SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2976-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security fixes and bug fixes. For PowerPC64, a new 'bigmem' kernel flavor has
been added to support large Power machines (FATE#319026). The following
security bugs were fixed :

- CVE-2016-7042: The proc_keys_show function in
security/keys/proc.c in the Linux kernel, when the GNU
Compiler Collection (gcc) stack protector is enabled,
uses an incorrect buffer size for certain timeout data,
which allowed local users to cause a denial of service
(stack memory corruption and panic) by reading the
/proc/keys file (bnc#1004517).

- CVE-2016-7097: The filesystem implementation in the
Linux kernel preserves the setgid bit during a setxattr
call, which allowed local users to gain group privileges
by leveraging the existence of a setgid program with
restrictions on execute permissions (bnc#995968).

- CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed
local users to obtain sensitive information or cause a
denial of service (NULL pointer dereference) via vectors
involving a bind system call on a Bluetooth RFCOMM
socket (bnc#1003925).

- CVE-2016-7117: Use-after-free vulnerability in the
__sys_recvmmsg function in net/socket.c in the Linux
kernel allowed remote attackers to execute arbitrary
code via vectors involving a recvmmsg system call that
is mishandled during error processing (bnc#1003077).

- CVE-2016-0823: The pagemap_open function in
fs/proc/task_mmu.c in the Linux kernel allowed local
users to obtain sensitive physical-address information
by reading a pagemap file, aka Android internal bug
25739721 (bnc#994759).

- CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did
not restrict a certain length field, which allowed local
users to gain privileges or cause a denial of service
(heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

- CVE-2016-3841: The IPv6 stack in the Linux kernel
mishandled options data, which allowed local users to
gain privileges or cause a denial of service
(use-after-free and system crash) via a crafted sendmsg
system call (bnc#992566).

- CVE-2016-6828: The tcp_check_send_head function in
include/net/tcp.h in the Linux kernel did not properly
maintain certain SACK state after a failed data copy,
which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system
crash) via a crafted SACK option (bnc#994296).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel
did not properly determine the rate of challenge ACK
segments, which made it easier for remote attackers to
hijack TCP sessions via a blind in-window attack

- CVE-2016-6480: Race condition in the ioctl_send_fib
function in drivers/scsi/aacraid/commctrl.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds access or system crash) by changing a
certain size value, aka a 'double fetch' vulnerability

- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt
implementation in the netfilter subsystem in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds read) or possibly obtain sensitive
information from kernel heap memory by leveraging
in-container root access to provide a crafted offset
value that leads to crossing a ruleset blob boundary

- CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel
did not reset the PIT counter values during state
restoration, which allowed guest OS users to cause a
denial of service (divide-by-zero error and host OS
crash) via a zero value, related to the
kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions

- CVE-2013-4312: The Linux kernel allowed local users to
bypass file-descriptor limits and cause a denial of
service (memory consumption) by sending each descriptor
over a UNIX socket before closing it, related to
net/unix/af_unix.c and net/unix/garbage.c (bnc#839104
bsc#922947 bsc#968014).

The following non-security bugs were fixed :

- ahci: Order SATA device IDs for codename Lewisburg

- ahci: Remove obsolete Intel Lewisburg SATA RAID device
IDs (fate#319286).

- alsa: hda - Add Intel Lewisburg device IDs Audio

- arch/powerpc: Remove duplicate/redundant Altivec entries

- avoid dentry crash triggered by NFS (bsc#984194).

- bigmem: Add switch to configure bigmem patches

- blktap2: eliminate deadlock potential from shutdown path

- blktap2: eliminate race from deferred work queue
handling (bsc#911687).

- bnx2x: fix lockdep splat (bsc#908684 FATE#317539).

- bonding: always set recv_probe to bond_arp_rcv in arp
monitor (bsc#977687).

- bonding: fix bond_arp_rcv setting and arp validate
desync state (bsc#977687).

- btrfs: account for non-CoW'd blocks in
btrfs_abort_transaction (bsc#983619).

- btrfs: ensure that file descriptor used with subvol
ioctls is a dir (bsc#999600).

- cdc-acm: added sanity checking for probe() (bsc#993891).

- config.conf: add bigmem flavour on ppc64

- cpumask, nodemask: implement cpumask/nodemask_pr_args()

- cxgb4: Set VPD size so we can read both VPD structures

- dm space map metadata: fix sm_bootstrap_get_nr_blocks()

- dm thin: fix race condition when destroying thin pool
workqueue (FATE#313903).

