.nessus.org/u?5429c6d6
http://www.nessus.org/u?5d043841
http://www.nessus.org/u?1b742eff

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

FreeBSD : Apache -- HTTP OPTIONS method can leak server memory (76b085e2-9d33-11e7-9260-000c292ee6b8) (Optionsbleed)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Fuzzing Project reports :

Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file,
or if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through
2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request
when attempting to read secret data. This is a use-after-free issue
and thus secret data is not always sent, and the specific data depends
on many factors including configuration. Exploitation with .htaccess
can be blocked with a patch to the ap_limit_section function in
server/core.c.

See also :

https://nvd.nist.gov/vuln/detail/CVE-2017-9798
http://www.nessus.org/u?211ff8aa

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

FreeBSD : rubygem-geminabox -- XSS & CSRF vulnerabilities (2bffdf2f-9d45-11e7-a25c-471bafc3262f)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Gem in a box XSS vulnerability - CVE-2017-14506 :

A malicious attacker creates a GEM file whose crafted homepage value
(gem.homepage in the .gemspec file) includes an XSS payload.

The attacker accesses the geminabox system and uploads the gem file (or
uses a CSRF/SSRF attack to do so).

From then on, any user who accesses the Geminabox web server executes
the malicious XSS payload, which will delete any gems on the server and
prevent users from using geminabox anymore (making the victim's browser
crash or redirecting them to other hosts).

See also :

http://www.nessus.org/u?8d7615c8
http://www.nessus.org/u?a92d6469

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : xen (2017-ed735463e3)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- Qemu: usb: ohci: infinite loop due to incorrect return value
[CVE-2017-9330] (#1457698)

- Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
[CVE-2017-10664] (#1466466)

- revised full fix for XSA-226 (regressed 32-bit Dom0 or backend
domains)

----

- full fix for XSA-226, replacing workaround

- drop conflict of xendomain and libvirtd as can cause problems
(#1398590)

- add-to-physmap error paths fail to release lock on ARM [XSA-235]
(#1484476)

- Qemu: audio: host memory leakage via capture buffer [CVE-2017-8309]
(#1446521)

- Qemu: input: host memory leakage via keyboard events [CVE-2017-8379]
(#1446561)

----

- Qemu: serial: host memory leakage 16550A UART emulation
[CVE-2017-5579] (#1416162)

- Qemu: display: cirrus: OOB read access issue [CVE-2017-7718]
(#1443444)

- xen: various flaws (#1481765)

- multiple problems with transitive grants [XSA-226, CVE-2017-12135]

- x86: PV privilege escalation via map_grant_ref [XSA-227,
CVE-2017-12137]

- grant_table: Race conditions with maptrack free list handling
[XSA-228, CVE-2017-12136]

- grant_table: possibly premature clearing of GTF_writing / GTF_reading
[XSA-230, CVE-2017-12855]

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed735463e3

Solution :

Update the affected xen package.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : ruby (2017-e136d63c99)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- Fix ANSI escape sequence vulnerability (CVE-2017-0899).

- Fix DoS vulnerability in the query command
(CVE-2017-0900).

- Fix a vulnerability in the gem installer that allowed a
malicious gem to overwrite arbitrary files
(CVE-2017-0901).

- Fix DNS request hijacking vulnerability (CVE-2017-0902).

- Fix arbitrary heap exposure during a JSON.generate call
(CVE-2017-14064).

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-e136d63c99

Solution :

Update the affected ruby package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : LibRaw (2017-c5d7fd07c5)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Patch for CVE-2017-13735.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5d7fd07c5

Solution :

Update the affected LibRaw package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : mingw-libzip (2017-bb5d87e9de)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes CVE-2017-14107.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-bb5d87e9de

Solution :

Update the affected mingw-libzip package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : freexl (2017-b7e6e4cfc1)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes a Cisco Talos CVE :

'A specially crafted XLS file can cause a memory corruption resulting
in remote code execution. An attacker can send a malicious XLS file to
trigger this vulnerability.'

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-b7e6e4cfc1

Solution :

Update the affected freexl package.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 26 : rawtherapee (2017-b10e1a9166)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2017-13735

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-b10e1a9166

Solution :

Update the affected rawtherapee package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 26 : jasper (2017-769793738f)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Rebase to the latest upstream version 2.0.14. This update contains a
security fix for CVE-2017-1000050.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-769793738f

Solution :

Update the affected jasper package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 26 : libwpd (2017-63ff51c0dc)


Synopsis:

The remote Fedora host is missing a security update.

Description:

new upstream release

----

- heap overflow in libwpd

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-63ff51c0dc

Solution :

Update the affected libwpd package.

