openSUSE Security Update : the Linux Kernel (openSUSE-2016-1410)

Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE 13.1 kernel was updated to 3.12.67 to receive various
security and bug fixes.

The following security bugs were fixed :

- CVE-2013-5634: arch/arm/kvm/arm.c in the Linux kernel on
the ARM platform, when KVM is used, allowed host OS
users to cause a denial of service (NULL pointer
dereference, OOPS, and host OS crash) or possibly have
unspecified other impact by omitting vCPU initialization
before a KVM_GET_REG_LIST ioctl call. (bsc#994758)

- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in
the Linux kernel allowed local users to gain privileges
by triggering access to a paging structure by a
different CPU (bnc#963767).

- CVE-2016-7042: The proc_keys_show function in
security/keys/proc.c in the Linux kernel used an
incorrect buffer size for certain timeout data, which
allowed local users to cause a denial of service (stack
memory corruption and panic) by reading the /proc/keys
file (bnc#1004517).

- CVE-2016-7097: The filesystem implementation in the
Linux kernel preserved the setgid bit during a setxattr
call, which allowed local users to gain group privileges
by leveraging the existence of a setgid program with
restrictions on execute permissions (bnc#995968).

- CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed
local users to obtain sensitive information or cause a
denial of service (NULL pointer dereference) via vectors
involving a bind system call on a Bluetooth RFCOMM
socket (bnc#1003925).

- CVE-2016-8658: Stack-based buffer overflow in the
brcmf_cfg80211_start_ap function in
1.c in the Linux kernel allowed local users to cause a
denial of service (system crash) or possibly have
unspecified other impact via a long SSID Information
Element in a command to a Netlink socket (bnc#1004462).

- CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did
not restrict a certain length field, which allowed local
users to gain privileges or cause a denial of service
(heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in
the Linux kernel allowed local users to cause a denial
of service (NULL pointer dereference and system crash)
by using an ABORT_TASK command to abort a device write
operation (bnc#994748).

- CVE-2016-6828: The tcp_check_send_head function in
include/net/tcp.h in the Linux kernel did not properly
maintain certain SACK state after a failed data copy,
which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system
crash) via a crafted SACK option (bnc#994296).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel
did not properly determine the rate of challenge ACK
segments, which made it easier for remote attackers to
hijack TCP sessions via a blind in-window attack

- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb
function in drivers/s390/char/sclp_ctl.c in the Linux
kernel allowed local users to obtain sensitive
information from kernel memory by changing a certain
length value, aka a 'double fetch' vulnerability

- CVE-2016-6480: Race condition in the ioctl_send_fib
function in drivers/scsi/aacraid/commctrl.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds access or system crash) by changing a
certain size value, aka a 'double fetch' vulnerability

The following non-security bugs were fixed :

- aacraid: Fix RRQ overload (bsc#1003079).

- acpi / pm: Ignore wakeup setting if the ACPI companion
can't wake up (FATE#315621).

- af_vsock: Shrink the area influenced by prepare_to_wait

- apparmor: add missing id bounds check on dfa
verification (bsc#1000304).

- apparmor: check that xindex is in trans_table bounds

- apparmor: do not check for vmalloc_addr if kvzalloc()
failed (bsc#1000304).

- apparmor: do not expose kernel stack (bsc#1000304).

- apparmor: ensure the target profile name is always
audited (bsc#1000304).

- apparmor: exec should not be returning ENOENT when it
denies (bsc#1000304).

- apparmor: fix arg_size computation for when setprocattr
is null terminated (bsc#1000304).

- apparmor: fix audit full profile hname on successful
load (bsc#1000304).

- apparmor: fix change_hat not finding hat after policy
replacement (bsc#1000287).

- apparmor: fix disconnected bind mnts reconnection

- apparmor: fix log failures for all profiles in a set

- apparmor: fix module parameters can be changed after
policy is locked (bsc#1000304).

- apparmor: fix oops in profile_unpack() when policy_db is
not present (bsc#1000304).

- apparmor: fix oops, validate buffer size in
apparmor_setprocattr() (bsc#1000304).

- apparmor: fix put() parent ref after updating the active
ref (bsc#1000304).

- apparmor: fix refcount bug in profile replacement

- apparmor: fix refcount race when finding a child profile

- apparmor: fix replacement bug that adds new child to old
parent (bsc#1000304).

