SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 8779 / 8791 / 8792)

high Nessus Plugin ID 72163

Language:

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 2 kernel was updated to 3.0.101 and also includes various other bug and security fixes.

A new feature was added :

- supported.conf: marked net/netfilter/xt_set as supported (bnc#851066)(fate#313309) The following security bugs have been fixed :

- Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (bnc#853050).
(CVE-2013-4587)

- The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (bnc#853052).
(CVE-2013-6368)

- The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (bnc#853051).
(CVE-2013-6367)

- Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots. (bnc#851101).
(CVE-2013-4592)

- The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (bnc#852559).
(CVE-2013-6378)

- Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions. (bnc#849029). (CVE-2013-4514)

- The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call. (bnc#849034). (CVE-2013-4515)

- The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header. (bnc#854634). (CVE-2013-7027)

- The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. (bnc#848321). (CVE-2013-4483)

- Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. (bnc#849021).
(CVE-2013-4511)

- The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.
(bnc#852373). (CVE-2013-6380)

- Linux kernel built with the networking support(CONFIG_NET) is vulnerable to an information leakage flaw in the socket layer. It could occur while doing recvmsg(2), recvfrom(2) socket calls. It occurs due to improperly initialised msg_name & msg_namelen message header parameters. (bnc#854722). (CVE-2013-6463)

- The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. (bnc#852558).
(CVE-2013-6383)

- Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data.
(bnc#840226). (CVE-2013-4345)

Also the following non-security bugs have been fixed :

- kabi: protect bind_conflict callback in struct inet_connection_sock_af_ops. (bnc#823618)

- printk: forcibly flush nmi ringbuffer if oops is in progress. (bnc#849675)

- blktrace: Send BLK_TN_PROCESS events to all running traces. (bnc#838623)

- x86/dumpstack: Fix printk_address for direct addresses.
(bnc#845621)

- futex: fix handling of read-only-mapped hugepages (VM Functionality).

- random: fix accounting race condition with lockless irq entropy_count update. (bnc#789359)

- Provide realtime priority kthread and workqueue boot options. (bnc#836718)

- sched: Fix several races in CFS_BANDWIDTH. (bnc#848336)

- sched: Fix cfs_bandwidth misuse of hrtimer_expires_remaining. (bnc#848336)

- sched: Fix hrtimer_cancel()/rq->lock deadlock.
(bnc#848336)

- sched: Fix race on toggling cfs_bandwidth_used.
(bnc#848336)

- sched: Fix buglet in return_cfs_rq_runtime().

- sched: Guarantee new group-entities always have weight.
(bnc#848336)

- sched: Use jump labels to reduce overhead when bandwidth control is inactive. (bnc#848336)

- watchdog: Get rid of MODULE_ALIAS_MISCDEV statements.
(bnc#827767)

- tcp: bind() fix autoselection to share ports.
(bnc#823618)

- tcp: bind() use stronger condition for bind_conflict.
(bnc#823618)

- tcp: ipv6: bind() use stronger condition for bind_conflict. (bnc#823618)

- macvlan: disable LRO on lower device instead of macvlan.
(bnc#846984)

- macvlan: introduce IFF_MACVLAN flag and helper function.
(bnc#846984)

- macvlan: introduce macvlan_dev_real_dev() helper function. (bnc#846984)

- xen: netback: bump tx queue length. (bnc#849404)

- xen: xen_spin_kick fixed crash/lock release (bnc#807434)(bnc#848652).

- xen: fixed USB passthrough issue. (bnc#852624)

- netxen: fix off by one bug in netxen_release_tx_buffer(). (bnc#845729)

- xfrm: invalidate dst on policy insertion/deletion.
(bnc#842239)

- xfrm: prevent ipcomp scratch buffer race condition.
(bnc#842239)

- crypto: Fix aes-xts parameter corruption (bnc#854546, LTC#100718).

- crypto: gf128mul - fix call to memset() (obvious fix).

- autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race. (bnc#851314)

- autofs4: catatonic_mode vs. notify_daemon race.
(bnc#851314)

- autofs4: close the races around autofs4_notify_daemon().
(bnc#851314)

- autofs4: deal with autofs4_write/autofs4_write races.
(bnc#851314)

- autofs4 - dont clear DCACHE_NEED_AUTOMOUNT on rootless mount. (bnc#851314)

- autofs4 - fix deal with autofs4_write races.
(bnc#851314)

- autofs4 - use simple_empty() for empty directory check.
(bnc#851314)

- blkdev_max_block: make private to fs/buffer.c.
(bnc#820338)

- Avoid softlockup in shrink_dcache_for_umount_subtree.
(bnc#834473)

- dlm: set zero linger time on sctp socket. (bnc#787843)

- SUNRPC: Fix a data corruption issue when retransmitting RPC calls. (bnc#855037)

- nfs: Change NFSv4 to not recover locks after they are lost. (bnc#828236)

- nfs: Adapt readdirplus to application usage patterns.
(bnc#834708)

- xfs: Account log unmount transaction correctly.
(bnc#849950)

- xfs: improve ioend error handling. (bnc#846036)

- xfs: reduce ioend latency. (bnc#846036)

- xfs: use per-filesystem I/O completion workqueues.
(bnc#846036)

- xfs: Hide additional entries in struct xfs_mount.
(bnc#846036 / bnc#848544)

- vfs: avoid 'attempt to access beyond end of device' warnings. (bnc#820338)

- vfs: fix O_DIRECT read past end of block device.
(bnc#820338)

- cifs: Improve performance of browsing directories with several files. (bnc#810323)

- cifs: Ensure cifs directories do not show up as files.
(bnc#826602)

- sd: avoid deadlocks when running under multipath.
(bnc#818545)

- sd: fix crash when UA received on DIF enabled device.
(bnc#841445)

- sg: fix blk_get_queue usage. (bnc#834808)

- block: factor out vector mergeable decision to a helper function. (bnc#769644)

- block: modify __bio_add_page check to accept pages that do not start a new segment. (bnc#769644)

- dm-multipath: abort all requests when failing a path.
(bnc#798050)

- scsi: Add 'eh_deadline' to limit SCSI EH runtime.
(bnc#798050)

- scsi: Allow error handling timeout to be specified.
(bnc#798050)

- scsi: Fixup compilation warning. (bnc#798050)

- scsi: Retry failfast commands after EH. (bnc#798050)

- scsi: Warn on invalid command completion. (bnc#798050)

- scsi: kABI fixes. (bnc#798050)

- scsi: remove check for 'resetting'. (bnc#798050)

- advansys: Remove 'last_reset' references. (bnc#798050)

- cleanup setting task state in scsi_error_handler().
(bnc#798050)

- dc395: Move 'last_reset' into internal host structure.
(bnc#798050)

- dpt_i2o: Remove DPTI_STATE_IOCTL. (bnc#798050)

- dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset.
(bnc#798050)

- tmscsim: Move 'last_reset' into host structure.
(bnc#798050)

- scsi_dh: invoke callback if ->activate is not present.
(bnc#708296)

- scsi_dh: return individual errors in scsi_dh_activate().
(bnc#708296)

- scsi_dh_alua: Decode EMC Clariion extended inquiry.
(bnc#708296)

- scsi_dh_alua: Decode HP EVA array identifier.
(bnc#708296)

- scsi_dh_alua: Evaluate state for all port groups.
(bnc#708296)

- scsi_dh_alua: Fix missing close brace in alua_check_sense. (bnc#843642)

- scsi_dh_alua: Make stpg synchronous. (bnc#708296)

- scsi_dh_alua: Pass buffer as function argument.
(bnc#708296)

- scsi_dh_alua: Re-evaluate port group states after STPG.
(bnc#708296)

- scsi_dh_alua: Recheck state on transitioning.
(bnc#708296)

- scsi_dh_alua: Rework rtpg workqueue. (bnc#708296)

- scsi_dh_alua: Use separate alua_port_group structure.
(bnc#708296)

- scsi_dh_alua: Allow get_alua_data() to return NULL.
(bnc#839407)

- scsi_dh_alua: asynchronous RTPG. (bnc#708296)

- scsi_dh_alua: correctly terminate target port strings.
(bnc#708296)

- scsi_dh_alua: defer I/O while workqueue item is pending.
(bnc#708296)

- scsi_dh_alua: Do not attach to RAID or enclosure devices. (bnc#819979)

- scsi_dh_alua: Do not attach to well-known LUNs.
(bnc#821980)

- scsi_dh_alua: fine-grained locking in alua_rtpg_work().
(bnc#708296)

- scsi_dh_alua: invalid state information for 'optimized' paths. (bnc#843445)

- scsi_dh_alua: move RTPG to workqueue. (bnc#708296)

- scsi_dh_alua: move 'expiry' into PG structure.
(bnc#708296)

- scsi_dh_alua: move some sense code handling into generic code. (bnc#813245)

