SUSE SLED12 / SLES12 Security Update : kernel-source (SUSE-SU-2015:1727-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.

Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to
receive various security and bug fixes.

The following security bugs were fixed :

- CVE-2015-7613: A flaw was found in the Linux kernel IPC
code that could lead to arbitrary code execution. The
ipc_addid() function initialized a shared object that
has unset uid/gid values. Since the fields are not
initialized, the check can falsely succeed. (bsc#948536)

- CVE-2015-5156: When a guest's KVM network devices are in a
bridge configuration the kernel can create a situation
in which packets are fragmented in an unexpected
fashion. The GRO functionality can create a situation in
which multiple SKBs are chained together in a single
packet's fraglist (by design). (bsc#940776)

- CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux
kernel before 4.1.6 on the x86_64 platform mishandles
IRET faults in processing NMIs that occurred during
userspace execution, which might allow local users to
gain privileges by triggering an NMI (bsc#938706).

- CVE-2015-6252: A flaw was found in the way the Linux
kernel's vhost driver treated the userspace-provided log
file descriptor when processing the VHOST_SET_LOG_FD
ioctl command. The file descriptor was never released
and continued to consume kernel memory. A privileged
local user with access to the /dev/vhost-net files could
use this flaw to create a denial-of-service attack.

- CVE-2015-5697: The get_bitmap_file function in
drivers/md/md.c in the Linux kernel before 4.1.6 does
not initialize a certain bitmap data structure, which
allows local users to obtain sensitive information from
kernel memory via a GET_BITMAP_FILE ioctl call.

- CVE-2015-6937: A NULL pointer dereference flaw was found
in the Reliable Datagram Sockets (RDS) implementation
allowing a local user to cause system DoS. A
verification was missing that the underlying transport
exists when a connection was created. (bsc#945825)

- CVE-2015-5283: A NULL pointer dereference flaw was found
in the SCTP implementation allowing a local user to cause
system DoS. Creation of multiple sockets in parallel
when the system doesn't have the SCTP module loaded can lead
to kernel panic. (bsc#947155)

The following non-security bugs were fixed :

- ALSA: hda - Abort the probe without i915 binding for
HSW/BDW (bsc#936556).

- Btrfs: Backport subvolume mount option handling

- Btrfs: Handle unaligned length in extent_same

- Btrfs: advertise which crc32c implementation is being
used on mount (bsc#946057).

- Btrfs: allow mounting btrfs subvolumes with different
ro/rw options.

- Btrfs: check if previous transaction aborted to avoid fs
corruption (bnc#942509).

- Btrfs: clean up error handling in mount_subvol()

- Btrfs: cleanup orphans while looking up default
subvolume (bsc#914818).

- Btrfs: do not update mtime/ctime on deduped inodes

- Btrfs: fail on mismatched subvol and subvolid mount
options (bsc#934962).

- Btrfs: fix chunk allocation regression leading to
transaction abort (bnc#938550).

- Btrfs: fix clone / extent-same deadlocks (bsc#937612).

- Btrfs: fix crash on close_ctree() if cleaner starts new
transaction (bnc#938891).

- Btrfs: fix deadlock with extent-same and readpage

- Btrfs: fix file corruption after cloning inline extents

- Btrfs: fix file read corruption after extent cloning and
fsync (bnc#946902).

- Btrfs: fix find_free_dev_extent() malfunction in case
device tree has hole (bnc#938550).

- Btrfs: fix hang when failing to submit bio of directIO

- Btrfs: fix list transaction->pending_ordered corruption

- Btrfs: fix memory corruption on failure to submit bio
for direct IO (bnc#942685).

- Btrfs: fix memory leak in the extent_same ioctl

- Btrfs: fix put dio bio twice when we submit dio bio fail

- Btrfs: fix race between balance and unused block group
deletion (bnc#938892).

- Btrfs: fix range cloning when same inode used as source
and destination (bnc#942511).

- Btrfs: fix read corruption of compressed and shared
extents (bnc#946906).

- Btrfs: fix uninit variable in clone ioctl (bnc#942511).

- Btrfs: fix use-after-free in mount_subvol().

- Btrfs: fix wrong check for btrfs_force_chunk_alloc()

- Btrfs: lock superblock before remounting for rw subvol

- Btrfs: pass unaligned length to btrfs_cmp_data()

- Btrfs: remove all subvol options before mounting
top-level (bsc#934962).

- Btrfs: show subvol= and subvolid= in /proc/mounts

- Btrfs: unify subvol= and subvolid= mounting

- Btrfs: fill ->last_trans for delayed inode in
btrfs_fill_inode (bnc#942925).

- Btrfs: fix metadata inconsistencies after directory
fsync (bnc#942925).

- Btrfs: fix stale dir entries after removing a link and
fsync (bnc#942925).

