openSUSE Security Update : the Linux Kernel (openSUSE-2016-753)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE Leap 42.1 kernel was updated to 4.1.26 to receive various
security and bug fixes.

The following security bugs were fixed :

- CVE-2016-1583: Prevent the usage of mmap when the lower
file system does not allow it. This could have led to
local privilege escalation when ecryptfs-utils was
installed and /sbin/mount.ecryptfs_private was setuid
(bsc#983143).

- CVE-2016-4565: The InfiniBand (aka IB) stack in the
Linux kernel incorrectly relies on the write system
call, which allows local users to cause a denial of
service (kernel memory write operation) or possibly have
unspecified other impact via a uAPI interface.
(bsc#979548)

- CVE-2016-4805: Use-after-free vulnerability in
drivers/net/ppp/ppp_generic.c in the Linux kernel
allowed local users to cause a denial of service (memory
corruption and system crash, or spinlock) or possibly
have unspecified other impact by removing a network
namespace, related to the ppp_register_net_channel and
ppp_unregister_channel functions. (bsc#980371).

- CVE-2016-4951: The tipc_nl_publ_dump function in
net/tipc/socket.c in the Linux kernel did not verify
socket existence, which allowed local users to cause a
denial of service (NULL pointer dereference and system
crash) or possibly have unspecified other impact via a
dumpit operation. (bsc#981058).

- CVE-2016-5244: An information leak vulnerability in
function rds_inc_info_copy of file net/rds/recv.c was
fixed that might have leaked kernel stack data.
(bsc#983213).

- CVE-2016-4580: The x25_negotiate_facilities function in
net/x25/x25_facilities.c in the Linux kernel did not
properly initialize a certain data structure, which
allowed attackers to obtain sensitive information from
kernel stack memory via an X.25 Call Request.
(bsc#981267).

- CVE-2016-0758: Tags with indefinite length could have
corrupted pointers in asn1_find_indefinite_length
(bsc#979867).

- CVE-2016-2053: The asn1_ber_decoder function in
lib/asn1_decoder.c in the Linux kernel allowed attackers
to cause a denial of service (panic) via an ASN.1 BER
file that lacks a public key, leading to mishandling by
the public_key_verify_signature function in
crypto/asymmetric_keys/public_key.c (bnc#963762).

- CVE-2013-7446: Use-after-free vulnerability in
net/unix/af_unix.c in the Linux kernel allowed local
users to bypass intended AF_UNIX socket permissions or
cause a denial of service (panic) via crafted epoll_ctl
calls (bnc#955654).

- CVE-2016-3134: The netfilter subsystem in the Linux
kernel did not validate certain offset fields, which
allowed local users to gain privileges or cause a denial
of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

- CVE-2016-3672: The arch_pick_mmap_layout function in
arch/x86/mm/mmap.c in the Linux kernel did not properly
randomize the legacy base address, which made it easier
for local users to defeat the intended restrictions on
the ADDR_NO_RANDOMIZE flag, and bypass the ASLR
protection mechanism for a setuid or setgid program, by
disabling stack-consumption resource limits
(bnc#974308).

- CVE-2016-4482: A kernel information leak in the usbfs
devio connectinfo was fixed, which could expose kernel
stack memory to userspace. (bnc#978401).

- CVE-2016-4485: A kernel information leak in llc was
fixed (bsc#978821).

- CVE-2016-4486: A kernel information leak in rtnetlink
was fixed, where 4 uninitialized bytes could leak to
userspace (bsc#978822).

- CVE-2016-4557: A use-after-free via double-fdput in
replace_map_fd_with_map_ptr() was fixed, which could
allow privilege escalation (bsc#979018).

- CVE-2016-4565: When the 'rdma_ucm' infiniband module is
loaded, local attackers could escalate their privileges
(bsc#979548).

- CVE-2016-4569: A kernel information leak in the ALSA
timer, via events delivered by snd_timer_user_tinterrupt
that could leak information to userspace, was fixed
(bsc#979213).

- CVE-2016-4578: A kernel information leak in the ALSA
timer via events that could leak information to
userspace was fixed (bsc#979879).

- CVE-2016-4581: If the first propagated mount copy was
a slave, it could oops the kernel (bsc#979913).

The following non-security bugs were fixed :

- ALSA: hda - Add dock support for ThinkPad X260
(boo#979278).

- ALSA: hda - Apply fix for white noise on Asus N550JV,
too (boo#979278).

- ALSA: hda - Asus N750JV external subwoofer fixup
(boo#979278).

- ALSA: hda - Fix broken reconfig (boo#979278).

- ALSA: hda - Fix headphone mic input on a few Dell ALC293
machines (boo#979278).

- ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
(boo#979278).

- ALSA: hda - Fix white noise on Asus N750JV headphone
(boo#979278).

- ALSA: hda - Fix white noise on Asus UX501VW headset
(boo#979278).

- ALSA: hda/realtek - Add ALC3234 headset mode for
Optiplex 9020m (boo#979278).

- ALSA: hda/realtek - New codecs support for
ALC234/ALC274/ALC294 (boo#979278).

- ALSA: hda/realtek - New codec support of ALC225
(boo#979278).

- ALSA: hda/realtek - Support headset mode for ALC225
(boo#979278).

- ALSA: pcxhr: Fix missing mutex unlock (boo#979278).

- ALSA: usb-audio: Quirk for yet another Phoenix Audio
devices (v2) (boo#979278).

- bluetooth: fix power_on vs close race (bsc#966849).

- bluetooth: vhci: fix open_timeout vs. hdev race
(bsc#971799,bsc#966849).

- bluetooth: vhci: Fix race at creating hci device
(bsc#971799,bsc#966849).

- bluetooth: vhci: purge unhandled skbs
(bsc#971799,bsc#966849).

- btrfs: do not use src fd for printk (bsc#980348).

- btrfs: fix crash/invalid memory access on fsync when
using overlayfs (bsc#977198)

- drm: qxl: Workaround for buggy user-space (bsc#981344).

- enic: set netdev->vlan_features (bsc#966245).

- fs: add file_dentry() (bsc#977198).

- IB/IPoIB: Do not set skb truesize since using one
linear skb (bsc#980657).

- input: i8042 - lower log level for 'no controller'
message (bsc#945345).

- kabi: Add kabi/severities entries to ignore sound/hda/*,
x509_*, efivar_validate, file_open_root and dax_fault

- kabi: Add some fixups (module, pci_dev, drm, fuse and
thermal)

- kabi: file_dentry changes (bsc#977198).

- kABI fixes for 4.1.22

- mm/page_alloc.c: calculate 'available' memory in a
separate function (bsc#982239).

- net: disable fragment reassembly if high_thresh is zero
(bsc#970506).

- of: iommu: Silence misleading warning.

- pstore_register() error handling was wrong: it tried
to release a lock before it was acquired, causing a
spinlock / preemption imbalance.

- usb: quirk to stop runtime PM for Intel 7260
(bnc#984460).

- Revert 'usb: hub: do not clear BOS field during reset
device' (boo#979728).

- usb: core: hub: hub_port_init lock controller instead of
bus (bnc#978073).

- usb: preserve kABI in address0 locking (bnc#978073).

- usb: usbip: fix potential out-of-bounds write
(bnc#975945).

- USB: xhci: Add broken streams quirk for Frescologic
device id 1009 (bnc#982712).

- virtio_balloon: do not change memory amount visible via
/proc/meminfo (bsc#982238).

- virtio_balloon: export 'available' memory to balloon
statistics (bsc#982239).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=945345
https://bugzilla.opensuse.org/show_bug.cgi?id=955654
https://bugzilla.opensuse.org/show_bug.cgi?id=963762
https://bugzilla.opensuse.org/show_bug.cgi?id=966245
https://bugzilla.opensuse.org/show_bug.cgi?id=966849
https://bugzilla.opensuse.org/show_bug.cgi?id=970506
https://bugzilla.opensuse.org/show_bug.cgi?id=971126
https://bugzilla.opensuse.org/show_bug.cgi?id=971799
https://bugzilla.opensuse.org/show_bug.cgi?id=973570
https://bugzilla.opensuse.org/show_bug.cgi?id=974308
https://bugzilla.opensuse.org/show_bug.cgi?id=975945
https://bugzilla.opensuse.org/show_bug.cgi?id=977198
https://bugzilla.opensuse.org/show_bug.cgi?id=978073
https://bugzilla.opensuse.org/show_bug.cgi?id=978401
https://bugzilla.opensuse.org/show_bug.cgi?id=978821
https://bugzilla.opensuse.org/show_bug.cgi?id=978822
https://bugzilla.opensuse.org/show_bug.cgi?id=979018
https://bugzilla.opensuse.org/show_bug.cgi?id=979213
https://bugzilla.opensuse.org/show_bug.cgi?id=979278
https://bugzilla.opensuse.org/show_bug.cgi?id=979548
https://bugzilla.opensuse.org/show_bug.cgi?id=979728
https://bugzilla.opensuse.org/show_bug.cgi?id=979867
https://bugzilla.opensuse.org/show_bug.cgi?id=979879
https://bugzilla.opensuse.org/show_bug.cgi?id=979913
https://bugzilla.opensuse.org/show_bug.cgi?id=980348
https://bugzilla.opensuse.org/show_bug.cgi?id=980371
https://bugzilla.opensuse.org/show_bug.cgi?id=980657
https://bugzilla.opensuse.org/show_bug.cgi?id=981058
https://bugzilla.opensuse.org/show_bug.cgi?id=981267
https://bugzilla.opensuse.org/show_bug.cgi?id=981344
https://bugzilla.opensuse.org/show_bug.cgi?id=982238
https://bugzilla.opensuse.org/show_bug.cgi?id=982239
https://bugzilla.opensuse.org/show_bug.cgi?id=982712
https://bugzilla.opensuse.org/show_bug.cgi?id=983143
https://bugzilla.opensuse.org/show_bug.cgi?id=983213
https://bugzilla.opensuse.org/show_bug.cgi?id=984460

Solution :

Update the affected Linux Kernel packages.
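A version check a defender might run before closing this finding, added here as an example and not part of the Nessus plugin or the openSUSE update: it compares a kernel version string against the 4.1.26 fix version named in the description. Assumptions: version strings have the `uname -r` shape (e.g. "4.1.26-21-default"), and the fixed release is identified by the upstream version alone, so the distribution build suffix is ignored.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether a
# kernel version is at or above the 4.1.26 fix version this update ships.
# The numeric part is compared field by field so that "4.1.9" is not
# mistaken for a newer release than "4.1.26" by a plain string comparison.

FIXED_VERSION="4.1.26"   # fix version taken from the advisory text

# version_at_least CANDIDATE REQUIRED -> returns 0 if CANDIDATE >= REQUIRED
version_at_least() {
    cand=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-21-default"
    req=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    awk -v a="$cand" -v b="$req" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing fields count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0                               # all fields equal
    }'
}

# kernel_is_fixed VERSION -> prints a verdict, returns 0 only if fixed
kernel_is_fixed() {
    if version_at_least "$1" "$FIXED_VERSION"; then
        echo "kernel $1: at or above $FIXED_VERSION, update present"
        return 0
    fi
    echo "kernel $1: below $FIXED_VERSION, update kernel packages"
    return 1
}

# Constructed sample inputs; on a real host pass "$(uname -r)" instead.
for v in "4.1.21-14-default" "4.1.26-21-default" "4.1.9-6-default"; do
    kernel_is_fixed "$v" || :
done
```

A freshly installed kernel package only takes effect after a reboot, so checking the running kernel with `uname -r` and checking the installed RPM can disagree until then.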

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true