- drivers: hv: vmbus: avoid scheduling in interrupt
context in vmbus_initiate_unload() (bnc#986337).

- drivers: hv: vmbus: avoid wait_for_completion() on crash

- drivers: hv: vmbus: do not lose HVMSG_TIMER_EXPIRED
messages (bnc#986337).

- drivers: hv: vmbus: do not send CHANNELMSG_UNLOAD on
pre-Win2012R2 hosts (bnc#986337).

- drivers: hv: vmbus: handle various crash scenarios

- drivers: hv: vmbus: remove code duplication in message
handling (bnc#986337).

- drivers: hv: vss: run only on supported host versions

- fs/cifs: cifs_get_root shouldn't use path with tree name
(bsc#963655, bsc#979681).

- fs/cifs: Compare prepaths when comparing superblocks

- fs/cifs: Fix memory leaks in cifs_do_mount()

- fs/cifs: Fix regression which breaks DFS mounting

- fs/cifs: fix wrongly prefixed path to root (bsc#963655,

- fs/cifs: make share unaccessible at root level mountable

- fs/cifs: Move check for prefix path to within
cifs_get_root() (bsc#799133).

- fs/select: add vmalloc fallback for select(2)

- hv: do not lose pending heartbeat vmbus packets

- i2c: i801: add Intel Lewisburg device IDs (fate#319286).

- i40e: fix an uninitialized variable bug (bsc#909484

- include/linux/mmdebug.h: should include linux/bug.h
(bnc#971975 VM performance -- git fixes).

- increase CONFIG_NR_IRQS 512 -> 2048: a reported irq error
with multiple nvme and tg3 devices in the same machine is
resolved by increasing CONFIG_NR_IRQS (bsc#998399).

- introduce SIZE_MAX (bsc#1000189).

- ipv6: replacing a rt6_info needs to purge possible
propagated rt6_infos too (bsc#865783).

- kabi: Import kabi files from 3.0.101-80

- kabi-fix for flock_owner addition (bsc#998689).

- kabi, unix: properly account for FDs passed over unix
sockets (bnc#839104).

- kaweth: fix firmware download (bsc#993890).

- kaweth: fix oops upon failed memory allocation

- kvm: x86: only channel 0 of the i8254 is linked to the
HPET (bsc#960689).

- kvm: x86: SYSENTER emulation is broken (bsc#994618).

- libata: support the ata host which implements a queue
depth less than 32 (bsc#871728)

- libfc: sanity check cpu number extracted from xid

- lib/vsprintf: implement bitmap printing through
'%*pb[l]' (bnc#1003866).

- lpfc: call lpfc_sli_validate_fcp_iocb() with the hbalock
held (bsc#951392).

- bigmem: make bigmem patches configurable

- md: check command validity early in md_ioctl()

- md: Drop sending a change uevent when stopping

- md: fix problem when adding device to read-only array
with bitmap (bnc#771065).

- md: lockless I/O submission for RAID1 (bsc#982783).

- md/raid10: always set reshape_safe when initializing
reshape_position (fate#311379).

- md/raid10: Fix memory leak when raid10 reshape completes

- mm: fix sleeping function warning from __put_anon_vma

- mm/memory.c: actually remap enough memory (bnc#1005903).

- mm: thp: fix SMP race condition between THP page fault
and MADV_DONTNEED (VM Functionality, bnc#986445).

- mm, vmscan: Do not wait for page writeback for GFP_NOFS
allocations (bnc#763198).

- Move patches that create ppc64-bigmem to the powerpc
section. Add comments that outline the procedure and
warn the unsuspecting.

- move the call of __d_drop(anon) into
__d_materialise_unique(dentry, anon) (bsc#984194).

- mpt2sas, mpt3sas: Fix panic when aer correct error
occurred (bsc#997708).

- mshyperv: fix recognition of Hyper-V guest crash MSRs

- net: add pfmemalloc check in sk_add_backlog()

- netback: fix flipping mode (bsc#996664).

- netfilter: ipv4: defrag: set local_df flag on
defragmented skb (bsc#907611).

- netvsc: fix incorrect receive checksum offloading

- nfs4: reset states to use open_stateid when returning
delegation voluntarily (bsc#1007944).

- nfs: Do not disconnect open-owner on NFS4ERR_BAD_SEQID

- nfs: Do not drop directory dentry which is in use

- nfs: Do not write enable new pages while an invalidation
is proceeding (bsc#999584).

- nfs: Fix an LOCK/OPEN race when unlinking an open file

- nfs: Fix a regression in the read() syscall

- nfs: Fix races in nfs_revalidate_mapping (bsc#999584).