- apparmor: fix uninitialized lsm_audit member

- apparmor: fix update the mtime of the profile file on
replacement (bsc#1000304).

- apparmor: internal paths should be treated as
disconnected (bsc#1000304).

- apparmor: use list_next_entry instead of list_entry_next

- arm64: Ensure pmd_present() returns false after
pmd_mknotpresent() (Automatic NUMA Balancing

- arm64: mm: remove broken &= operator from
pmd_mknotpresent (Automatic NUMA Balancing

- avoid dentry crash triggered by NFS (bsc#984194).

- be2net: Do not leak iomapped memory on removal
(bsc#921784 FATE#318561).

- be2net: fix BE3-R FW download compatibility check
(bsc#921784 FATE#318561).

- be2net: fix wrong return value in
be_check_ufi_compatibility() (bsc#921784 FATE#318561).

- be2net: remove vlan promisc capability from VF's profile
descriptors (bsc#921784 FATE#318561).

- blacklist.conf :

- blacklist.conf: 78f3d050c34b We do not support fsl

- blacklist.conf: add 5195c14c8b27 (reverted and
superseded by a commit we already have)

- blacklist.conf: Add entry for
7bf52fb891b64b8d61caf0b82060adb9db761aec The commit
7bf52fb891b6 ('mm: vmscan: reclaim highmem zone if
buffer_heads is over limit') is unnecessary as the fix
is also available from commit d4debc66d1fc ('vmscan:
remove unnecessary temporary vars in

- blacklist.conf: add pointless networking follow-up fixes

- blacklist.conf: Add two fanotify commits which we do not
need (fixes tag was not quite accurate)

- blacklist.conf: Blacklist unsupported architectures

- blkfront: fix an error path memory leak (luckily none so

- blk-mq: fix undefined behaviour in order_to_size()

- blktap2: eliminate deadlock potential from shutdown path

- blktap2: eliminate race from deferred work queue
handling (bsc#911687).

- bond: Check length of IFLA_BOND_ARP_IP_TARGET attributes

- bonding: always set recv_probe to bond_arp_rcv in arp
monitor (bsc#977687).

- bonding: fix curr_active_slave/carrier with loadbalance
arp monitoring (fate#316924).

- bonding: Prevent IPv6 link local address on enslaved
devices (fate#316924).

- bonding: prevent out of bound accesses (fate#316924).

- bonding: set carrier off for devices created through
netlink (bsc#999577).

- btrfs: account for non-CoW'd blocks in
btrfs_abort_transaction (bsc#983619).

- btrfs: add missing discards when unpinning extents with
-o discard (bsc#904489).

- btrfs: btrfs_issue_discard ensure offset/length are
aligned to sector boundaries (bsc#904489).

- btrfs: do not create or leak aliased root while cleaning
up orphans (bsc#904489).

- btrfs: ensure that file descriptor used with subvol
ioctls is a dir (bsc#999600).

- btrfs: explicitly delete unused block groups in
close_ctree and ro-remount (bsc#904489).

- btrfs: Fix a data space underflow warning (bsc#985562,
bsc#975596, bsc#984779)

- btrfs: fix fitrim discarding device area reserved for
boot loader's use (bsc#904489).

- btrfs: handle quota reserve failure properly

- btrfs: iterate over unused chunk space in FITRIM

- btrfs: make btrfs_issue_discard return bytes discarded

- btrfs: properly track when rescan worker is running

- btrfs: remove unnecessary locking of cleaner_mutex to
avoid deadlock (bsc#904489).

- btrfs: reorder patches to place local patches back at
the end of the series

- btrfs: skip superblocks during discard (bsc#904489).

- btrfs: test_check_exists: Fix infinite loop when
searching for free space entries (bsc#987192).

- btrfs: waiting on qgroup rescan should not always be
interruptible (bsc#992712).

- cdc-acm: added sanity checking for probe() (bsc#993891).

- cephfs: ignore error from
invalidate_inode_pages2_range() in direct write

- cephfs: remove warning when ceph_releasepage() is called
on dirty page (bsc#995153).

- clockevents: export clockevents_unbind_device instead of
clockevents_unbind (bnc#937888).

