Scientific Linux Security Update : kernel on SL6.x i386/x86_64

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

Security Fix(es) :

- A flaw was found in the Linux kernel's keyring handling
code, where in key_reject_and_link() an uninitialized
variable would eventually lead to arbitrary free address
which could allow attacker to use a use-after-free style
attack. (CVE-2016-4470, Important)

- A heap-based buffer overflow vulnerability was found in
the Linux kernel's hiddev driver. This flaw could allow
a local attacker to corrupt kernel memory, possible
privilege escalation or crashing the system.
(CVE-2016-5829, Moderate)

The CVE-2016-4470 issue was discovered by David Howells (Red Hat
Inc.).

Bug Fix(es) :

- Previously, when two NFS shares with different security
settings were mounted, the I/O operations to the
kerberos-authenticated mount caused the
RPC_CRED_KEY_EXPIRE_SOON parameter to be set, but the
parameter was not unset when performing the I/O
operations on the sec=sys mount. Consequently, writes to
both NFS shares had the same parameters, regardless of
their security settings. This update fixes this problem
by moving the NO_CRKEY_TIMEOUT parameter to the
auth->au_flags field. As a result, NFS shares with
different security settings are now handled as expected.

- In some circumstances, resetting a Fibre Channel over
Ethernet (FCoE) interface could lead to a kernel panic,
due to invalid information extracted from the FCoE
header. This update adds santiy checking to the cpu
number extracted from the FCoE header. This ensures that
subsequent operations address a valid cpu, and
eliminates the kernel panic.

- Prior to this update, the following problems occurred
with the way GSF2 transitioned files and directories
from the 'unlinked' state to the 'free' state :

The numbers reported for the df and the du commands in some cases got
out of sync, which caused blocks in the file system to appear missing.
The blocks were not actually missing, but they were left in the
'unlinked' state.

In some circumstances, GFS2 referenced a cluster lock that was already
deleted, which led to a kernel panic.

If an object was deleted and its space reused as a different object,
GFS2 sometimes deleted the existing one, which caused file system
corruption.

With this update, the transition from 'unlinked' to 'free' state has
been fixed. As a result, none of these three problems occur anymore.

- Previously, the GFS2 file system in some cases became
unresponsive due to lock dependency problems between
inodes and the cluster lock. This occurred most
frequently on nearly full file systems where files and
directories were being deleted and recreated at the same
block location at the same time. With this update, a set
of patches has been applied to fix these lock
dependencies. As a result, GFS2 no longer hangs in the
described circumstances.

- When used with controllers that do not support DCMD-
MR_DCMD_PD_LIST_QUERY, the megaraid_sas driver can go
into infinite error reporting loop of error reporting
messages. This could cause difficulties with finding
other important log messages, or even it could cause the
disk to overflow. This bug has been fixed by ignoring
the DCMD MR_DCMD_PD_LIST_QUERY query for controllers
which do not support it and sending the DCMD SUCCESS
status to the AEN functions. As a result, the error
messages no longer appear when there is a change in the
status of one of the arrays.

See also :

http://www.nessus.org/u?14b4f588

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 93892 ()

Bugtraq ID:

CVE ID: CVE-2016-4470
CVE-2016-5829

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now