- scsi_dh_alua: multipath failover fails with error 15.
(bnc#825696)

- scsi_dh_alua: parse target device id. (bnc#708296)

- scsi_dh_alua: protect accesses to struct alua_port_group. (bnc#708296)

- scsi_dh_alua: put sense buffer on stack. (bnc#708296)

- scsi_dh_alua: reattaching device handler fails with 'Error 15'. (bnc#843429)

- scsi_dh_alua: remove locking when checking state.
(bnc#708296)

- scsi_dh_alua: remove stale variable. (bnc#708296)

- scsi_dh_alua: retry RTPG on UNIT ATTENTION. (bnc#708296)

- scsi_dh_alua: retry command on 'mode parameter changed' sense code. (bnc#843645)

- scsi_dh_alua: simplify alua_check_sense(). (bnc#843642)

- scsi_dh_alua: simplify state update. (bnc#708296)

- scsi_dh_alua: use delayed_work. (bnc#708296)

- scsi_dh_alua: use flag for RTPG extended header.
(bnc#708296)

- scsi_dh_alua: use local buffer for VPD inquiry.
(bnc#708296)

- scsi_dh_alua: use spin_lock_irqsave for port group.
(bnc#708296)

- lpfc: Do not free original IOCB whenever ABTS fails.
(bnc#806988)

- lpfc: Fix kernel warning on spinlock usage. (bnc#806988)

- lpfc: Fixed system panic due to midlayer abort.
(bnc#806988)

- qla2xxx: Add module parameter to override the default request queue size. (bnc#826756)

- qla2xxx: Module parameter 'ql2xasynclogin'. (bnc#825896)

- bna: do not register ndo_set_rx_mode callback.
(bnc#847261)

- hv: handle more than just WS2008 in KVP negotiation.
(bnc#850640)

- drm: do not add inferred modes for monitors that do not support them. (bnc#849809)

- pci/quirks: Modify reset method for Chelsio T4.
(bnc#831168)

- pci: fix truncation of resource size to 32 bits.
(bnc#843419)

- pci: pciehp: Retrieve link speed after link is trained.
(bnc#820102)

- pci: Separate pci_bus_read_dev_vendor_id from pci_scan_device. (bnc#820102)

- pci: pciehp: replace unconditional sleep with config space access check. (bnc#820102)

- pci: pciehp: make check_link_active more helpful.
(bnc#820102)

- pci: pciehp: Add pcie_wait_link_not_active().
(bnc#820102)

- pci: pciehp: Add Disable/enable link functions.
(bnc#820102)

- pci: pciehp: Disable/enable link during slot power off/on. (bnc#820102)

- mlx4: allocate just enough pages instead of always 4 pages. (bnc#835186 / bnc#835074)

- mlx4: allow order-0 memory allocations in RX path.
(bnc#835186 / bnc#835074)

- net/mlx4: use one page fragment per incoming frame.
(bnc#835186 / bnc#835074)

- qeth: request length checking in snmp ioctl (bnc#849848, LTC#99511).

- cio: add message for timeouts on internal I/O (bnc#837739,LTC#97047).

- s390/cio: dont abort verification after missing irq (bnc#837739,LTC#97047).

- s390/cio: skip broken paths (bnc#837739,LTC#97047).

- s390/cio: export vpm via sysfs (bnc#837739,LTC#97047).

- s390/cio: handle unknown pgroup state (bnc#837739,LTC#97047).

Solution

Apply SAT patch number 8779 / 8791 / 8792 as appropriate.

Plugin Details

Severity: High

ID: 72163

File Name: suse_11_kernel-140116.nasl

Version: 1.4

Type: local

Agent: unix

Family: SuSE Local Security Checks

Published: 1/28/2014

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, p-cpe:/a:novell:suse_linux:11:xen-kmp-default, p-cpe:/a:novell:suse_linux:11:xen-kmp-pae, p-cpe:/a:novell:suse_linux:11:xen-kmp-trace, cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:kernel-trace-extra

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 1/16/2014

Reference Information

CVE: CVE-2013-4345, CVE-2013-4483, CVE-2013-4511, CVE-2013-4514, CVE-2013-4515, CVE-2013-4587, CVE-2013-4592, CVE-2013-6367, CVE-2013-6368, CVE-2013-6378, CVE-2013-6380, CVE-2013-6383, CVE-2013-7027, CVE-2013-7266, CVE-2013-7267, CVE-2013-7268, CVE-2013-7269, CVE-2013-7270, CVE-2013-7271

Detections

Analytics