openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE 13.1 kernel was updated to receive various security and
bug fixes.

The following security bugs were fixed :

- CVE-2016-0728: A reference leak in keyring handling with
join_session_keyring() could allow local attackers to
gain root privileges (bsc#962075).

- CVE-2015-7550: A local user could have triggered a race
between read and revoke in keyctl (bnc#958951).

- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect
functions in drivers/net/ppp/pptp.c in the Linux kernel
did not verify an address length, which allowed local
users to obtain sensitive information from kernel memory
and bypass the KASLR protection mechanism via a crafted
application (bnc#959190).

- CVE-2015-8543: The networking implementation in the
Linux kernel did not validate protocol identifiers for
certain protocol families, which allowed local users to
cause a denial of service (NULL function pointer
dereference and system crash) or possibly gain
privileges by leveraging CLONE_NEWUSER support to
execute a crafted SOCK_RAW application (bnc#958886).

- CVE-2014-8989: The Linux kernel did not properly
restrict dropping of supplemental group memberships in
certain namespace scenarios, which allowed local users
to bypass intended file permissions by leveraging a
POSIX ACL containing an entry for the group category
that is more restrictive than the entry for the other
category, aka a 'negative groups' issue, related to
kernel/groups.c, kernel/uid16.c, and
kernel/user_namespace.c (bnc#906545).

- CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux
kernel on the x86_64 platform mishandles IRET faults in
processing NMIs that occurred during userspace
execution, which might allow local users to gain
privileges by triggering an NMI (bnc#937969).

- CVE-2015-7799: The slhc_init function in
drivers/net/slip/slhc.c in the Linux kernel through
4.2.3 did not ensure that certain slot numbers are
valid, which allowed local users to cause a denial of
service (NULL pointer dereference and system crash) via
a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

- CVE-2015-8104: The KVM subsystem in the Linux kernel
through 4.2.6, and Xen 4.3.x through 4.6.x, allowed
guest OS users to cause a denial of service (host OS
panic or hang) by triggering many #DB (aka Debug)
exceptions, related to svm.c (bnc#954404).

- CVE-2015-5307: The KVM subsystem in the Linux kernel
through 4.2.6, and Xen 4.3.x through 4.6.x, allowed
guest OS users to cause a denial of service (host OS
panic or hang) by triggering many #AC (aka Alignment
Check) exceptions, related to svm.c and vmx.c
(bnc#953527).

- CVE-2014-9529: Race condition in the key_gc_unused_keys
function in security/keys/gc.c in the Linux kernel
allowed local users to cause a denial of service (memory
corruption or panic) or possibly have unspecified other
impact via keyctl commands that trigger access to a key
structure member during garbage collection of a key
(bnc#912202).

- CVE-2015-7990: Race condition in the rds_sendmsg
function in net/rds/sendmsg.c in the Linux kernel
allowed local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have
unspecified other impact by using a socket that was not
properly bound. NOTE: this vulnerability exists because
of an incomplete fix for CVE-2015-6937 (bnc#952384
953052).

- CVE-2015-6937: The __rds_conn_create function in
net/rds/connection.c in the Linux kernel allowed local
users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have
unspecified other impact by using a socket that was not
properly bound (bnc#945825).

- CVE-2015-7885: The dgnc_mgmt_ioctl function in
drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel
through 4.3.3 did not initialize a certain structure
member, which allowed local users to obtain sensitive
information from kernel memory via a crafted application
(bnc#951627).

- CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in
the Linux kernel did not validate attempted changes to
the MTU value, which allowed context-dependent attackers
to cause a denial of service (packet loss) via a value
that is (1) smaller than the minimum compliant value or
(2) larger than the MTU of an interface, as demonstrated
by a Router Advertisement (RA) message that is not
validated by a daemon, a different vulnerability than
CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is
limited to the NetworkManager product (bnc#955354).