- conntrack: RFC5961 challenge ACK confuse conntrack
LAST-ACK transition (bsc#966864).

- cpumask, nodemask: implement cpumask/nodemask_pr_args()

- cxgbi: fix uninitialized flowi6 (bsc#924384 FATE#318570

- dm: fix AB-BA deadlock in __dm_destroy(). (bsc#970943)

- drivers/hv: share Hyper-V SynIC constants with userspace

- drivers: hv: vmbus: avoid scheduling in interrupt
context in vmbus_initiate_unload() (bnc#937888).

- drivers: hv: vmbus: avoid unneeded compiler
optimizations in vmbus_wait_for_unload() (bnc#937888).

- drivers: hv: vmbus: avoid wait_for_completion() on crash

- drivers: hv: vmbus: Cleanup vmbus_set_event()

- drivers: hv: vmbus: do not lose HVMSG_TIMER_EXPIRED
messages (bnc#937888).

- drivers: hv: vmbus: do not manipulate with clocksources
on crash (bnc#937888).

- drivers: hv: vmbus: Force all channel messages to be
delivered on CPU 0 (bnc#937888).

- drivers: hv: vmbus: Get rid of the unused irq variable

- drivers: hv: vmbus: handle various crash scenarios

- drivers: hv: vmbus: remove code duplication in message
handling (bnc#937888).

- drivers: hv: vmbus: Support handling messages on
multiple CPUs (bnc#937888).

- drivers: hv: vmbus: Support kexec on ws2012 r2 and above

- efi: Small leak on error in runtime map code

- ext2: Enable ext2 driver in config files (bsc#976195,

- ext4: Add parameter for tuning handling of ext2

- Fix kabi change caused by adding flock_owner to
open_context (bsc#998689).

- fix pCPU handling (luckily none so far).

- fix
ch (bsc#1003153).

- fs/cifs: cifs_get_root shouldn't use path with tree name
(bsc#963655, bsc#979681).

- fs/cifs: Compare prepaths when comparing superblocks

- fs/cifs: Fix memory leaks in cifs_do_mount()

- fs/cifs: Fix regression which breaks DFS mounting

- fs/cifs: make share unaccessible at root level mountable

- fs/cifs: Move check for prefix path to within
cifs_get_root() (bsc#799133).

- fs/cifs: REVERT fix wrongly prefixed path to root
(bsc#963655, bsc#979681)

- fs/select: add vmalloc fallback for select(2)

- ftrace/x86: Set ftrace_stub to weak to prevent gcc from
using short jumps to it (bsc#984419).

- hyperv: enable call to clockevents_unbind_device in
kexec/kdump path

- hyperv: replace KEXEC_CORE by plain KEXEC because we
lack 2965faa5e0 in the base kernel

- i40e: fix an uninitialized variable bug (bnc#857397

- ib/IWPM: Fix a potential skb leak (bsc#924381
FATE#318568 bsc#921338).

- ib/mlx5: Fix RC transport send queue overhead
computation (bnc#865545 FATE#316891).

- introduce NETIF_F_GSO_ENCAP_ALL helper mask

- iommu/amd: Update Alias-DTE in update_device_table()

- ipv6: fix multipath route replace error recovery

- ipv6: KABI workaround for ipv6: add complete rcu
protection around np->opt.

- ipv6: send NEWLINK on RA managed/otherconf changes

- ipv6: send only one NEWLINK when RA causes changes

- iscsi: Add a missed complete in iscsit_close_connection
(bsc#992555, bsc#987805).

- iwlwifi: dvm: fix flush support for old firmware

- kabi: clockevents: export clockevents_unbind again.

- kabi: hide harmless change in struct
inet_connection_sock (fate#318553).

- kABI: protect backing-dev include in mm/migrate.

- kABI: protect enum usb_device_speed.

- kABI: protect struct mlx5_modify_qp_mbox_in.

- kABI: protect struct mmc_packed (kabi).

- kabi: work around kabi changes from commit 53f9ff48f636

- kaweth: fix firmware download (bsc#993890).

- kaweth: fix oops upon failed memory allocation

- kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd

- kernel/printk/printk.c: fix faulty logic in the case of
recursive printk (bnc#744692, bnc#789311).

- kvm: do not handle APIC access page if in-kernel irqchip
is not in use (bsc#959463).

