SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:1611-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various
security and bugfixes.

Following security bugs were fixed :

- CVE-2015-5707: An integer overflow in the SCSI generic
driver could be potentially used by local attackers to
crash the kernel or execute code (bsc#940338).

- CVE-2015-5364: A remote denial of service (hang) via UDP
flood with incorrect package checksums was fixed.
(bsc#936831).

- CVE-2015-5366: A remote denial of service (unexpected
error returns) via UDP flood with incorrect package
checksums was fixed. (bsc#936831).

- CVE-2015-1420: A race condition in the handle_to_path
function in fs/fhandle.c in the Linux kernel allowed
local users to bypass intended size restrictions and
trigger read operations on additional memory locations
by changing the handle_bytes value of a file handle
during the execution of this function (bnc#915517).

- CVE-2015-4700: A local user could have created a bad
instruction in the JIT processed BPF code, leading to a
kernel crash (bnc#935705).

- CVE-2015-4167: The UDF filesystem in the Linux kernel
was vulnerable to a crash which could occur while
fetching inode information from a corrupted/malicious
udf file system image. (bsc#933907).

- CVE-2014-9728 CVE-2014-9729 CVE-2014-9730 CVE-2014-9731:
Various issues in handling UDF filesystems in the Linux
kernel allowed the corruption of kernel memory and other
issues. An attacker able to mount a corrupted/malicious
UDF file system image could cause the kernel to crash.
(bsc#933904 bsc#933896)

- CVE-2015-2150: The Linux kernel did not properly
restrict access to PCI command registers, which might
have allowed local guest users to cause a denial of
service (non-maskable interrupt and host crash) by
disabling the (1) memory or (2) I/O decoding for a PCI
Express device and then accessing the device, which
triggers an Unsupported Request (UR) response
(bsc#919463).

- CVE-2015-0777: drivers/xen/usbback/usbback.c as used in
the Linux kernel 2.6.x and 3.x in SUSE Linux
distributions, allowed guest OS users to obtain
sensitive information from uninitialized locations in
host OS kernel memory via unspecified vectors
(bnc#917830).

- CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux
kernel did not prevent the TS_COMPAT flag from reaching
a user-mode task, which might have allowed local users
to bypass the seccomp or audit protection mechanism via
a crafted application that uses the (1) fork or (2)
close system call, as demonstrated by an attack against
seccomp before 3.16 (bnc#926240).

- CVE-2015-1805: The Linux kernels implementation of
vectored pipe read and write functionality did not take
into account the I/O vectors that were already processed
when retrying after a failed atomic access operation,
potentially resulting in memory corruption due to an I/O
vector array overrun. A local, unprivileged user could
use this flaw to crash the system or, potentially,
escalate their privileges on the system. (bsc#933429).

Also the following non-security bugs were fixed :

- audit: keep inode pinned (bsc#851068).

- btrfs: be aware of btree inode write errors to avoid fs
corruption (bnc#942350).

- btrfs: check if previous transaction aborted to avoid fs
corruption (bnc#942350).

- btrfs: deal with convert_extent_bit errors to avoid fs
corruption (bnc#942350).

- cifs: Fix missing crypto allocation (bnc#937402).

- client MUST ignore EncryptionKeyLength if
CAP_EXTENDED_SECURITY is set (bnc#932348).

- drm: ast,cirrus,mgag200: use drm_can_sleep (bnc#883380,
bsc#935572).

- drm/cirrus: do not attempt to acquire a reservation
while in an interrupt handler (bsc#935572).

- drm/mgag200: do not attempt to acquire a reservation
while in an interrupt handler (bsc#935572).

- drm/mgag200: Do not do full cleanup if
mgag200_device_init fails.

- ext3: Fix data corruption in inodes with journalled data
(bsc#936637)

- ext4: handle SEEK_HOLE/SEEK_DATA generically
(bsc#934944).

- fanotify: Fix deadlock with permission events
(bsc#935053).

- fork: reset mm->pinned_vm (bnc#937855).

- hrtimer: prevent timer interrupt DoS (bnc#886785).

- hugetlb: do not account hugetlb pages as NR_FILE_PAGES
(bnc#930092).

- hugetlb, kabi: do not account hugetlb pages as
NR_FILE_PAGES (bnc#930092).

