openSUSE Security Update : the Linux Kernel (openSUSE-2017-246)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE Leap 42.1 kernel was updated to 4.1.38 to receive various
security and bug fixes.

The following security bugs were fixed :

- CVE-2016-7117: Use-after-free vulnerability in the
__sys_recvmmsg function in net/socket.c in the Linux
kernel allowed remote attackers to execute arbitrary
code via vectors involving a recvmmsg system call that
is mishandled during error processing (bnc#1003077).

- CVE-2017-5551: tmpfs: Fixed a bug that could have
allowed users to set setgid bits on files they don't
own (bsc#1021258).

- CVE-2016-10147: crypto/mcryptd.c in the Linux kernel
allowed local users to cause a denial of service (NULL
pointer dereference and system crash) by using an AF_ALG
socket with an incompatible algorithm, as demonstrated
by mcryptd(md5) (bnc#1020381).

- CVE-2016-10088: The sg implementation in the Linux
kernel did not properly restrict write operations in
situations where the KERNEL_DS option is set, which
allowed local users to read or write to arbitrary kernel
memory locations or cause a denial of service
(use-after-free) by leveraging access to a /dev/sg
device, related to block/bsg.c and drivers/scsi/sg.c.
NOTE: this vulnerability exists because of an incomplete
fix for CVE-2016-9576 (bnc#1017710).

- CVE-2016-7917: The nfnetlink_rcv_batch function in
net/netfilter/nfnetlink.c in the Linux kernel did not
check whether a batch message's length field is large
enough, which allowed local users to obtain sensitive
information from kernel memory or cause a denial of
service (infinite loop or out-of-bounds read) by
leveraging the CAP_NET_ADMIN capability (bnc#1010444).

- CVE-2016-8645: The TCP stack in the Linux kernel
mishandled skb truncation, which allowed local users to
cause a denial of service (system crash) via a crafted
application that made sendto system calls, related to
net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c
(bnc#1009969).

- CVE-2016-9806: Race condition in the netlink_dump
function in net/netlink/af_netlink.c in the Linux kernel
allowed local users to cause a denial of service (double
free) or possibly have unspecified other impact via a
crafted application that made sendmsg system calls,
leading to a free operation associated with a new dump
that started earlier than anticipated (bnc#1013540
1017589).

- CVE-2016-9793: The sock_setsockopt function in
net/core/sock.c in the Linux kernel mishandled negative
values of sk_sndbuf and sk_rcvbuf, which allowed local
users to cause a denial of service (memory corruption
and system crash) or possibly have unspecified other
impact by leveraging the CAP_NET_ADMIN capability for a
crafted setsockopt system call with the (1)
SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531
1013542).

The following non-security bugs were fixed :

- PCI: generic: Fix pci_remap_iospace() failure path
(bsc#1019658).

- bcache: partition support: add 16 minors per bcacheN
device (bsc#1019784).

- bnx2x: Correct ringparam estimate when DOWN
(bsc#1020214).

- clk: xgene: Do not call __pa on ioremaped address
(bsc#1019660).

- kABI workaround for 4.1.37 mount changes
(stable-4.1.37).

- kABI: reintroduce sk_filter (bsc#1009969).

- kabi/severities: Ignore the inode_change_ok change; it
was renamed in 4.1.37 to setattr_prepare().

- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
(bsc#1011820).

- net: introduce __sock_queue_rcv_skb() function
(bsc#1009969).

- netback: correct array index (bsc#983348).

- netfront: do not truncate grant references.

- netfront: use correct linear area after linearizing an
skb (bsc#1007886).

- reiserfs: fix race in prealloc discard (bsc#987576).

- rose: limit sk_filter trim to payload (bsc#1009969).

- scsi: bfa: Increase requested firmware version to
3.2.5.1 (bsc#1013273).

- xenbus: correctly signal errors from
xenstored_local_init() (luckily none so far).

- xenbus: do not invoke ->is_ready() for most device
states (bsc#987333).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1003077
https://bugzilla.opensuse.org/show_bug.cgi?id=1007886
https://bugzilla.opensuse.org/show_bug.cgi?id=1009969
https://bugzilla.opensuse.org/show_bug.cgi?id=1010444
https://bugzilla.opensuse.org/show_bug.cgi?id=1011820
https://bugzilla.opensuse.org/show_bug.cgi?id=1013273
https://bugzilla.opensuse.org/show_bug.cgi?id=1013531
https://bugzilla.opensuse.org/show_bug.cgi?id=1013540
https://bugzilla.opensuse.org/show_bug.cgi?id=1013542
https://bugzilla.opensuse.org/show_bug.cgi?id=1017589
https://bugzilla.opensuse.org/show_bug.cgi?id=1017710
https://bugzilla.opensuse.org/show_bug.cgi?id=1019658
https://bugzilla.opensuse.org/show_bug.cgi?id=1019660
https://bugzilla.opensuse.org/show_bug.cgi?id=1019784
https://bugzilla.opensuse.org/show_bug.cgi?id=1020214
https://bugzilla.opensuse.org/show_bug.cgi?id=1020381
https://bugzilla.opensuse.org/show_bug.cgi?id=1021258
https://bugzilla.opensuse.org/show_bug.cgi?id=983348
https://bugzilla.opensuse.org/show_bug.cgi?id=987333
https://bugzilla.opensuse.org/show_bug.cgi?id=987576

Solution :

Update the affected Linux Kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 97138

CVE ID: CVE-2016-10088
CVE-2016-10147
CVE-2016-7117
CVE-2016-7917
CVE-2016-8645
CVE-2016-9576
CVE-2016-9793
CVE-2016-9806
CVE-2017-5551