- CVE-2015-8767: A case can occur when sctp_accept() is
called by the user during a heartbeat timeout event
after the 4-way handshake. Since sctp_assoc_migrate()
changes both assoc->base.sk and assoc->ep, the
bh_sock_lock in sctp_generate_heartbeat_event() will be
taken with the listening socket but released with the
new association socket. The result is a deadlock on any
future attempts to take the listening socket lock.
(bsc#961509)

- CVE-2015-8575: Validate socket address length in
sco_sock_bind() to prevent information leak
(bsc#959399).

- CVE-2015-8551, CVE-2015-8552: xen/pciback: For
XEN_PCI_OP_disable_msi[|x] only disable if device has
MSI(X) enabled (bsc#957990).

- CVE-2015-8550: Compiler optimizations in the XEN PV
backend drivers could have led to double fetch
vulnerabilities, causing denial of service or arbitrary
code execution (depending on the configuration)
(bsc#957988).

The following non-security bugs were fixed :

- ALSA: hda - Disable 64bit address for Creative HDA
controllers (bnc#814440).

- ALSA: hda - Fix noise problems on Thinkpad T440s
(boo#958504).

- Input: aiptek - fix crash on detecting device without
endpoints (bnc#956708).

- KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y
(boo#956934).

- KVM: x86: update masterclock values on TSC writes
(bsc#961739).

- NFS: Fix a NULL pointer dereference of migration
recovery ops for v4.2 client (bsc#960839).

- apparmor: allow SYS_CAP_RESOURCE to be sufficient to
prlimit another task (bsc#921949).

- blktap: also call blkif_disconnect() when frontend
switched to closed (bsc#952976).

- blktap: refine mm tracking (bsc#952976).

- cdrom: Random writing support for BD-RE media
(bnc#959568).

- genksyms: Handle string literals with spaces in
reference files (bsc#958510).

- ipv4: Do not increase PMTU with Datagram Too Big message
(bsc#955224).

- ipv6: distinguish frag queues by device for multicast
and link-local packets (bsc#955422).

- ipv6: fix tunnel error handling (bsc#952579).

- route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

- uas: Add response iu handling (bnc#954138).

- usbvision fix overflow of interfaces array (bnc#950998).

- x86/evtchn: make use of PHYSDEVOP_map_pirq.

