SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0652-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.

Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 Service Pack 1 LTSS kernel was updated to
fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

- CVE-2013-4299: Interpretation conflict in
drivers/md/dm-snap-persistent.c in the Linux kernel
through 3.11.6 allowed remote authenticated users to
obtain sensitive information or modify data via a
crafted mapping to a snapshot block device (bnc#846404).

- CVE-2014-8160: SCTP firewalling failed until the SCTP
module was loaded (bnc#913059).

- CVE-2014-9584: The parse_rock_ridge_inode_internal
function in fs/isofs/rock.c in the Linux kernel before
3.18.2 did not validate a length value in the Extensions
Reference (ER) System Use Field, which allowed local
users to obtain sensitive information from kernel memory
via a crafted iso9660 image (bnc#912654).

- CVE-2014-9585: The vdso_addr function in
arch/x86/vdso/vma.c in the Linux kernel through 3.18.2
did not properly choose memory locations for the vDSO
area, which made it easier for local users to bypass the
ASLR protection mechanism by guessing a location at the
end of a PMD (bnc#912705).

- CVE-2014-9420: The rock_continue function in
fs/isofs/rock.c in the Linux kernel through 3.18.1 did
not restrict the number of Rock Ridge continuation
entries, which allowed local users to cause a denial of
service (infinite loop, and system crash or hang) via a
crafted iso9660 image (bnc#911325).

- CVE-2014-0181: The Netlink implementation in the Linux
kernel through 3.14.1 did not provide a mechanism for
authorizing socket operations based on the opener of a
socket, which allowed local users to bypass intended
access restrictions and modify network configurations by
using a Netlink socket for the (1) stdout or (2) stderr
of a setuid program (bnc#875051).

- CVE-2010-5313: Race condition in arch/x86/kvm/x86.c in
the Linux kernel before 2.6.38 allowed L2 guest OS users
to cause a denial of service (L1 guest OS crash) via a
crafted instruction that triggers an L2 emulation
failure report, a similar issue to CVE-2014-7842
(bnc#907822).

- CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in
the Linux kernel before 3.17.4 allowed guest OS users to
cause a denial of service (guest OS crash) via a crafted
application that performs an MMIO transaction or a PIO
transaction to trigger a guest userspace emulation error
report, a similar issue to CVE-2010-5313 (bnc#905312).

- CVE-2014-3688: The SCTP implementation in the Linux
kernel before 3.17.4 allowed remote attackers to cause a
denial of service (memory consumption) by triggering a
large number of chunks in an association's output queue,
as demonstrated by ASCONF probes, related to
net/sctp/inqueue.c and net/sctp/sm_statefuns.c
(bnc#902351).

- CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function
in net/sctp/associola.c in the SCTP implementation in
the Linux kernel through 3.17.2 allowed remote attackers
to cause a denial of service (panic) via duplicate
ASCONF chunks that trigger an incorrect uncork within
the side-effect interpreter (bnc#902349).

- CVE-2014-3673: The SCTP implementation in the Linux
kernel through 3.17.2 allowed remote attackers to cause
a denial of service (system crash) via a malformed
ASCONF chunk, related to net/sctp/sm_make_chunk.c and
net/sctp/sm_statefuns.c (bnc#902346).

- CVE-2014-7841: The sctp_process_param function in
net/sctp/sm_make_chunk.c in the SCTP implementation in
the Linux kernel before 3.17.4, when ASCONF is used,
allowed remote attackers to cause a denial of service
(NULL pointer dereference and system crash) via a
malformed INIT chunk (bnc#905100).

- CVE-2014-8709: The ieee80211_fragment function in
net/mac80211/tx.c in the Linux kernel before 3.13.5 did
not properly maintain a certain tail pointer, which
allowed remote attackers to obtain sensitive cleartext
information by reading packets (bnc#904700).

- CVE-2013-7263: The Linux kernel before 3.12.4 updated
certain length values before ensuring that associated
data structures have been initialized, which allowed
local users to obtain sensitive information from kernel
stack memory via a (1) recvfrom, (2) recvmmsg, or (3)
recvmsg system call, related to net/ipv4/ping.c,
net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and
net/ipv6/udp.c (bnc#857643).

- CVE-2012-6657: The sock_setsockopt function in
net/core/sock.c in the Linux kernel before 3.5.7 did not
ensure that a keepalive action is associated with a
stream socket, which allowed local users to cause a
denial of service (system crash) by leveraging the
ability to create a raw socket (bnc#896779).