Risk factor :

High

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 26 : mingw-libzip (2017-4d4914a260)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Update to version 1.3.0, see https://nih.at/libzip/NEWS.html for
details.

----

This update backports security fix for CVE-2017-14107.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d4914a260
https://nih.at/libzip/NEWS.html

Solution :

Update the affected mingw-libzip package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : 1:emacs / ImageMagick / WindowMaker / autotrace / converseen / etc (2017-3a568adb31)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

Many security fixes, bug fixes, and other changes from the previous
version 6.9.3.0. See the [6.9 branch
ChangeLog](https://github.com/ImageMagick/ImageMagick/blob/3fd358e2ac34977fda38a2cf4d88a1cb4dd2d7c7/ChangeLog).

Dependent packages are mostly straight rebuilds, a couple also include
bugfix version updates.

----

rhbz#1490649 - emacs-25.3 is available

rhbz#1490410 - unsafe enriched mode translations (security)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-3a568adb31

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Fedora 25 : FlightGear (2017-292c77b3c1)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes a security bug in the FGLogger subsystem, to prevent
it from overwriting arbitrary files the user has write access to
(CVE-2017-13709).

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.

See also :

https://bodhi.fedoraproject.org/updates/FEDORA-2017-292c77b3c1

Solution :

Update the affected FlightGear package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Debian DSA-3979-1 : pyjwt - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

It was discovered that PyJWT, a Python implementation of JSON Web
Token, performed insufficient validation of some public key types,
which could allow a remote attacker to craft JWTs from scratch.

See also :

https://packages.debian.org/source/jessie/pyjwt
https://packages.debian.org/source/stretch/pyjwt
http://www.debian.org/security/2017/dsa-3979

Solution :

Upgrade the pyjwt packages.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.2.1-1+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.4.2-1+deb9u1.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Debian DLA-1100-1 : gdk-pixbuf security update


Synopsis:

The remote Debian host is missing a security update.

Description:

Marcin Noga discovered a buffer overflow in the JPEG loader of the GDK
Pixbuf library, which may result in the execution of arbitrary code if
a malformed file is opened.

For Debian 7 'Wheezy', these problems have been fixed in version
2.26.1-1+deb7u6.

We recommend that you upgrade your gdk-pixbuf packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2017/09/msg00016.html
https://packages.debian.org/source/wheezy/gdk-pixbuf

Solution :

Upgrade the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Apache Tomcat 7.0.x < 7.0.81 Multiple Vulnerabilities


Synopsis:

The remote Apache Tomcat server is affected by multiple
vulnerabilities.

Description:

The version of Apache Tomcat installed on the remote host is 7.0.x
prior to 7.0.81. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified vulnerability when running on Windows with HTTP
PUTs enabled (e.g. via setting the readonly initialization
parameter of the Default to false) makes it possible to upload a
JSP file to the server via a specially crafted request. This JSP
could then be requested and any code it contained would be
executed by the server. (CVE-2017-12615)

- When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources
served by the VirtualDirContext using a specially crafted request.
(CVE-2017-12616)

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?d6b65377

Solution :

Upgrade to Apache Tomcat version 7.0.81 or later.

Note that the remote code execution issue was fixed in Apache Tomcat
7.0.80 but the release vote for the 7.0.81 release candidate did not
pass. Therefore, although users must download 7.0.81 to obtain a
version that includes the fix for this issue, version 7.0.80 is not
included in the list of affected versions.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Xen Hypervisor Multiple Vulnerabilities (XSA-231 - XSA-234)


Synopsis:

The remote Xen hypervisor installation is missing a security update.

Description:

According to its self-reported version number, the Xen hypervisor
installed on the remote host is affected by multiple vulnerabilities :

- A flaw exists in the alloc_heap_pages() function due to
improper handling when 'node >= MAX_NUMNODES'. A guest
attacker can use crafted hypercalls to execute arbitrary
code on the host system. (CVE-2017-14316)

- A double-free flaw exists in the domain_cleanup()
function within 'xenstored_domain.c'. A local attacker
can use this flaw to crash the xenstored daemon which
potentially could cause a denial of service.
(CVE-2017-14317)

- A null pointer dereference flaw exists in the
__gnttab_cache_flush() function. An attacker could
potentially leverage this flaw to crash the host system
from a guest system. (CVE-2017-14318)

- A flaw exists within 'arch/x86/mm.c'. An attacker could
leverage this vulnerability to gain elevated privileges
on the host system from a guest system. (CVE-2017-14319)

Note that Nessus has checked the changeset versions based on the
xen.git change log. Nessus did not check guest hardware configurations
or if patches were applied manually to the source code before a
recompile and reinstall.