- kvm: vmx: defer load of APIC access page address during
reset (bsc#959463).

- libceph: enable large, variable-sized OSD requests

- libceph: make r_request msg_size calculation clearer

- libceph: move r_reply_op_{len,result} into struct
ceph_osd_req_op (bsc#988715).

- libceph: osdc->req_mempool should be backed by a slab
pool (bsc#988715).

- libceph: rename ceph_osd_req_op::payload_len to
indata_len (bsc#988715).

- libfc: do not send ABTS when resetting exchanges

- libfc: Do not take rdata->rp_mutex when processing a
-FC_EX_CLOSED ELS response (bsc#962846).

- libfc: Fixup disc_mutex handling (bsc#962846).

- libfc: fixup locking of ptp_setup() (bsc#962846).

- libfc: Issue PRLI after a PRLO has been received

- libfc: reset exchange manager during LOGO handling

- libfc: Revisit kref handling (bnc#990245).

- libfc: sanity check cpu number extracted from xid

- libfc: send LOGO for PLOGI failure (bsc#962846).

- lib/vsprintf: implement bitmap printing through
'%*pb[l]' (bnc#1003866).

- md: check command validity early in md_ioctl()

- md: Drop sending a change uevent when stopping

- md: lockless I/O submission for RAID1 (bsc#982783).

- md/raid5: fix a recently broken BUG_ON() (bsc#1006691).

- memcg: convert threshold to bytes (bnc#931454).

- memcg: fix thresholds for 32b architectures

- mm, cma: prevent nr_isolated_* counters from going
negative (bnc#971975 VM performance -- git fixes).

- mm: thp: fix SMP race condition between THP page fault
and MADV_DONTNEED (VM Functionality, bnc#986445).

- module: Issue warnings when tainting kernel

- mpt2sas, mpt3sas: Fix panic when aer correct error
occurred (bsc#997708).

- mpt3sas: Update
efore-enabli.patch (bsc#967640, bsc#992244).

- msi-x: fix an error path (luckily none so far).

- netback: fix flipping mode (bsc#996664).

- netback: fix refcounting (bsc#978094).

- netfront: do not truncate grant references.

- netfront: use correct linear area after linearizing an
skb (bsc#1007886).

- nfs4: reset states to use open_stateid when returning
delegation voluntarily (bsc#1003400).

- nfs: Add a stub for GETDEVICELIST (bnc#898675).

- nfs: Do not write enable new pages while an invalidation
is proceeding (bsc#999584).

- nfsd: Use free_conn to free connection (bsc#979451).

- nfs: Fix an LOCK/OPEN race when unlinking an open file

- nfs: Fix a regression in the read() syscall

- nfs: fix BUG() crash in notify_change() with patch to
chown_common() (bnc#876463).

- nfs: fix pg_test page count calculation (bnc#898675).

- nfs: nfs4_fl_prepare_ds must be careful about reporting
success (bsc#1000776).

- nfsv4: add flock_owner to open context (bnc#998689).

- nfsv4: change nfs4_do_setattr to take an open_context
instead of a nfs4_state (bnc#998689).

- nfsv4: change nfs4_select_rw_stateid to take a
lock_context in place of lock_owner (bnc#998689).

- nfsv4: enhance nfs4_copy_lock_stateid to use a flock
stateid if there is one (bnc#998689).

- nfsv4: Ensure nfs_atomic_open set the dentry verifier on
ENOENT (bnc#866130).

- oom: print nodemask in the oom report (bnc#1003866).

- packet: tpacket_snd(): fix signed/unsigned comparison

- perf/x86/intel: Fix bug for 'cycles:p' and 'cycles:pp'
on SLM (bsc#997896).

- pm / hibernate: Fix 2G size issue of snapshot image
verification (bsc#1004252).

- pm / hibernate: Fix rtree_next_node() to avoid walking
off list ends (bnc#860441).

- powerpc: add kernel parameter iommu_alloc_quiet

- printk: add kernel parameter to control writes to
/dev/kmsg (bsc#979928).

- qgroup: Prevent qgroup->reserved from going subzero

- qlcnic: potential NULL dereference in
qlcnic_83xx_get_minidump_template() (bsc#922064

- radeon: avoid boot hang in Xen Dom0 (luckily none so

- ratelimit: extend to print suppressed messages on
release (bsc#979928).