- CVE-2014-3185: Multiple buffer overflows in the
command_port_read_callback function in
drivers/usb/serial/whiteheat.c in the Whiteheat USB
Serial Driver in the Linux kernel before 3.16.2 allowed
physically proximate attackers to execute arbitrary code
or cause a denial of service (memory corruption and
system crash) via a crafted device that provides a large
amount of (1) EHCI or (2) XHCI data associated with a
bulk response (bnc#896391).

- CVE-2014-3184: The report_fixup functions in the HID
subsystem in the Linux kernel before 3.16.2 might allow
physically proximate attackers to cause a denial of
service (out-of-bounds write) via a crafted device that
provides a small report descriptor, related to (1)
drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)
drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,
(5) drivers/hid/hid-petalynx.c, and (6)
drivers/hid/hid-sunplus.c (bnc#896390).

The following non-security bugs have been fixed :

- KVM: SVM: Make Use of the generic guest-mode functions
(bnc#907822).

- KVM: inject #UD if instruction emulation fails and exit
to userspace (bnc#907822).

- block: Fix bogus partition statistics reports
(bnc#885077 bnc#891211).

- block: skip request queue cleanup if no elevator is
assigned (bnc#899338).

- isofs: Fix unchecked printing of ER records.

- Re-enable nested-spinlocks-backport patch for xen
(bnc#908870).

- time, ntp: Do not update time_state in middle of leap
second (bnc#912916).

- timekeeping: Avoid possible deadlock from
clock_was_set_delayed (bnc#771619, bnc#915335).

- udf: Check component length before reading it.

- udf: Check path length when reading symlink.

- udf: Verify i_size when loading inode.

- udf: Verify symlink size before loading it.

- vt: prevent race between modifying and reading unicode
map (bnc#915826).

- writeback: Do not sync data dirtied after sync start
(bnc#833820).

- xfs: Avoid blocking on inode flush in background inode
reclaim (bnc#892235).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/771619
https://bugzilla.suse.com/833820
https://bugzilla.suse.com/846404
https://bugzilla.suse.com/857643
https://bugzilla.suse.com/875051
https://bugzilla.suse.com/885077
https://bugzilla.suse.com/891211
https://bugzilla.suse.com/892235
https://bugzilla.suse.com/896390
https://bugzilla.suse.com/896391
https://bugzilla.suse.com/896779
https://bugzilla.suse.com/899338
https://bugzilla.suse.com/902346
https://bugzilla.suse.com/902349
https://bugzilla.suse.com/902351
https://bugzilla.suse.com/904700
https://bugzilla.suse.com/905100
https://bugzilla.suse.com/905312
https://bugzilla.suse.com/907822
https://bugzilla.suse.com/908870
https://bugzilla.suse.com/911325
https://bugzilla.suse.com/912654
https://bugzilla.suse.com/912705
https://bugzilla.suse.com/912916
https://bugzilla.suse.com/913059
https://bugzilla.suse.com/915335
https://bugzilla.suse.com/915826
http://www.nessus.org/u?859a6bb5
http://www.nessus.org/u?c8b31cc6
http://www.nessus.org/u?7c8f1473
http://www.nessus.org/u?0d3e3539
http://www.nessus.org/u?958976ab
http://www.nessus.org/u?5151205f
https://www.suse.com/security/cve/CVE-2010-5313.html
https://www.suse.com/security/cve/CVE-2012-6657.html
https://www.suse.com/security/cve/CVE-2013-4299.html
https://www.suse.com/security/cve/CVE-2013-7263.html
https://www.suse.com/security/cve/CVE-2014-0181.html
https://www.suse.com/security/cve/CVE-2014-3184.html
https://www.suse.com/security/cve/CVE-2014-3185.html
https://www.suse.com/security/cve/CVE-2014-3673.html
https://www.suse.com/security/cve/CVE-2014-3687.html
https://www.suse.com/security/cve/CVE-2014-3688.html
https://www.suse.com/security/cve/CVE-2014-7841.html
https://www.suse.com/security/cve/CVE-2014-7842.html
https://www.suse.com/security/cve/CVE-2014-8160.html
https://www.suse.com/security/cve/CVE-2014-8709.html
https://www.suse.com/security/cve/CVE-2014-9420.html
https://www.suse.com/security/cve/CVE-2014-9584.html
https://www.suse.com/security/cve/CVE-2014-9585.html
http://www.nessus.org/u?25324753

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11 SP1 LTSS :

zypper in -t patch slessp1-kernel=10315 slessp1-kernel=10316 slessp1-kernel=10317

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false