- nfs: fix the handling of NFS_INO_INVALID_DATA flag in
nfs_revalidate_mapping (bsc#999584).

- nfs: Fix writeback performance issue on cache
invalidation (bsc#999584).

- nfs: Refresh open-owner id when server says SEQID is bad

- nfsv4.1: Fix an NFSv4.1 state renewal regression

- nfsv4: add flock_owner to open context (bnc#998689).

- nfsv4: change nfs4_do_setattr to take an open_context
instead of a nfs4_state (bnc#998689).

- nfsv4: change nfs4_select_rw_stateid to take a
lock_context in place of lock_owner (bnc#998689).

- nfsv4: do not check MAY_WRITE access bit in OPEN

- nfsv4: enhance nfs4_copy_lock_stateid to use a flock
stateid if there is one (bnc#998689).

- nfsv4: fix broken patch relating to v4 read delegations
(bsc#956514, bsc#989261, bsc#979595).

- nfsv4: Fix range checking in __nfs4_get_acl_uncached and
__nfs4_proc_set_acl (bsc#982218).

- oom: print nodemask in the oom report (bnc#1003866).

- pci: Add pci_set_vpd_size() to set VPD size

- pciback: fix conf_space read/write overlap check.

- pciback: return proper values during BAR sizing.

- pci_ids: Add PCI device ID functions 3 and 4 for newer
F15h models (fate#321400).

- pm / hibernate: Fix rtree_next_node() to avoid walking
off list ends (bnc#860441).

- powerpc/64: Fix incorrect return value from
__copy_tofrom_user (bsc#1005896).

- powerpc: Add ability to build little endian kernels

- powerpc: add kernel parameter iommu_alloc_quiet

- powerpc: Avoid load of static chain register when
calling nested functions through a pointer on 64bit

- powerpc: blacklist fixes for unsupported
subarchitectures (ppc32 only: 6e0fdf9af216 powerpc: fix
typo 'CONFIG_PMAC'; obscure hardware: f7e9e3583625
powerpc: Fix missing L2 cache size in

- powerpc: Build fix for powerpc KVM

- powerpc: Do not build assembly files with ABIv2

- powerpc: Do not use ELFv2 ABI to build the kernel

- powerpc: dtc is required to build dtb files

- powerpc: Fix 64 bit builds with binutils 2.24

- powerpc: Fix error when cross building TAGS & cscope

- powerpc: Make the vdso32 also build big-endian

- powerpc: Make VSID_BITS* dependency explicit

- powerpc/mm: Add 64TB support (bsc#928138,fate#319026).

- powerpc/mm: Change the swap encoding in pte

- powerpc/mm: Convert virtual address to vpn

- powerpc/mm: Fix hash computation function

- powerpc/mm: Increase the slice range to 64TB

- powerpc/mm: Make KERN_VIRT_SIZE not dependent on
PGTABLE_RANGE (bsc#928138,fate#319026).

- powerpc/mm: Make some of the PGTABLE_RANGE dependency
explicit (bsc#928138,fate#319026).

- powerpc/mm: Replace open coded CONTEXT_BITS value

- powerpc/mm: Simplify hpte_decode

- powerpc/mm: Update VSID allocation documentation

- powerpc/mm: Use 32bit array for slb cache

- powerpc/mm: Use hpt_va to compute virtual address

- powerpc/mm: Use the required number of VSID bits in
slbmte (bsc#928138,fate#319026).

- powerpc: Move kdump default base address to half RMO
size on 64bit (bsc#1003344).

- powerpc: Remove altivec fix for gcc versions before 4.0

- powerpc: Remove buggy 9-year-old test for binutils

- powerpc: Rename USER_ESID_BITS* to ESID_BITS*

- powerpc: Require gcc 4.0 on 64-bit (bsc#967716).

- powerpc: Update kernel VSID range

- ppp: defer netns reference release for ppp channel

- qlcnic: fix a timeout loop (bsc#909350 FATE#317546)

- random32: add prandom_u32_max (bsc#989152).

- remove problematic preprocessor constructs

- REVERT fs/cifs: fix wrongly prefixed path to root
(bsc#963655, bsc#979681)

- rpm/ Bump x86 disk space requirement to 20GB. Clamav
tends to run out of space nowadays.

- rpm/package-descriptions: add -bigmem description

- s390/cio: fix accidental interrupt enabling during
resume (bnc#1003677, LTC#147606).

- s390/dasd: fix hanging device after clear subchannel
(bnc#994436, LTC#144640).