- IB/core: Fix mismatch between locked and pinned pages
(bnc#937855).

- iommu/amd: Fix memory leak in free_pagetable
(bsc#935866).

- iommu/amd: Handle integer overflow in dma_ops_area_alloc
(bsc#931538).

- iommu/amd: Handle large pages correctly in
free_pagetable (bsc#935866).

- ipr: Increase default adapter init stage change timeout
(bsc#930761).

- ixgbe: Use pci_vfs_assigned instead of
ixgbe_vfs_are_assigned (bsc#927355).

- kdump: fix crash_kexec()/smp_send_stop() race in panic()
(bnc#937444).

- kernel: add panic_on_warn. (bsc#934742)

- kvm: irqchip: Break up high order allocations of
kvm_irq_routing_table (bnc#926953).

- libata: prevent HSM state change race between ISR and
PIO (bsc#923245).

- md: use kzalloc() when bitmap is disabled (bsc#939994).

- megaraid_sas: Use correct reset sequence in adp_reset()
(bsc#894936).

- mlx4: Check for assigned VFs before disabling SR-IOV
(bsc#927355).

- mm/hugetlb: check for pte NULL pointer in
__page_check_address() (bnc#929143).

- mm: restrict access to slab files under procfs and sysfs
(bnc#936077).

- net: fib6: fib6_commit_metrics: fix potential NULL
pointer dereference (bsc#867362).

- net: Fix 'ip rule delete table 256' (bsc#873385).

- net: ipv6: fib: do not sleep inside atomic lock
(bsc#867362).

- net/mlx4_core: Do not disable SRIOV if there are active
VFs (bsc#927355).

- nfsd: Fix nfsv4 opcode decoding error (bsc#935906).

- nfsd: support disabling 64bit dir cookies (bnc#937503).

- nfs: never queue requests with rq_cong set on the
sending queue (bsc#932458).

- nfsv4: Minor cleanups for nfs4_handle_exception and
nfs4_async_handle_error (bsc#939910).

- pagecache limit: add tracepoints (bnc#924701).

- pagecache limit: Do not skip over small zones that
easily (bnc#925881).

- pagecache limit: export debugging counters via
/proc/vmstat (bnc#924701).

- pagecache limit: fix wrong nr_reclaimed count
(bnc#924701).

- pagecache limit: reduce starvation due to reclaim
retries (bnc#925903).

- pci: Add SRIOV helper function to determine if VFs are
assigned to guest (bsc#927355).

- pci: Disable Bus Master only on kexec reboot
(bsc#920110).

- pci: disable Bus Master on PCI device shutdown
(bsc#920110).

- pci: Disable Bus Master unconditionally in
pci_device_shutdown() (bsc#920110).

- pci: Don't try to disable Bus Master on disconnected PCI
devices (bsc#920110).

- perf, nmi: Fix unknown NMI warning (bsc#929142).

- perf/x86/intel: Move NMI clearing to end of PMI handler
(bsc#929142).

- rtlwifi: rtl8192cu: Fix kernel deadlock (bnc#927786).

- sched: fix __sched_setscheduler() vs load balancing race
(bnc#921430)

- scsi_error: add missing case statements in
scsi_decide_disposition() (bsc#920733).

- scsi: Set hostbyte status in scsi_check_sense()
(bsc#920733).

- scsi: set host msg status correctly (bnc#933936)

- scsi: vmw_pvscsi: Fix pvscsi_abort() function
(bnc#940398 bsc#930934).

- st: NULL pointer dereference panic caused by use after
kref_put by st_open (bsc#936875).

- udf: Remove repeated loads blocksize (bsc#933907).

- usb: core: Fix USB 3.0 devices lost in NOTATTACHED state
after a hub port reset (bnc#937641).

- vmxnet3: Bump up driver version number (bsc#936423).

- vmxnet3: Changes for vmxnet3 adapter version 2 (fwd)
(bug#936423).

- vmxnet3: Fix memory leaks in rx path (fwd) (bug#936423).

- vmxnet3: Register shutdown handler for device (fwd)
(bug#936423).

- x86/mm: Improve AMD Bulldozer ASLR workaround
(bsc#937032).

- x86, tls: Interpret an all-zero struct user_desc as 'no
segment' (bsc#920250).