- Btrfs: fix stale dir entries after unlink, inode
eviction and fsync (bnc#942925).

- Btrfs: fix stale directory entries after fsync log
replay (bnc#942925).

- Btrfs: make btrfs_search_forward return with nodes
unlocked (bnc#942925).

- Btrfs: support NFSv2 export (bnc#929871).

- Btrfs: update fix for read corruption of compressed and
shared extents (bsc#948256).

- Drivers: hv: do not do hypercalls when hypercall_page is

- Drivers: hv: vmbus: add special crash handler.

- Drivers: hv: vmbus: add special kexec handler.

- Drivers: hv: vmbus: remove hv_synic_free_cpu() call from

- Input: evdev - do not report errors form flush()

- Input: synaptics - do not retrieve the board id on old
firmwares (bsc#929092).

- Input: synaptics - log queried and quirked dimension
values (bsc#929092).

- Input: synaptics - query min dimensions for fw v8.1.

- Input: synaptics - remove X1 Carbon 3rd gen from the
topbuttonpad list (bsc#929092).

- Input: synaptics - remove X250 from the topbuttonpad

- Input: synaptics - remove obsolete min/max quirk for
X240 (bsc#929092).

- Input: synaptics - skip quirks when post-2013 dimensions

- Input: synaptics - split synaptics_resolution(), query
first (bsc#929092).

- Input: synaptics - support min/max board id in
min_max_pnpid_table (bsc#929092).

- NFS: Make sure XPRT_CONNECTING gets cleared when needed

- NFSv4: do not set SETATTR for O_RDONLY|O_EXCL

- PCI: Move MPS configuration check to
pci_configure_device() (bsc#943313).

- PCI: Set MPS to match upstream bridge (bsc#943313).

- SCSI: fix regression in scsi_send_eh_cmnd()

- SCSI: fix scsi_error_handler vs. scsi_host_dev_release
race (bnc#942204).

- SCSI: vmw_pvscsi: Fix pvscsi_abort() function

- UAS: fixup for remaining use of dead_list (bnc#934942).

- USB: storage: use %*ph specifier to dump small buffers

- aio: fix reqs_available handling (bsc#943378).

- audit: do not generate loginuid log when audit disabled

- blk-merge: do not compute bi_phys_segments from bi_vcnt
for cloned bio (bnc#934430).

- blk-merge: fix blk_recount_segments (bnc#934430).

- blk-merge: recaculate segment if it isn't less than max
segments (bnc#934430).

- block: add queue flag for disabling SG merging

- block: blk-merge: fix blk_recount_segments()

- config: disable CONFIG_TCM_RBD on ppc64le and s390x

- cpufreq: intel_pstate: Add CPU ID for Braswell

- dlm: fix missing endian conversion of rcom_status flags

- dm cache mq: fix memory allocation failure for large
cache devices (bsc#942707).

- drm/i915: Avoid race of intel_crt_detect_hotplug() with
HPD interrupt (bsc#942938).

- drm/i915: Make hpd arrays big enough to avoid out of
bounds access (bsc#942938).

- drm/i915: Only print hotplug event message when hotplug
bit is set (bsc#942938).

- drm/i915: Queue reenable timer also when
enable_hotplug_processing is false (bsc#942938).

- drm/i915: Use an interrupt save spinlock in
intel_hpd_irq_handler() (bsc#942938).

- drm/radeon: fix hotplug race at startup (bsc#942307).

- ethtool, net/mlx4_en: Add 100M, 20G, 56G speeds ethtool
reporting support (bsc#945710).

- hrtimer: prevent timer interrupt DoS (bnc#886785).

- hv: fcopy: add memory barrier to propagate state

- inotify: Fix nested sleeps in inotify_read()

- intel_pstate: Add CPU IDs for Broadwell processors.

- intel_pstate: Add CPUID for BDW-H CPU.

- intel_pstate: Add support for SkyLake.

- intel_pstate: Correct BYT VID values (bnc#907973).

- intel_pstate: Remove periodic P state boost

- intel_pstate: add sample time scaling (bnc#907973,
bnc#924722, bnc#916543).

- intel_pstate: don't touch turbo bit if turbo disabled or
unavailable (bnc#907973).

- intel_pstate: remove setting P state to MAX on init

- intel_pstate: remove unneeded sample buffers

- intel_pstate: set BYT MSR with wrmsrl_on_cpu()

- ipr: Fix incorrect trace indexing (bsc#940912).

- ipr: Fix invalid array indexing for HRRQ (bsc#940912).

- iwlwifi: dvm: drop non VO frames when flushing

- kABI workaround for ieee80211_ops.flush argument change

- kconfig: Do not print status messages in make -s mode

- kernel/modsign_uefi.c: Check for EFI_RUNTIME_SERVICES in
load_uefi_certs (bsc#856382).

