SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0437-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-94 to
receive various security and bug fixes. The following security bugs
were fixed :

- CVE-2017-5551: tmpfs: clear S_ISGID when setting posix
ACLs (bsc#1021258).

- CVE-2016-10088: The sg implementation in the Linux
kernel did not properly restrict write operations in
situations where the KERNEL_DS option is set, which
allowed local users to read or write to arbitrary kernel
memory locations or cause a denial of service
(use-after-free) by leveraging access to a /dev/sg
device. NOTE: this vulnerability existed because of an
incomplete fix for CVE-2016-9576 (bnc#1017710).

- CVE-2016-5696: TCP, when using a large Window Size, made
it easier for remote attackers to guess sequence numbers
and cause a denial of service (connection loss) to
persistent TCP connections by repeatedly injecting a TCP
RST packet, especially in protocols that use long-lived
connections, such as BGP (bnc#989152).

- CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x
provided an incomplete set of requirements for setattr
operations that underspecified removing extended
privilege attributes, which allowed local users to cause
a denial of service (capability stripping) via a failed
invocation of a system call, as demonstrated by using
chown to remove a capability from the ping or Wireshark
dumpcap program (bnc#914939).

- CVE-2016-8632: The tipc_msg_build function in
net/tipc/msg.c in the Linux kernel did not validate the
relationship between the minimum fragment length and the
maximum packet size, which allowed local users to gain
privileges or cause a denial of service (heap-based
buffer overflow) by leveraging the CAP_NET_ADMIN
capability (bnc#1008831).

- CVE-2016-8399: An elevation of privilege vulnerability
in the kernel networking subsystem could enable a local
malicious application to execute arbitrary code within
the context of the kernel. This issue is rated as
Moderate because it first requires compromising a
privileged process and current compiler optimizations
restrict access to the vulnerable code. (bnc#1014746).

- CVE-2016-9793: The sock_setsockopt function in
net/core/sock.c in the Linux kernel mishandled negative
values of sk_sndbuf and sk_rcvbuf, which allowed local
users to cause a denial of service (memory corruption
and system crash) or possibly have unspecified other
impact by leveraging the CAP_NET_ADMIN capability for a
crafted setsockopt system call with the (1)
SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option
(bnc#1013531).

- CVE-2012-6704: The sock_setsockopt function in
net/core/sock.c in the Linux kernel mishandled negative
values of sk_sndbuf and sk_rcvbuf, which allowed local
users to cause a denial of service (memory corruption
and system crash) or possibly have unspecified other
impact by leveraging the CAP_NET_ADMIN capability for a
crafted setsockopt system call with the (1) SO_SNDBUF or
(2) SO_RCVBUF option (bnc#1013542).

- CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux
kernel did not properly initialize Code Segment (CS) in
certain error cases, which allowed local users to obtain
sensitive information from kernel stack memory via a
crafted application (bnc#1013038).

- CVE-2016-9685: Multiple memory leaks in error paths in
fs/xfs/xfs_attr_list.c in the Linux kernel allowed local
users to cause a denial of service (memory consumption)
via crafted XFS filesystem operations (bnc#1012832).

- CVE-2015-8962: Double free vulnerability in the
sg_common_write function in drivers/scsi/sg.c in the
Linux kernel allowed local users to gain privileges or
cause a denial of service (memory corruption and system
crash) by detaching a device during an SG_IO ioctl call
(bnc#1010501).

- CVE-2016-9555: The sctp_sf_ootb function in
net/sctp/sm_statefuns.c in the Linux kernel lacked
chunk-length checking for the first chunk, which allowed
remote attackers to cause a denial of service
(out-of-bounds slab access) or possibly have unspecified
other impact via crafted SCTP data (bnc#1011685).

- CVE-2016-7910: Use-after-free vulnerability in the
disk_seqf_stop function in block/genhd.c in the Linux
kernel allowed local users to gain privileges by
leveraging the execution of a certain stop operation
even if the corresponding start operation had failed
(bnc#1010716).

- CVE-2016-7911: Race condition in the get_task_ioprio
function in block/ioprio.c in the Linux kernel allowed
local users to gain privileges or cause a denial of
service (use-after-free) via a crafted ioprio_get system
call (bnc#1010711).

- CVE-2013-6368: The KVM subsystem in the Linux kernel
allowed local users to gain privileges or cause a denial
of service (system crash) via a VAPIC synchronization
operation involving a page-end address (bnc#853052).

- CVE-2015-8964: The tty_set_termios_ldisc function in
drivers/tty/tty_ldisc.c in the Linux kernel allowed
local users to obtain sensitive information from kernel
memory by reading a tty data structure (bnc#1010507).

- CVE-2016-7916: Race condition in the environ_read
function in fs/proc/base.c in the Linux kernel allowed
local users to obtain sensitive information from kernel
memory by reading a /proc/*/environ file during a
process-setup time interval in which
environment-variable copying is incomplete
(bnc#1010467).

- CVE-2016-8646: The hash_accept function in
crypto/algif_hash.c in the Linux kernel allowed local
users to cause a denial of service (OOPS) by attempting
to trigger use of in-kernel hash algorithms for a socket
that has received zero bytes of data (bnc#1010150).

- CVE-2016-8633: drivers/firewire/net.c in the Linux
kernel, in certain unusual hardware configurations,
allowed remote attackers to execute arbitrary code via
crafted fragmented packets (bnc#1008833).

The following non-security bugs were fixed :

- 8250_pci: Fix potential use-after-free in error path
(bsc#1013070).

- KABI fix (bsc#1014410).

- apparmor: fix IRQ stack overflow during free_profile
(bsc#1009875).

- be2net: Do not leak iomapped memory on removal
(bug#925065).

- block_dev: do not test bdev->bd_contains when it is not
stable (bsc#1008557).

- bna: Add synchronization for tx ring (bsc#993739).

- bnx2x: Correct ringparam estimate when DOWN
(bsc#1020214).

- crypto: add ghash-generic in the
supported.conf (bsc#1016824).

- crypto: aesni - Add support for 192 & 256 bit keys to
AESNI RFC4106 (bsc#913387).

- dm: do not call dm_sync_table() when creating new
devices (bnc#901809).

- drm/mgag200: Added support for the new deviceID for
G200eW3 (bnc#1019348)

- ext3: Avoid premature failure of ext3_has_free_blocks()
(bsc#1016668).

- ext4: do not leave i_crtime.tv_sec uninitialized
(bsc#1013018).

- ext4: fix reference counting bug on block allocation
error (bsc#1013018).

- futex: Acknowledge a new waiter in counter before plist
(bsc#851603).

- futex: Drop refcount if requeue_pi() acquired the
rtmutex (bsc#851603).

- hpilo: Add support for iLO5 (bsc#999101).

- ibmveth: calculate gso_segs for large packets
(bsc#1019165).

- ibmveth: set correct gso_size and gso_type
(bsc#1019165).

- igb: Enable SR-IOV configuration via PCI sysfs interface
(bsc#909491 FATE#317388).

- igb: Fix NULL assignment to incorrect variable in
igb_reset_q_vector (bsc#795297 FATE#313656).

- igb: Fix oops caused by missing queue pairing
(bsc#909491 FATE#317388).

- igb: Fix oops on changing number of rings (bsc#909491
FATE#317388).

- igb: Remove unnecessary flag setting in
igb_set_flag_queue_pairs() (bsc#909491 FATE#317388).

- igb: Unpair the queues when changing the number of
queues (bsc#909491 FATE#317388).

- kexec: add a kexec_crash_loaded() function (bsc#973691).

- kvm: APIC: avoid instruction emulation for EOI writes
(bsc#989680).

- kvm: Distangle eventfd code from irqchip (bsc#989680).

- kvm: Iterate over only vcpus that are preempted
(bsc#989680).

- kvm: Record the preemption status of vcpus using preempt
notifiers (bsc#989680).

- kvm: VMX: Pass vcpu to __vmx_complete_interrupts
(bsc#989680).

- kvm: fold kvm_pit_timer into kvm_kpit_state
(bsc#989680).

- kvm: make processes waiting on vcpu mutex killable
(bsc#989680).

- kvm: nVMX: Add preemption timer support (bsc#989680).

- kvm: remove a wrong hack of delivery PIT intr to vcpu0
(bsc#989680).

- kvm: use symbolic constant for nr interrupts
(bsc#989680).

- kvm: x86: Remove support for reporting coalesced APIC
IRQs (bsc#989680).

- kvm: x86: Run PIT work in own kthread (bsc#989680).

- kvm: x86: limit difference between kvmclock updates
(bsc#989680).

- libata: introduce ata_host->n_tags to avoid oops on SAS
controllers (bsc#871728).

- libata: remove n_tags to avoid kABI breakage
(bsc#871728).

- libfc: Do not take rdata->rp_mutex when processing a
-FC_EX_CLOSED ELS response (bsc#962846).

- libfc: Fixup disc_mutex handling (bsc#962846).

- libfc: Issue PRLI after a PRLO has been received
(bsc#962846).

- libfc: Revisit kref handling (bnc#990245).

- libfc: Update rport reference counting (bsc#953233).

- libfc: do not send ABTS when resetting exchanges
(bsc#962846).

- libfc: fixup locking of ptp_setup() (bsc#962846).

- libfc: reset exchange manager during LOGO handling
(bsc#962846).

- libfc: send LOGO for PLOGI failure (bsc#962846).

- locking/mutex: Explicitly mark task as running after
wakeup (bsc#1012411).

- memstick: mspro_block: add missing curly braces
(bsc#1016688).

- mlx4: Fix error flow when sending mads under SRIOV
(bsc#786036 FATE#314304).

- mlx4: Fix incorrect MC join state bit-masking on SR-IOV
(bsc#786036 FATE#314304).

- mlx4: Fix memory leak if QP creation failed (bsc#786036
FATE#314304).

- mlx4: Fix potential deadlock when sending mad to wire
(bsc#786036 FATE#314304).

- mlx4: Forbid using sysfs to change RoCE pkeys
(bsc#786036 FATE#314304).

- mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
(bsc#786036 FATE#314304).

- mlx4: add missing braces in verify_qp_parameters
(bsc#786036 FATE#314304).

- mm/memory_hotplug.c: check for missing sections in
test_pages_in_a_zone() (bnc#961589).

- mm: fix crashes from mbind() merging vmas (bnc#1005877).

- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
(bsc#1011820).

- mremap: enforce rmap src/dst vma ordering in case of
vma_merge() succeeding in copy_vma() (bsc#1008645).

- net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
(bsc#786036 FATE#314304).

- net/mlx4_core: Allow resetting VF admin mac to zero
(bsc#919382 FATE#317529).

- net/mlx4_core: Avoid returning success in case of an
error flow (bsc#786036 FATE#314304).

- net/mlx4_core: Do not BUG_ON during reset when PCI is
offline (bsc#924708).

- net/mlx4_core: Do not access comm channel if it has not
yet been initialized (bsc#924708).

- net/mlx4_core: Fix error message deprecation for
ConnectX-2 cards (bsc#919382 FATE#317529).

- net/mlx4_core: Fix the resource-type enum in res tracker
to conform to FW spec (bsc#786036 FATE#314304).

- net/mlx4_core: Implement pci_resume callback
(bsc#924708).

- net/mlx4_core: Update the HCA core clock frequency after
INIT_PORT (bug#919382 FATE#317529).

- net/mlx4_en: Choose time-stamping shift value according
to HW frequency (bsc#919382 FATE#317529).

- net/mlx4_en: Fix HW timestamp init issue upon system
startup (bsc#919382 FATE#317529).

- net/mlx4_en: Fix potential deadlock in port statistics
flow (bsc#786036 FATE#314304).

- net/mlx4_en: Move filters cleanup to a proper location
(bsc#786036 FATE#314304).

- net/mlx4_en: Remove dependency between timestamping
capability and service_task (bsc#919382 FATE#317529).

- net/mlx4_en: fix spurious timestamping callbacks
(bsc#919382 FATE#317529).

- netfront: do not truncate grant references.

- nfsv4: Cap the transport reconnection timer at 1/2 lease
period (bsc#1014410).

- nfsv4: Cleanup the setting of the nfs4 lease period
(bsc#1014410).

- nfsv4: Handle timeouts correctly when probing for lease
validity (bsc#1014410).

- nvme: Automatic namespace rescan (bsc#1017686).

- nvme: Metadata format support (bsc#1017686).

- ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()
(bnc#1019783).

- posix-timers: Remove remaining uses of tasklist_lock
(bnc#997401).

- posix-timers: Use sighand lock instead of tasklist_lock
for task clock sample (bnc#997401).

- posix-timers: Use sighand lock instead of tasklist_lock
on timer deletion (bnc#997401).

- powerpc/MSI: Fix race condition in tearing down MSI
interrupts (bsc#1010201).

- powerpc/mm/hash64: Fix subpage protection with 4K HPTE
config (bsc#1010201).

- powerpc/numa: Fix multiple bugs in memory_hotplug_max()
(bsc#1010201).

- powerpc/pseries: Use H_CLEAR_HPT to clear MMU hash table
during kexec (bsc#1003813).

- powerpc: fix typo 'CONFIG_PPC_CPU' (bsc#1010201).

- powerpc: scan_features() updates incorrect bits for
REAL_LE (bsc#1010201).

- printk/sched: Introduce special printk_sched() for those
awkward (bsc#996541).

- ptrace: __ptrace_may_access() should not deny
sub-threads (bsc#1012851).

- qlcnic: fix a loop exit condition better (bsc#909350
FATE#317546).

- qlcnic: use the correct ring in
qlcnic_83xx_process_rcv_ring_diag() (bnc#800999
FATE#313899).

- reiserfs: fix race in prealloc discard (bsc#987576).

- rpm/constraints.in: Bump ppc64 disk requirements to fix
OBS builds again

- rpm/kernel-binary.spec.in: Export a make-stderr.log file
(bsc#1012422)

- rt2x00: fix rfkill regression on rt2500pci (bnc#748806).

- s390/zcrypt: kernel: Fix invalid domain response
handling (bsc#1016320).

- scsi: Fix erratic device offline during EH (bsc#993832).

- scsi: lpfc: Set elsiocb contexts to NULL after freeing
it (bsc#996557).

- scsi: lpfc: avoid double free of resource identifiers
(bsc#989896).

- scsi_error: count medium access timeout only once per EH
run (bsc#993832).

- scsi_error: fixup crash in scsi_eh_reset (bsc#993832)

- serial: 8250_pci: Detach low-level driver during PCI
error recovery (bsc#1013070).

- sunrpc: Enforce an upper limit on the number of cached
credentials (bsc#1012917).

- sunrpc: Fix reconnection timeouts (bsc#1014410).

- sunrpc: Fix two issues with drop_caches and the sunrpc
auth cache (bsc#1012917).

- sunrpc: Limit the reconnect backoff timer to the max RPC
message timeout (bsc#1014410).

- tcp: fix inet6_csk_route_req() for link-local addresses
(bsc#1010175).

- tcp: pass fl6 to inet6_csk_route_req() (bsc#1010175).

- tcp: plug dst leak in tcp_v6_conn_request()
(bsc#1010175).

- tcp: use inet6_csk_route_req() in tcp_v6_send_synack()
(bsc#1010175).

- tg3: Fix temperature reporting (bnc#790588 FATE#313912).

- usb: console: fix potential use after free
(bsc#1015817).

- usb: console: fix uninitialised ldisc semaphore
(bsc#1015817).

- usb: cp210x: Corrected USB request type definitions
(bsc#1015932).

- usb: cp210x: relocate private data from USB interface to
port (bsc#1015932).

- usb: cp210x: work around cp2108 GET_LINE_CTL bug
(bsc#1015932).

- usb: ftdi_sio: fix null deref at port probe
(bsc#1015796).

- usb: ipaq.c: fix a timeout loop (bsc#1015848).

- usb: opticon: fix non-atomic allocation in write path
(bsc#1015803).

- usb: option: fix runtime PM handling (bsc#1015752).

- usb: serial: cp210x: add 16-bit register access
functions (bsc#1015932).

- usb: serial: cp210x: add 8-bit and 32-bit register
access functions (bsc#1015932).

- usb: serial: cp210x: add new access functions for large
registers (bsc#1015932).

- usb: serial: cp210x: fix hardware flow-control disable
(bsc#1015932).

- usb: serial: fix potential use-after-free after failed
probe (bsc#1015828).

- usb: serial: io_edgeport: fix memory leaks in attach
error path (bsc#1016505).

- usb: serial: io_edgeport: fix memory leaks in probe
error path (bsc#1016505).

- usb: serial: keyspan: fix use-after-free in probe error
path (bsc#1016520).

- usb: sierra: fix AA deadlock in open error path
(bsc#1015561).

- usb: sierra: fix remote wakeup (bsc#1015561).

- usb: sierra: fix urb and memory leak in resume error
path (bsc#1015561).

- usb: sierra: fix urb and memory leak on disconnect
(bsc#1015561).

- usb: sierra: fix use after free at suspend/resume
(bsc#1015561).

- usb: usb_wwan: fix potential blocked I/O after resume
(bsc#1015760).

- usb: usb_wwan: fix race between write and resume
(bsc#1015760).

- usb: usb_wwan: fix urb leak at shutdown (bsc#1015760).

- usb: usb_wwan: fix urb leak in write error path
(bsc#1015760).

- usb: usb_wwan: fix write and suspend race (bsc#1015760).

- usbhid: add ATEN CS962 to list of quirky devices
(bsc#1007615).

- usblp: do not set TASK_INTERRUPTIBLE before lock
(bsc#1015844).

- xenbus: do not invoke is_ready() for most device states
(bsc#987333).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1003813
https://bugzilla.suse.com/1005877
https://bugzilla.suse.com/1007615
https://bugzilla.suse.com/1008557
https://bugzilla.suse.com/1008645
https://bugzilla.suse.com/1008831
https://bugzilla.suse.com/1008833
https://bugzilla.suse.com/1008893
https://bugzilla.suse.com/1009875
https://bugzilla.suse.com/1010150
https://bugzilla.suse.com/1010175
https://bugzilla.suse.com/1010201
https://bugzilla.suse.com/1010467
https://bugzilla.suse.com/1010501
https://bugzilla.suse.com/1010507
https://bugzilla.suse.com/1010711
https://bugzilla.suse.com/1010713
https://bugzilla.suse.com/1010716
https://bugzilla.suse.com/1011685
https://bugzilla.suse.com/1011820
https://bugzilla.suse.com/1012183
https://bugzilla.suse.com/1012411
https://bugzilla.suse.com/1012422
https://bugzilla.suse.com/1012832
https://bugzilla.suse.com/1012851
https://bugzilla.suse.com/1012852
https://bugzilla.suse.com/1012917
https://bugzilla.suse.com/1013018
https://bugzilla.suse.com/1013038
https://bugzilla.suse.com/1013042
https://bugzilla.suse.com/1013070
https://bugzilla.suse.com/1013531
https://bugzilla.suse.com/1013542
https://bugzilla.suse.com/1014410
https://bugzilla.suse.com/1014454
https://bugzilla.suse.com/1014746
https://bugzilla.suse.com/1015561
https://bugzilla.suse.com/1015752
https://bugzilla.suse.com/1015760
https://bugzilla.suse.com/1015796
https://bugzilla.suse.com/1015803
https://bugzilla.suse.com/1015817
https://bugzilla.suse.com/1015828
https://bugzilla.suse.com/1015844
https://bugzilla.suse.com/1015848
https://bugzilla.suse.com/1015878
https://bugzilla.suse.com/1015932
https://bugzilla.suse.com/1016320
https://bugzilla.suse.com/1016505
https://bugzilla.suse.com/1016520
https://bugzilla.suse.com/1016668
https://bugzilla.suse.com/1016688
https://bugzilla.suse.com/1016824
https://bugzilla.suse.com/1016831
https://bugzilla.suse.com/1017686
https://bugzilla.suse.com/1017710
https://bugzilla.suse.com/1019079
https://bugzilla.suse.com/1019148
https://bugzilla.suse.com/1019165
https://bugzilla.suse.com/1019348
https://bugzilla.suse.com/1019783
https://bugzilla.suse.com/1020214
https://bugzilla.suse.com/1021258
https://bugzilla.suse.com/748806
https://bugzilla.suse.com/786036
https://bugzilla.suse.com/790588
https://bugzilla.suse.com/795297
https://bugzilla.suse.com/800999
https://bugzilla.suse.com/821612
https://bugzilla.suse.com/824171
https://bugzilla.suse.com/851603
https://bugzilla.suse.com/853052
https://bugzilla.suse.com/871728
https://bugzilla.suse.com/901809
https://bugzilla.suse.com/909350
https://bugzilla.suse.com/909491
https://bugzilla.suse.com/913387
https://bugzilla.suse.com/914939
https://bugzilla.suse.com/919382
https://bugzilla.suse.com/924708
https://bugzilla.suse.com/925065
https://bugzilla.suse.com/953233
https://bugzilla.suse.com/961589
https://bugzilla.suse.com/962846
https://bugzilla.suse.com/969340
https://bugzilla.suse.com/973691
https://bugzilla.suse.com/987333
https://bugzilla.suse.com/987576
https://bugzilla.suse.com/989152
https://bugzilla.suse.com/989680
https://bugzilla.suse.com/989896
https://bugzilla.suse.com/990245
https://bugzilla.suse.com/992991
https://bugzilla.suse.com/993739
https://bugzilla.suse.com/993832
https://bugzilla.suse.com/996541
https://bugzilla.suse.com/996557
https://bugzilla.suse.com/997401
https://bugzilla.suse.com/999101
https://www.suse.com/security/cve/CVE-2004-0230.html
https://www.suse.com/security/cve/CVE-2012-6704.html
https://www.suse.com/security/cve/CVE-2013-6368.html
https://www.suse.com/security/cve/CVE-2015-1350.html
https://www.suse.com/security/cve/CVE-2015-8962.html
https://www.suse.com/security/cve/CVE-2015-8964.html
https://www.suse.com/security/cve/CVE-2016-10088.html
https://www.suse.com/security/cve/CVE-2016-5696.html
https://www.suse.com/security/cve/CVE-2016-7910.html
https://www.suse.com/security/cve/CVE-2016-7911.html
https://www.suse.com/security/cve/CVE-2016-7916.html
https://www.suse.com/security/cve/CVE-2016-8399.html
https://www.suse.com/security/cve/CVE-2016-8632.html
https://www.suse.com/security/cve/CVE-2016-8633.html
https://www.suse.com/security/cve/CVE-2016-8646.html
https://www.suse.com/security/cve/CVE-2016-9555.html
https://www.suse.com/security/cve/CVE-2016-9685.html
https://www.suse.com/security/cve/CVE-2016-9756.html
https://www.suse.com/security/cve/CVE-2016-9793.html
https://www.suse.com/security/cve/CVE-2017-5551.html
http://www.nessus.org/u?c2478355

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-kernel-12977=1

SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-kernel-12977=1

SUSE Linux Enterprise Server 11-EXTRA:
zypper in -t patch slexsp3-kernel-12977=1

SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-kernel-12977=1

To bring your system up-to-date, use 'zypper patch'.
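As an added example (not part of the Tenable plugin or the SUSE advisory), a POSIX sh check that compares a running kernel release string, as printed by uname -r, with the fixed version 3.0.101-94 named above, so an administrator can confirm locally whether this update is in place; the version_lt and kernel_update_status function names are this example's own.

```shell
#!/bin/sh
# Fixed kernel version for SUSE-SU-2017:0437-1, taken from the advisory text.
FIXED_KERNEL="3.0.101-94"

# version_lt A B: exit status 0 when version A sorts before version B.
# Components are split on '.' and '-' and compared numerically; a missing
# component counts as 0, and a non-numeric flavour suffix such as
# "-default" (present in uname -r output on SLES) also compares as 0,
# so "3.0.101-94-default" is equal to, not older than, "3.0.101-94".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # all components equal: A is not older than B
    }'
}

# kernel_update_status RELEASE: prints "MISSING: ..." when the given kernel
# release is older than the fixed version, otherwise "OK: ...".
kernel_update_status() {
    if version_lt "$1" "$FIXED_KERNEL"; then
        echo "MISSING: kernel $1 is older than $FIXED_KERNEL (SUSE-SU-2017:0437-1 not applied)"
    else
        echo "OK: kernel $1 is at or above $FIXED_KERNEL"
    fi
}

# Check the running kernel, or a release string passed as the first argument.
kernel_update_status "${1:-$(uname -r)}"
```

On a SLES 11 SP4 host that has not rebooted into the new kernel, uname -r still reports the old release, so this check reflects the kernel actually running rather than the installed package.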

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true