- s390/time: LPAR offset handling (bnc#1003677,

- s390/time: move PTFF definitions (bnc#1003677,

- sata: Adding Intel Lewisburg device IDs for SATA

- sched/core: Fix an SMP ordering race in try_to_wake_up()
vs. schedule() (bnc#1001419).

- sched/core: Fix a race between try_to_wake_up() and a
woken up task (bnc#1002165).

- sched: Fix possible divide by zero in avg_atom()
calculation (bsc#996329).

- scripts/bigmem-generate-ifdef-guard: auto-regen

- scripts/bigmem-generate-ifdef-guard: Include this script
to regenerate

- scripts/bigmem-generate-ifdef-guard: make executable

- scsi_dh_rdac: retry inquiry for UNIT ATTENTION

- scsi: do not print 'reservation conflict' for TEST UNIT
READY (bsc#984102).

- scsi: ibmvfc: add FC Class 3 Error Recovery support

- scsi: ibmvfc: Fix I/O hang when port is not mapped

- scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in
PRLI (bsc#984992).

- scsi_scan: Send TEST UNIT READY to LUN0 before LUN
scanning (bnc#843236,bsc#989779).

- scsi: zfcp: spin_lock_irqsave() is not nestable

on all platforms. The specfile adjusts the config if
necessary, but a new version of
requires the settings to be present in the repository.

- sfc: on MC reset, clear PIO buffer linkage in TXQs
(bsc#909618 FATE#317521).

- sort hyperv patches properly in series.conf

- sunrpc/cache: drop reference when
sunrpc_cache_pipe_upcall() detects a race (bnc#803320).

- tg3: Avoid NULL pointer dereference in
tg3_io_error_detected() (bsc#908458 FATE#317507).

- tmpfs: change final i_blocks BUG to WARNING

- tty: Signal SIGHUP before hanging up ldisc (bnc#989764).

- Update patches.xen/xen3-auto-arch-x86.diff (bsc#929141,

- usb: fix typo in wMaxPacketSize validation (bsc#991665).

- usb: hub: Fix auto-remount of safely removed or ejected
USB-3 devices (bsc#922634).

- usb: hub: Fix unbalanced reference count/memory
leak/deadlocks (bsc#968010).

- usb: validate wMaxPacketValue entries in endpoint
descriptors (bnc#991665).

- vlan: do not deliver frames for unknown vlans to
protocols (bsc#979514).

- vlan: mask vlan prio bits (bsc#979514).

- vmxnet3: Wake queue from reset work (bsc#999907).

- x86, amd_nb: Clarify F15h, model 30h GART and L3 support

- x86/asm/traps: Disable tracing and kprobes in
fixup_bad_iret and sync_regs (bsc#909077).

- x86/cpu/amd: Set X86_FEATURE_EXTD_APICID for future
processors (fate#321400).

- x86/gart: Check for GART support before accessing GART
registers (fate#321400).

- x86/MCE/intel: Cleanup CMCI storm logic (bsc#929141).

- xenbus: inspect the correct type in

- xen: x86/mm/pat, /dev/mem: Remove superfluous error
message (bsc#974620).

- xfs: Avoid grabbing ilock when file size is not changed

- xfs: Silence warnings in xfs_vm_releasepage()
(bnc#915183 bsc#987565).

- zfcp: close window with unblocked rport during rport
gone (bnc#1003677, LTC#144310).

- zfcp: fix D_ID field with actual value on tracing SAN
responses (bnc#1003677, LTC#144312).

- zfcp: fix ELS/GS request&response length for hardware
data router (bnc#1003677, LTC#144308).

- zfcp: fix payload trace length for SAN request&response
(bnc#1003677, LTC#144312).

- zfcp: restore: Don't use 0 to indicate invalid LUN in rec
trace (bnc#1003677, LTC#144312).

- zfcp: restore tracing of handle for port and LUN with
HBA records (bnc#1003677, LTC#144312).

- zfcp: retain trace level for SCSI and HBA FSF response
records (bnc#1003677, LTC#144312).

- zfcp: trace full payload of all SAN records
(req,resp,iels) (bnc#1003677, LTC#144312).

- zfcp: trace on request for open and close of WKA port
(bnc#1003677, LTC#144312).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

To install this SUSE Security Update, use YaST online_update.
Alternatively, you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-kernel-12869=1

SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch

SUSE Linux Enterprise Server 11-EXTRA:
zypper in -t patch

SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch

To bring your system up to date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.4
Public Exploit Available : false