- ratelimit: fix bug in time interval by resetting right
begin time (bsc#979928).

- rbd: truncate objects on cmpext short reads

- rcu: Fix improper use of RCU in
opt.kabi.patch. (bsc#961257)

- Refresh
. After a write, we must free the 'request', not the
'response'. This error crept in during the backport.

- Refresh patches.xen/xen3-patch-3.9 (bsc#991247).

- Rename
ad_struct-for-storing-RIP.patch to match its non-Xen

- Revert 'can: dev: fix deadlock reported after bus-off'.

- Revert 'Input: i8042 - break load dependency between
atkbd/psmouse and i8042'.

- Revert 'Input: i8042 - set up shared ps2_cmd_mutex for
AUX ports'.

- rpm/ do not prepend '60.' to release string
This is needed for SLE maintenance workflow, no need for
that in evergreen-13.1.

- rpm/ Set the SP1 release string to
60.<RELEASE> (bsc#997059)

- rpm/mkspec: Read a default release string from
rpm/ (bsc#997059)

- rtnetlink: avoid 0 sized arrays (fate#316924).

- s390: add SMT support (bnc#994438, LTC#144756).

- sched/core: Fix an SMP ordering race in try_to_wake_up()
vs. schedule() (bnc#1001419).

- sched/core: Fix a race between try_to_wake_up() and a
woken up task (bsc#1002165, bsc#1001419).

- scsi: ibmvfc: add FC Class 3 Error Recovery support

- scsi: ibmvfc: Fix I/O hang when port is not mapped

- scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in
PRLI (bsc#984992).

- sd: Fix memory leak caused by RESET_WP patch

- squashfs3: properly handle dir_emit() failures

- sunrpc: Add missing support for

- sunrpc: Fix a regression when reconnecting (bsc#946309).

- supported.conf: Add ext2

- supported.conf: Add iscsi modules to -base (bsc#997299)

- supported.conf: Add tun to -base (bsc#992593)

- supported.conf: Add veth to -base (bsc#992591)

- target: Fix missing complete during ABORT_TASK +
CMD_T_FABRIC_STOP (bsc#987621).

- target: Fix race between iscsi-target connection
shutdown + ABORT_TASK (bsc#987621).

- tcp: add proper TS val into RST packets (bsc#937086).

- tcp: align tcp_xmit_size_goal() on tcp_tso_autosize()

- tcp: fix child sockets to use system default congestion
control if not set (fate#318553).

- tcp: fix cwnd limited checking to improve congestion
control (bsc#988617).

- tcp: refresh skb timestamp at retransmit time

- timers: Use proper base migration in add_timer_on()

- tunnels: Do not apply GRO to multiple layers of
encapsulation (bsc#1001486).

- tunnels: Remove encapsulation offloads on decap

- Update patches.kabi/kabi.clockevents_unbind.patch

- uprobes: Fix the memcg accounting (bnc#931454).

- usb: fix typo in wMaxPacketSize validation (bsc#991665).

- usbhid: add ATEN CS962 to list of quirky devices

- usb: hub: Fix auto-remount of safely removed or ejected
USB-3 devices (bsc#922634).

- usb: validate wMaxPacketValue entries in endpoint
descriptors (bnc#991665).

- vmxnet3: Wake queue from reset work (bsc#999907).

- x86/tlb/trace: Do not trace on CPU that is offline (TLB
Performance git-fixes).

- xenbus: do not invoke ->is_ready() for most device
states (bsc#987333).

- xenbus: inspect the correct type in

- xen: Linux 3.12.63.

- xen: Linux 3.12.64.

- xen/pciback: Fix conf_space read/write overlap check.

- xen-pciback: return proper values during BAR sizing.

- xen: x86/mm/pat, /dev/mem: Remove superfluous error
message (bsc#974620).

- xfs: fixed signedness of error code in
xfs_inode_buf_verify (bsc#1003153).

- xfs: handle dquot buffer readahead in log recovery
correctly (bsc#955446).

- xfs: Silence warnings in xfs_vm_releasepage()
(bnc#915183 bsc#987565).

- xhci: silence warnings in switch (bnc#991665).

Solution :

Update the affected Linux Kernel packages.

Risk factor :

High / CVSS Base Score : 7.2

