SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various
security and bug fixes. The following security bugs were fixed :

- CVE-2016-4486: Fixed a 4-byte information leak in
net/core/rtnetlink.c (bsc#978822).

- CVE-2016-3134: The netfilter subsystem in the Linux
kernel did not validate certain offset fields, which
allowed local users to gain privileges or cause a denial
of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

- CVE-2016-2847: fs/pipe.c in the Linux kernel did not
limit the amount of unread data in pipes, which allowed
local users to cause a denial of service (memory
consumption) by creating many pipes with non-default
sizes (bnc#970948).

- CVE-2016-2188: The iowarrior_probe function in
drivers/usb/misc/iowarrior.c in the Linux kernel allowed
physically proximate attackers to cause a denial of
service (NULL pointer dereference and system crash) via
a crafted endpoints value in a USB device descriptor
(bnc#970956).

- CVE-2016-3138: The acm_probe function in
drivers/usb/class/cdc-acm.c in the Linux kernel allowed
physically proximate attackers to cause a denial of
service (NULL pointer dereference and system crash) via
a USB device without both a control and a data endpoint
descriptor (bnc#970911).

- CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the
Linux kernel allowed physically proximate attackers to
cause a denial of service (NULL pointer dereference and
system crash) via a USB device without both an
interrupt-in and an interrupt-out endpoint descriptor,
related to the cypress_generic_port_probe and
cypress_open functions (bnc#970970).

- CVE-2016-3140: The digi_port_init function in
drivers/usb/serial/digi_acceleport.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor
(bnc#970892).

- CVE-2016-2186: The powermate_probe function in
drivers/input/misc/powermate.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor
(bnc#970958).

- CVE-2016-2185: The ati_remote2_probe function in
drivers/input/misc/ati_remote2.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor
(bnc#971124).

- CVE-2016-3156: The IPv4 implementation in the Linux
kernel mishandles destruction of device objects, which
allowed guest OS users to cause a denial of service
(host OS networking outage) by arranging for a large
number of IP addresses (bnc#971360).

- CVE-2016-2184: The create_fixed_stream_quirk function in
sound/usb/quirks.c in the snd-usb-audio driver in the
Linux kernel allowed physically proximate attackers to
cause a denial of service (NULL pointer dereference or
double free, and system crash) via a crafted endpoints
value in a USB device descriptor (bnc#971125).

- CVE-2016-3139: The wacom_probe function in
drivers/input/tablet/wacom_sys.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor
(bnc#970909).

- CVE-2016-2143: The fork implementation in the Linux
kernel on s390 platforms mishandled the case of four
page-table levels, which allowed local users to cause a
denial of service (system crash) or possibly have
unspecified other impact via a crafted application,
related to arch/s390/include/asm/mmu_context.h and
arch/s390/include/asm/pgalloc.h (bnc#970504).

- CVE-2016-2782: The treo_attach function in
drivers/usb/serial/visor.c in the Linux kernel allowed
physically proximate attackers to cause a denial of
service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a
USB device that lacks a (1) bulk-in or (2) interrupt-in
endpoint (bnc#968670).

- CVE-2015-8816: The hub_activate function in
drivers/usb/core/hub.c in the Linux kernel did not
properly maintain a hub-interface data structure, which
allowed physically proximate attackers to cause a denial
of service (invalid memory access and system crash) or
possibly have unspecified other impact by unplugging a
USB hub device (bnc#968010).

- CVE-2015-7566: The clie_5_attach function in
drivers/usb/serial/visor.c in the Linux kernel allowed
physically proximate attackers to cause a denial of
service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a
USB device that lacks a bulk-out endpoint (bnc#961512).

- CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel
did not prevent recursive callback access, which allowed
local users to cause a denial of service (deadlock) via
a crafted ioctl call (bnc#968013).

- CVE-2016-2547: sound/core/timer.c in the Linux kernel
employed a locking approach that did not consider slave
timer instances, which allowed local users to cause a
denial of service (race condition, use-after-free, and
system crash) via a crafted ioctl call (bnc#968011).

- CVE-2016-2548: sound/core/timer.c in the Linux kernel
retained certain linked lists after a close or stop
action, which allowed local users to cause a denial of
service (system crash) via a crafted ioctl call, related
to the (1) snd_timer_close and (2) _snd_timer_stop
functions (bnc#968012).

- CVE-2016-2546: sound/core/timer.c in the Linux kernel
used an incorrect type of mutex, which allowed local
users to cause a denial of service (race condition,
use-after-free, and system crash) via a crafted ioctl
call (bnc#967975).

- CVE-2016-2545: The snd_timer_interrupt function in
sound/core/timer.c in the Linux kernel did not properly
maintain a certain linked list, which allowed local
users to cause a denial of service (race condition and
system crash) via a crafted ioctl call (bnc#967974).

- CVE-2016-2544: Race condition in the queue_delete
function in sound/core/seq/seq_queue.c in the Linux
kernel allowed local users to cause a denial of service
(use-after-free and system crash) by making an ioctl
call at a certain time (bnc#967973).

- CVE-2016-2543: The snd_seq_ioctl_remove_events function
in sound/core/seq/seq_clientmgr.c in the Linux kernel
did not verify FIFO assignment before proceeding with
FIFO clearing, which allowed local users to cause a
denial of service (NULL pointer dereference and OOPS)
via a crafted ioctl call (bnc#967972).

- CVE-2016-2384: Double free vulnerability in the
snd_usbmidi_create function in sound/usb/midi.c in the
Linux kernel allowed physically proximate attackers to
cause a denial of service (panic) or possibly have
unspecified other impact via vectors involving an
invalid USB descriptor (bnc#966693).

- CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in
the Linux kernel did not properly identify error
conditions, which allowed remote attackers to execute
arbitrary code or cause a denial of service
(use-after-free) via crafted packets (bnc#966437).

- CVE-2015-8785: The fuse_fill_write_pages function in
fs/fuse/file.c in the Linux kernel allowed local users
to cause a denial of service (infinite loop) via a
writev system call that triggers a zero length for the
first segment of an iov (bnc#963765).

- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in
the Linux kernel before 4.4.1 allowed local users to gain
privileges by triggering access to a paging structure by
a different CPU (bnc#963767).

- CVE-2016-0723: Race condition in the tty_ioctl function
in drivers/tty/tty_io.c in the Linux kernel allowed
local users to obtain sensitive information from kernel
memory or cause a denial of service (use-after-free and
system crash) by making a TIOCGETD ioctl call during
processing of a TIOCSETD ioctl call (bnc#961500).

- CVE-2013-7446: Use-after-free vulnerability in
net/unix/af_unix.c in the Linux kernel allowed local
users to bypass intended AF_UNIX socket permissions or
cause a denial of service (panic) via crafted epoll_ctl
calls (bnc#955654).

- CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux
kernel did not properly manage the relationship between
a lock and a socket, which allowed local users to cause
a denial of service (deadlock) via a crafted sctp_accept
call (bnc#961509).

- CVE-2015-7515: The aiptek_probe function in
drivers/input/tablet/aiptek.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (NULL pointer dereference and system crash)
via a crafted USB device that lacks endpoints
(bnc#956708).

- CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in
the Linux kernel did not validate attempted changes to
the MTU value, which allowed context-dependent attackers
to cause a denial of service (packet loss) via a value
that is (1) smaller than the minimum compliant value or
(2) larger than the MTU of an interface, as demonstrated
by a Router Advertisement (RA) message that is not
validated by a daemon, a different vulnerability than
CVE-2015-0272 (bnc#955354).

- CVE-2015-7550: The keyctl_read_key function in
security/keys/keyctl.c in the Linux kernel did not
properly use a semaphore, which allowed local users to
cause a denial of service (NULL pointer dereference and
system crash) or possibly have unspecified other impact
via a crafted application that leverages a race
condition between keyctl_revoke and keyctl_read calls
(bnc#958951).

- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect
functions in drivers/net/ppp/pptp.c in the Linux kernel
did not verify an address length, which allowed local
users to obtain sensitive information from kernel memory
and bypass the KASLR protection mechanism via a crafted
application (bnc#959190).

- CVE-2015-8575: The sco_sock_bind function in
net/bluetooth/sco.c in the Linux kernel did not verify
an address length, which allowed local users to obtain
sensitive information from kernel memory and bypass the
KASLR protection mechanism via a crafted application
(bnc#959399).

- CVE-2015-8543: The networking implementation in the
Linux kernel did not validate protocol identifiers for
certain protocol families, which allowed local users to
cause a denial of service (NULL function pointer
dereference and system crash) or possibly gain
privileges by leveraging CLONE_NEWUSER support to
execute a crafted SOCK_RAW application (bnc#958886).

- CVE-2015-8539: The KEYS subsystem in the Linux kernel
allowed local users to gain privileges or cause a denial
of service (BUG) via crafted keyctl commands that
negatively instantiate a key, related to
security/keys/encrypted-keys/encrypted.c,
security/keys/trusted.c, and
security/keys/user_defined.c (bnc#958463).

- CVE-2015-7509: fs/ext4/namei.c in the Linux kernel
allowed physically proximate attackers to cause a denial
of service (system crash) via a crafted no-journal
filesystem, a related issue to CVE-2013-2015
(bnc#956709).

- CVE-2015-7799: The slhc_init function in
drivers/net/slip/slhc.c in the Linux kernel did not
ensure that certain slot numbers are valid, which
allowed local users to cause a denial of service (NULL
pointer dereference and system crash) via a crafted
PPPIOCSMAXCID ioctl call (bnc#949936).

- CVE-2015-8104: The KVM subsystem in the Linux kernel
allowed guest OS users to cause a denial of service
(host OS panic or hang) by triggering many #DB (aka
Debug) exceptions, related to svm.c (bnc#954404).

- CVE-2015-5307: The KVM subsystem in the Linux kernel
allowed guest OS users to cause a denial of service
(host OS panic or hang) by triggering many #AC (aka
Alignment Check) exceptions, related to svm.c and vmx.c
(bnc#953527).

- CVE-2015-7990: Race condition in the rds_sendmsg
function in net/rds/sendmsg.c in the Linux kernel
allowed local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have
unspecified other impact by using a socket that was not
properly bound (bnc#952384).

- CVE-2015-7872: The key_gc_unused_keys function in
security/keys/gc.c in the Linux kernel allowed local
users to cause a denial of service (OOPS) via crafted
keyctl commands (bnc#951440).

- CVE-2015-6937: The __rds_conn_create function in
net/rds/connection.c in the Linux kernel allowed local
users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have
unspecified other impact by using a socket that was not
properly bound (bnc#945825).

- CVE-2015-6252: The vhost_dev_ioctl function in
drivers/vhost/vhost.c in the Linux kernel allowed local
users to cause a denial of service (memory consumption)
via a VHOST_SET_LOG_FD ioctl call that triggers
permanent file-descriptor allocation (bnc#942367).

- CVE-2015-3339: Race condition in the prepare_binprm
function in fs/exec.c in the Linux kernel allowed local
users to gain privileges by executing a setuid program
at a time instant when a chown to root is in progress,
and the ownership is changed but the setuid bit is not
yet stripped (bnc#928130).

The following non-security bugs were fixed :

- Fix handling of re-write-before-commit for mmapped NFS
pages (bsc#964201).

- Fix lpfc_send_rscn_event allocation size claims
(bnc#935757).

- Fix ntpd clock synchronization in Xen PV domains
(bnc#816446).

- Fix vmalloc_fault oops during lazy MMU updates
(bsc#948562).

- Make sure XPRT_CONNECTING gets cleared when needed
(bsc#946309).

- SCSI: bfa: Fix to handle firmware tskim abort request
response (bsc#972510).

- USB: usbip: fix potential out-of-bounds write
(bnc#975945).

- af_unix: Guard against other == sk in unix_dgram_sendmsg
(bsc#973570).

- dm-snap: avoid deadlock on s->lock when a read is split
(bsc#939826).

- mm/hugetlb: check for pte NULL pointer in
__page_check_address() (bsc#977847).

- nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).

- privcmd: allow preempting long running user-mode
originating hypercalls (bnc#861093).

- s390/cio: collect format 1 channel-path description data
(bsc#966460, bsc#966662).

- s390/cio: ensure consistent measurement state
(bsc#966460, bsc#966662).

- s390/cio: fix measurement characteristics memleak
(bsc#966460, bsc#966662).

- s390/cio: update measurement characteristics
(bsc#966460, bsc#966662).

- xfs: Fix lost direct IO write in the last block
(bsc#949744).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/816446
https://bugzilla.suse.com/861093
https://bugzilla.suse.com/928130
https://bugzilla.suse.com/935757
https://bugzilla.suse.com/939826
https://bugzilla.suse.com/942367
https://bugzilla.suse.com/945825
https://bugzilla.suse.com/946117
https://bugzilla.suse.com/946309
https://bugzilla.suse.com/948562
https://bugzilla.suse.com/949744
https://bugzilla.suse.com/949936
https://bugzilla.suse.com/951440
https://bugzilla.suse.com/952384
https://bugzilla.suse.com/953527
https://bugzilla.suse.com/954404
https://bugzilla.suse.com/955354
https://bugzilla.suse.com/955654
https://bugzilla.suse.com/956708
https://bugzilla.suse.com/956709
https://bugzilla.suse.com/958463
https://bugzilla.suse.com/958886
https://bugzilla.suse.com/958951
https://bugzilla.suse.com/959190
https://bugzilla.suse.com/959399
https://bugzilla.suse.com/961500
https://bugzilla.suse.com/961509
https://bugzilla.suse.com/961512
https://bugzilla.suse.com/963765
https://bugzilla.suse.com/963767
https://bugzilla.suse.com/964201
https://bugzilla.suse.com/966437
https://bugzilla.suse.com/966460
https://bugzilla.suse.com/966662
https://bugzilla.suse.com/966693
https://bugzilla.suse.com/967972
https://bugzilla.suse.com/967973
https://bugzilla.suse.com/967974
https://bugzilla.suse.com/967975
https://bugzilla.suse.com/968010
https://bugzilla.suse.com/968011
https://bugzilla.suse.com/968012
https://bugzilla.suse.com/968013
https://bugzilla.suse.com/968670
https://bugzilla.suse.com/970504
https://bugzilla.suse.com/970892
https://bugzilla.suse.com/970909
https://bugzilla.suse.com/970911
https://bugzilla.suse.com/970948
https://bugzilla.suse.com/970956
https://bugzilla.suse.com/970958
https://bugzilla.suse.com/970970
https://bugzilla.suse.com/971124
https://bugzilla.suse.com/971125
https://bugzilla.suse.com/971126
https://bugzilla.suse.com/971360
https://bugzilla.suse.com/972510
https://bugzilla.suse.com/973570
https://bugzilla.suse.com/975945
https://bugzilla.suse.com/977847
https://bugzilla.suse.com/978822
https://www.suse.com/security/cve/CVE-2013-2015.html
https://www.suse.com/security/cve/CVE-2013-7446.html
https://www.suse.com/security/cve/CVE-2015-0272.html
https://www.suse.com/security/cve/CVE-2015-3339.html
https://www.suse.com/security/cve/CVE-2015-5307.html
https://www.suse.com/security/cve/CVE-2015-6252.html
https://www.suse.com/security/cve/CVE-2015-6937.html
https://www.suse.com/security/cve/CVE-2015-7509.html
https://www.suse.com/security/cve/CVE-2015-7515.html
https://www.suse.com/security/cve/CVE-2015-7550.html
https://www.suse.com/security/cve/CVE-2015-7566.html
https://www.suse.com/security/cve/CVE-2015-7799.html
https://www.suse.com/security/cve/CVE-2015-7872.html
https://www.suse.com/security/cve/CVE-2015-7990.html
https://www.suse.com/security/cve/CVE-2015-8104.html
https://www.suse.com/security/cve/CVE-2015-8215.html
https://www.suse.com/security/cve/CVE-2015-8539.html
https://www.suse.com/security/cve/CVE-2015-8543.html
https://www.suse.com/security/cve/CVE-2015-8569.html
https://www.suse.com/security/cve/CVE-2015-8575.html
https://www.suse.com/security/cve/CVE-2015-8767.html
https://www.suse.com/security/cve/CVE-2015-8785.html
https://www.suse.com/security/cve/CVE-2015-8812.html
https://www.suse.com/security/cve/CVE-2015-8816.html
https://www.suse.com/security/cve/CVE-2016-0723.html
https://www.suse.com/security/cve/CVE-2016-2069.html
https://www.suse.com/security/cve/CVE-2016-2143.html
https://www.suse.com/security/cve/CVE-2016-2184.html
https://www.suse.com/security/cve/CVE-2016-2185.html
https://www.suse.com/security/cve/CVE-2016-2186.html
https://www.suse.com/security/cve/CVE-2016-2188.html
https://www.suse.com/security/cve/CVE-2016-2384.html
https://www.suse.com/security/cve/CVE-2016-2543.html
https://www.suse.com/security/cve/CVE-2016-2544.html
https://www.suse.com/security/cve/CVE-2016-2545.html
https://www.suse.com/security/cve/CVE-2016-2546.html
https://www.suse.com/security/cve/CVE-2016-2547.html
https://www.suse.com/security/cve/CVE-2016-2548.html
https://www.suse.com/security/cve/CVE-2016-2549.html
https://www.suse.com/security/cve/CVE-2016-2782.html
https://www.suse.com/security/cve/CVE-2016-2847.html
https://www.suse.com/security/cve/CVE-2016-3134.html
https://www.suse.com/security/cve/CVE-2016-3137.html
https://www.suse.com/security/cve/CVE-2016-3138.html
https://www.suse.com/security/cve/CVE-2016-3139.html
https://www.suse.com/security/cve/CVE-2016-3140.html
https://www.suse.com/security/cve/CVE-2016-3156.html
https://www.suse.com/security/cve/CVE-2016-4486.html
http://www.nessus.org/u?f2996c2e

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP2-LTSS: zypper in -t patch
slessp2-kernel-source-12693=1

SUSE Linux Enterprise Debuginfo 11-SP2: zypper in -t patch
dbgsp2-kernel-source-12693=1

To bring your system up-to-date, use 'zypper patch'.
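Two checks a practitioner would want after applying the patch, written here as an added example (it is not part of the Tenable plugin or of the SUSE advisory): first, that the installed kernel-default package's RPM changelog mentions every CVE the advisory lists as fixed; second, that the kernel actually running is the one that was installed, because zypper installs the patched package but does not reboot, so a vulnerable kernel can keep running after the plugin's package check would pass. The rpm, uname and zypper commands in the comments are real; the changelog text and the version strings used for the stand-alone run are constructed placeholders, not the real SLES 11 SP2 changelog or kernel release numbers.

```sh
#!/bin/sh
# Added example, not part of the Tenable plugin or the SUSE advisory.
# Real-world use on a SLES 11 SP2 host:
#   missing_cves "$(rpm -q --changelog kernel-default)"
#   running_matches_installed "$(uname -r)" \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default)"

# The 46 CVEs listed as fixed in SUSE-SU-2016:2074-1. The two "related"
# CVEs the text mentions (CVE-2013-2015, CVE-2015-0272) are deliberately
# left out: the advisory does not claim to fix them.
ADVISORY_CVES="
CVE-2016-4486 CVE-2016-3134 CVE-2016-2847 CVE-2016-2188 CVE-2016-3138
CVE-2016-3137 CVE-2016-3140 CVE-2016-2186 CVE-2016-2185 CVE-2016-3156
CVE-2016-2184 CVE-2016-3139 CVE-2016-2143 CVE-2016-2782 CVE-2015-8816
CVE-2015-7566 CVE-2016-2549 CVE-2016-2547 CVE-2016-2548 CVE-2016-2546
CVE-2016-2545 CVE-2016-2544 CVE-2016-2543 CVE-2016-2384 CVE-2015-8812
CVE-2015-8785 CVE-2016-2069 CVE-2016-0723 CVE-2013-7446 CVE-2015-8767
CVE-2015-7515 CVE-2015-8215 CVE-2015-7550 CVE-2015-8569 CVE-2015-8575
CVE-2015-8543 CVE-2015-8539 CVE-2015-7509 CVE-2015-7799 CVE-2015-8104
CVE-2015-5307 CVE-2015-7990 CVE-2015-7872 CVE-2015-6937 CVE-2015-6252
CVE-2015-3339
"

# missing_cves CHANGELOG_TEXT
# Prints, space-separated, every advisory CVE that does not appear in
# CHANGELOG_TEXT. A CVE only counts as present when followed by a
# non-digit, so CVE-2016-2184 is not satisfied by a longer id such as
# CVE-2016-21840. Empty output means the package carries every fix.
missing_cves() {
    changelog="$1 "      # trailing space: sentinel for an id at end of text
    missing=""
    for cve in $ADVISORY_CVES; do
        case "$changelog" in
            *"$cve"[!0-9]*) ;;
            *) missing="$missing $cve" ;;
        esac
    done
    echo "${missing# }"
}

# running_matches_installed UNAME_R VERSION_RELEASE
# Returns 0 when the running kernel release (uname -r, of the form
# VERSION-RELEASE-flavor on SUSE) was built from the installed
# kernel-default package (rpm VERSION-RELEASE). Returns 1 when the
# package was updated but the old kernel is still running, i.e. a
# reboot is pending and the host is still exposed.
running_matches_installed() {
    case "$1" in
        "$2"-*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample changelog (NOT the real kernel-default changelog).
# It mentions three of the advisory's CVEs, so the check must flag the rest.
SAMPLE_CHANGELOG='* Thu May 19 2016 builder@example.invalid
- rtnetlink: fix 4 byte info leak (CVE-2016-4486 bsc#978822)
- netfilter: validate IPT_SO_SET_REPLACE offsets (CVE-2016-3134
  bnc#971126)
* Wed Apr 29 2015 builder@example.invalid
- fs/exec.c: close prepare_binprm setuid race (CVE-2015-3339 bnc#928130)'

# Stand-alone run on the constructed data; the version strings below are
# placeholders shaped like SUSE kernel releases, not the fixed version.
demo() {
    missing=$(missing_cves "$SAMPLE_CHANGELOG")
    if [ -z "$missing" ]; then
        echo "kernel-default changelog covers every CVE in SUSE-SU-2016:2074-1"
    else
        echo "changelog lacks: $missing"
    fi
    if running_matches_installed "3.0.101-0.7.17-default" "3.0.101-0.7.15"; then
        echo "running kernel is the installed one"
    else
        echo "installed kernel differs from running kernel: reboot required"
    fi
}
demo
```

The changelog check is only as good as the packager's discipline in naming CVEs in the spec changelog, so treat a non-empty result as "investigate", not as proof the fix is absent; the running-kernel comparison has no such ambiguity and is the one most often missed by package-based scanners.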

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true