- x86, tls, ldt: Stop checking lm in LDT_empty
(bsc#920250).

- xenbus: add proper handling of XS_ERROR from Xenbus for
transactions.

- xfs: avoid mounting of xfs filesystems with inconsistent
option (bnc#925705)

- zcrypt: Fixed reset and interrupt handling of AP queues
(bnc#936925, LTC#126491).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/851068
https://bugzilla.suse.com/867362
https://bugzilla.suse.com/873385
https://bugzilla.suse.com/883380
https://bugzilla.suse.com/886785
https://bugzilla.suse.com/894936
https://bugzilla.suse.com/915517
https://bugzilla.suse.com/917830
https://bugzilla.suse.com/919463
https://bugzilla.suse.com/920110
https://bugzilla.suse.com/920250
https://bugzilla.suse.com/920733
https://bugzilla.suse.com/921430
https://bugzilla.suse.com/923245
https://bugzilla.suse.com/924701
https://bugzilla.suse.com/925705
https://bugzilla.suse.com/925881
https://bugzilla.suse.com/925903
https://bugzilla.suse.com/926240
https://bugzilla.suse.com/926953
https://bugzilla.suse.com/927355
https://bugzilla.suse.com/927786
https://bugzilla.suse.com/929142
https://bugzilla.suse.com/929143
https://bugzilla.suse.com/930092
https://bugzilla.suse.com/930761
https://bugzilla.suse.com/930934
https://bugzilla.suse.com/931538
https://bugzilla.suse.com/932348
https://bugzilla.suse.com/932458
https://bugzilla.suse.com/933429
https://bugzilla.suse.com/933896
https://bugzilla.suse.com/933904
https://bugzilla.suse.com/933907
https://bugzilla.suse.com/933936
https://bugzilla.suse.com/934742
https://bugzilla.suse.com/934944
https://bugzilla.suse.com/935053
https://bugzilla.suse.com/935572
https://bugzilla.suse.com/935705
https://bugzilla.suse.com/935866
https://bugzilla.suse.com/935906
https://bugzilla.suse.com/936077
https://bugzilla.suse.com/936423
https://bugzilla.suse.com/936637
https://bugzilla.suse.com/936831
https://bugzilla.suse.com/936875
https://bugzilla.suse.com/936925
https://bugzilla.suse.com/937032
https://bugzilla.suse.com/937402
https://bugzilla.suse.com/937444
https://bugzilla.suse.com/937503
https://bugzilla.suse.com/937641
https://bugzilla.suse.com/937855
https://bugzilla.suse.com/939910
https://bugzilla.suse.com/939994
https://bugzilla.suse.com/940338
https://bugzilla.suse.com/940398
https://bugzilla.suse.com/942350
https://www.suse.com/security/cve/CVE-2014-9728.html
https://www.suse.com/security/cve/CVE-2014-9729.html
https://www.suse.com/security/cve/CVE-2014-9730.html
https://www.suse.com/security/cve/CVE-2014-9731.html
https://www.suse.com/security/cve/CVE-2015-0777.html
https://www.suse.com/security/cve/CVE-2015-1420.html
https://www.suse.com/security/cve/CVE-2015-1805.html
https://www.suse.com/security/cve/CVE-2015-2150.html
https://www.suse.com/security/cve/CVE-2015-2830.html
https://www.suse.com/security/cve/CVE-2015-4167.html
https://www.suse.com/security/cve/CVE-2015-4700.html
https://www.suse.com/security/cve/CVE-2015-5364.html
https://www.suse.com/security/cve/CVE-2015-5366.html
https://www.suse.com/security/cve/CVE-2015-5707.html
http://www.nessus.org/u?441d7fc3

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for VMWare 11-SP3 :

zypper in -t patch slessp3-kernel-201508-12100=1

SUSE Linux Enterprise Server 11-SP3 :

zypper in -t patch slessp3-kernel-201508-12100=1

SUSE Linux Enterprise Server 11-EXTRA :

zypper in -t patch slexsp3-kernel-201508-12100=1

SUSE Linux Enterprise Desktop 11-SP3 :

zypper in -t patch sledsp3-kernel-201508-12100=1

SUSE Linux Enterprise Debuginfo 11-SP3 :

zypper in -t patch dbgsp3-kernel-201508-12100=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.1
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now