- xen/pciback: Do not allow MSI-X ops if
PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=814440
https://bugzilla.opensuse.org/show_bug.cgi?id=851610
https://bugzilla.opensuse.org/show_bug.cgi?id=869564
https://bugzilla.opensuse.org/show_bug.cgi?id=873385
https://bugzilla.opensuse.org/show_bug.cgi?id=906545
https://bugzilla.opensuse.org/show_bug.cgi?id=907818
https://bugzilla.opensuse.org/show_bug.cgi?id=909077
https://bugzilla.opensuse.org/show_bug.cgi?id=909477
https://bugzilla.opensuse.org/show_bug.cgi?id=911326
https://bugzilla.opensuse.org/show_bug.cgi?id=912202
https://bugzilla.opensuse.org/show_bug.cgi?id=915517
https://bugzilla.opensuse.org/show_bug.cgi?id=915577
https://bugzilla.opensuse.org/show_bug.cgi?id=917830
https://bugzilla.opensuse.org/show_bug.cgi?id=918333
https://bugzilla.opensuse.org/show_bug.cgi?id=919007
https://bugzilla.opensuse.org/show_bug.cgi?id=919018
https://bugzilla.opensuse.org/show_bug.cgi?id=919463
https://bugzilla.opensuse.org/show_bug.cgi?id=919596
https://bugzilla.opensuse.org/show_bug.cgi?id=921313
https://bugzilla.opensuse.org/show_bug.cgi?id=921949
https://bugzilla.opensuse.org/show_bug.cgi?id=922583
https://bugzilla.opensuse.org/show_bug.cgi?id=922936
https://bugzilla.opensuse.org/show_bug.cgi?id=922944
https://bugzilla.opensuse.org/show_bug.cgi?id=926238
https://bugzilla.opensuse.org/show_bug.cgi?id=926240
https://bugzilla.opensuse.org/show_bug.cgi?id=927780
https://bugzilla.opensuse.org/show_bug.cgi?id=927786
https://bugzilla.opensuse.org/show_bug.cgi?id=928130
https://bugzilla.opensuse.org/show_bug.cgi?id=929525
https://bugzilla.opensuse.org/show_bug.cgi?id=930399
https://bugzilla.opensuse.org/show_bug.cgi?id=931988
https://bugzilla.opensuse.org/show_bug.cgi?id=932348
https://bugzilla.opensuse.org/show_bug.cgi?id=933896
https://bugzilla.opensuse.org/show_bug.cgi?id=933904
https://bugzilla.opensuse.org/show_bug.cgi?id=933907
https://bugzilla.opensuse.org/show_bug.cgi?id=933934
https://bugzilla.opensuse.org/show_bug.cgi?id=935542
https://bugzilla.opensuse.org/show_bug.cgi?id=935705
https://bugzilla.opensuse.org/show_bug.cgi?id=936502
https://bugzilla.opensuse.org/show_bug.cgi?id=936831
https://bugzilla.opensuse.org/show_bug.cgi?id=937032
https://bugzilla.opensuse.org/show_bug.cgi?id=937033
https://bugzilla.opensuse.org/show_bug.cgi?id=937969
https://bugzilla.opensuse.org/show_bug.cgi?id=938706
https://bugzilla.opensuse.org/show_bug.cgi?id=940338
https://bugzilla.opensuse.org/show_bug.cgi?id=944296
https://bugzilla.opensuse.org/show_bug.cgi?id=945825
https://bugzilla.opensuse.org/show_bug.cgi?id=947155
https://bugzilla.opensuse.org/show_bug.cgi?id=949936
https://bugzilla.opensuse.org/show_bug.cgi?id=950998
https://bugzilla.opensuse.org/show_bug.cgi?id=951194
https://bugzilla.opensuse.org/show_bug.cgi?id=951440
https://bugzilla.opensuse.org/show_bug.cgi?id=951627
https://bugzilla.opensuse.org/show_bug.cgi?id=952384
https://bugzilla.opensuse.org/show_bug.cgi?id=952579
https://bugzilla.opensuse.org/show_bug.cgi?id=952976
https://bugzilla.opensuse.org/show_bug.cgi?id=953052
https://bugzilla.opensuse.org/show_bug.cgi?id=953527
https://bugzilla.opensuse.org/show_bug.cgi?id=954138
https://bugzilla.opensuse.org/show_bug.cgi?id=954404
https://bugzilla.opensuse.org/show_bug.cgi?id=955224
https://bugzilla.opensuse.org/show_bug.cgi?id=955354
https://bugzilla.opensuse.org/show_bug.cgi?id=955422
https://bugzilla.opensuse.org/show_bug.cgi?id=956708
https://bugzilla.opensuse.org/show_bug.cgi?id=956934
https://bugzilla.opensuse.org/show_bug.cgi?id=957988
https://bugzilla.opensuse.org/show_bug.cgi?id=957990
https://bugzilla.opensuse.org/show_bug.cgi?id=958504
https://bugzilla.opensuse.org/show_bug.cgi?id=958510
https://bugzilla.opensuse.org/show_bug.cgi?id=958886
https://bugzilla.opensuse.org/show_bug.cgi?id=958951
https://bugzilla.opensuse.org/show_bug.cgi?id=959190
https://bugzilla.opensuse.org/show_bug.cgi?id=959399
https://bugzilla.opensuse.org/show_bug.cgi?id=959568
https://bugzilla.opensuse.org/show_bug.cgi?id=960839
https://bugzilla.opensuse.org/show_bug.cgi?id=961509
https://bugzilla.opensuse.org/show_bug.cgi?id=961739
https://bugzilla.opensuse.org/show_bug.cgi?id=962075

Solution :

Update the affected Linux Kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true