See also :

http://xenbits.xen.org/xsa/advisory-231.html
http://xenbits.xen.org/xsa/advisory-232.html
http://xenbits.xen.org/xsa/advisory-233.html
http://xenbits.xen.org/xsa/advisory-234.html
https://xenbits.xen.org/gitweb/?p=xen.git;a=summary

Solution :

Apply the appropriate patch according to the vendor advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : libxml2 vulnerabilities (USN-3424-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that could
cause a denial of service or possibly execute arbitrary code.
(CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML data
that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Bohme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to
specially construct XML data that could cause a denial of service or
possibly execute arbitrary code. (CVE-2017-9047)

Marcel Bohme and Van-Thuan Pham discovered a buffer overread in
libxml2 when handling elements. An attacker could use this to
specially construct XML data that could cause a denial of service.
(CVE-2017-9048)

Marcel Bohme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected libxml2 package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

It was discovered that a buffer overflow existed in the Bluetooth
stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-1000251)

It was discovered that the asynchronous I/O (aio) subsystem of the
Linux kernel did not properly set permissions on aio memory mappings
in some situations. An attacker could use this to more easily exploit
other vulnerabilities. (CVE-2016-10044)

Baozeng Ding and Andrey Konovalov discovered a race condition in the
L2TPv3 IP Encapsulation implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-10200)

Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during
a setxattr call. A local attacker could use this to possibly elevate
group privileges. (CVE-2016-7097)

Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered
that the key management subsystem in the Linux kernel did not properly
allocate memory in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2016-8650)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the
VFIO PCI driver for the Linux kernel. A local attacker with access to
a vfio PCI device file could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2016-9083,
CVE-2016-9084)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use
this to expose sensitive information. (CVE-2016-9178)

CAI Qian discovered that the sysctl implementation in the Linux kernel
did not properly perform reference counting in some situations. An
unprivileged attacker could use this to cause a denial of service
(system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel
in some situations did not prevent special internal keyrings from
being joined by userspace keyrings. A privileged local attacker could
use this to bypass module verification. (CVE-2016-9604)

It was discovered that an integer overflow existed in the trace
subsystem of the Linux kernel. A local privileged attacker could use
this to cause a denial of service (system crash). (CVE-2016-9754)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2017-5970)

Dmitry Vyukov discovered that the Linux kernel did not properly handle
TCP packets with the URG flag. A remote attacker could use this to
cause a denial of service. (CVE-2017-6214)

It was discovered that a race condition existed in the AF_PACKET
handling code in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-6346)

It was discovered that the keyring implementation in the Linux kernel
did not properly restrict searches for dead keys. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2017-6951)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the
Linux kernel contained a stack-based buffer overflow. A local attacker
with access to an sg device could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

Eric Biggers discovered a memory leak in the keyring implementation in
the Linux kernel. A local attacker could use this to cause a denial of
service (memory consumption). (CVE-2017-7472)

It was discovered that a buffer overflow existed in the Broadcom
FullMAC WLAN driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7541)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 17.04 : libidn2-0 vulnerability (USN-3421-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

It was discovered that Libidn2 incorrectly handled certain input. A
remote attacker could possibly use this issue to cause Libidn2 to
crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected idn2 and / or libidn2-0 packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3420-2) (BlueBorne)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

USN-3420-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a buffer overflow existed in the Bluetooth
stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-1000251)

It was discovered that the Flash-Friendly File System (f2fs)
implementation in the Linux kernel did not properly validate
superblock metadata. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-10663)

It was discovered that a buffer overflow existed in the ioctl handling
code in the ISDN subsystem of the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-12762)

Pengfei Wang discovered that a race condition existed in the NXP
SAA7164 TV Decoder driver for the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3420-1) (BlueBorne)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

It was discovered that a buffer overflow existed in the Bluetooth
stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-1000251)

It was discovered that the Flash-Friendly File System (f2fs)
implementation in the Linux kernel did not properly validate
superblock metadata. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-10663)

It was discovered that a buffer overflow existed in the ioctl handling
code in the ISDN subsystem of the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-12762)

Pengfei Wang discovered that a race condition existed in the NXP
SAA7164 TV Decoder driver for the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3419-2) (BlueBorne)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

USN-3419-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that a buffer overflow existed in the Bluetooth
stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-1000251)

It was discovered that a buffer overflow existed in the Broadcom
FullMAC WLAN driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7541)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3419-1) (BlueBorne)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

It was discovered that a buffer overflow existed in the Bluetooth
stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-1000251)

It was discovered that a buffer overflow existed in the Broadcom
FullMAC WLAN driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7541)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2017 Tenable Network Security, Inc.