- kernel: do full redraw of the 3270 screen on reconnect
(bnc#943476, LTC#129509).

- kexec: define kexec_in_progress in !CONFIG_KEXEC case.

- kvm: Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS

- lpfc: Fix scsi prep dma buf error (bsc#908950).

- mac80211: add vif to flush call (bsc#940545).

- md/bitmap: do not abuse i_writecount for bitmap files

- md/bitmap: protect clearing of ->bitmap by mddev->lock

- md/raid5: use ->lock to protect accessing raid5 sysfs
attributes (bnc#912183).

- md: fix problems with freeing private data after ->run
failure (bnc#912183).

- md: level_store: group all important changes into one
place (bnc#912183).

- md: move GET_BITMAP_FILE ioctl out from mddev_lock

- md: protect ->pers changes with mddev->lock

- md: remove mddev_lock from rdev_attr_show()

- md: remove mddev_lock() from md_attr_show()

- md: remove need for mddev_lock() in md_seq_show()

- md: split detach operation out from ->stop (bnc#912183).

- md: tidy up set_bitmap_file (bsc#943270).

- megaraid_sas: Handle firmware initialization after fast
boot (bsc#922071).

- mfd: lpc_ich: Assign subdevice ids automatically

- mm: filemap: Avoid unnecessary barriers and waitqueue
lookups -fix (VM/FS Performance (bnc#941951)).

- mm: make page pfmemalloc check more robust (bnc#920016).

- mm: numa: disable change protection for vma(VM_HUGETLB)

- netfilter: nf_conntrack_proto_sctp: minimal multihoming
support (bsc#932350).

- net/mlx4_core: Add ethernet backplane autoneg device
capability (bsc#945710).

- net/mlx4_core: Introduce ACCESS_REG CMD and
eth_prot_ctrl dev cap (bsc#945710).

- net/mlx4_en: Use PTYS register to query ethtool settings

- net/mlx4_en: Use PTYS register to set ethtool settings
(Speed) (bsc#945710).

- rcu: Reject memory-order-induced stall-warning false
positives (bnc#941908).

- s390/dasd: fix kernel panic when alias is set offline
(bnc#940965, LTC#128595).

- sched: Fix KMALLOC_MAX_SIZE overflow during cpumask
allocation (bnc#939266).

- sched: Fix cpu_active_mask/cpu_online_mask race

- sched, numa: do not hint for NUMA balancing on
VM_MIXEDMAP mappings (bnc#943573).

- uas: Add US_FL_MAX_SECTORS_240 flag (bnc#934942).

- uas: Add response iu handling (bnc#934942).

- uas: Add uas_get_tag() helper function (bnc#934942).

- uas: Check against unexpected completions (bnc#934942).

- uas: Cleanup uas_log_cmd_state usage (bnc#934942).

- uas: Do not log urb status error on cancellation

- uas: Do not use scsi_host_find_tag (bnc#934942).

- uas: Drop COMMAND_COMPLETED flag (bnc#934942).

- uas: Drop all references to a scsi_cmnd once it has been
aborted (bnc#934942).

- uas: Drop inflight list (bnc#934942).

- uas: Fix memleak of non-submitted urbs (bnc#934942).

- uas: Fix resetting flag handling (bnc#934942).

- uas: Free data urbs on completion (bnc#934942).

- uas: Log error codes when logging errors (bnc#934942).

- uas: Reduce number of function arguments for
uas_alloc_foo functions (bnc#934942).

- uas: Remove cmnd reference from the cmd urb

- uas: Remove support for old sense ui as used in
pre-production hardware (bnc#934942).

- uas: Remove task-management / abort error handling code

- uas: Set max_sectors_240 quirk for ASM1053 devices

- uas: Simplify reset / disconnect handling (bnc#934942).

- uas: Simplify unlink of data urbs on error (bnc#934942).

- uas: Use scsi_print_command (bnc#934942).

- uas: pre_reset and suspend: Fix a few races

- uas: zap_pending: data urbs should have completed at
this time (bnc#934942).

- x86/kernel: Do not reserve crashkernel high memory if
crashkernel low memory reserving failed (bsc#939145).

- x86/smpboot: Check for cpu_active on cpu initialization

- xhci: Workaround for PME stuck issues in Intel xhci

- xhci: rework cycle bit checking for new dequeue pointers

- xfs: Fix file type directory corruption for btree
directories (bsc#941305).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12 :

zypper in -t patch SUSE-SLE-WE-12-2015-668=1

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2015-668=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2015-668=1

SUSE Linux Enterprise Module for Public Cloud 12 :

zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2015-668=1

SUSE Linux Enterprise Live Patching 12 :

zypper in -t patch SUSE-SLE-Live-Patching-12-2015-668=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-668=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.8
CVSS Temporal Score : 6.1
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 86378

Bugtraq ID: 76005

CVE ID: CVE-2015-5156
