openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various
security issues and bugs.

The following security bugs were fixed :

- CVE-2017-7184: The xfrm_replay_verify_len function in
net/xfrm/xfrm_user.c in the Linux kernel did not
validate certain size data after an XFRM_MSG_NEWAE
update, which allowed local users to obtain root
privileges or cause a denial of service (heap-based
out-of-bounds access) by leveraging the CAP_NET_ADMIN
capability, as demonstrated during a Pwn2Own competition
at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*
package (bnc#1030573).

- CVE-2016-10200: Race condition in the L2TPv3 IP
Encapsulation feature in the Linux kernel allowed local
users to gain privileges or cause a denial of service
(use-after-free) by making multiple bind system calls
without properly ascertaining whether a socket has the
SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and
net/l2tp/l2tp_ip6.c (bnc#1028415).

- CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in
the Linux kernel allowed local users to gain privileges
or cause a denial of service (double free) by setting
the HDLC line discipline (bnc#1027565).

- CVE-2017-6345: The LLC subsystem in the Linux kernel did
not ensure that a certain destructor exists in required
circumstances, which allowed local users to cause a
denial of service (BUG_ON) or possibly have unspecified
other impact via crafted system calls (bnc#1027190).

- CVE-2017-6346: Race condition in net/packet/af_packet.c
in the Linux kernel allowed local users to cause a
denial of service (use-after-free) or possibly have
unspecified other impact via a multithreaded application
that made PACKET_FANOUT setsockopt system calls

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did
not properly restrict association peel-off operations
during certain wait states, which allowed local users to
cause a denial of service (invalid unlock and double
free) via a multithreaded application. NOTE: this
vulnerability exists because of an incorrect fix for
CVE-2017-5986 (bnc#1025235).

- CVE-2017-6214: The tcp_splice_read function in
net/ipv4/tcp.c in the Linux kernel allowed remote
attackers to cause a denial of service (infinite loop
and soft lockup) via vectors involving a TCP packet with
the URG flag (bnc#1026722).

- CVE-2016-2117: The atl2_probe function in
drivers/net/ethernet/atheros/atlx/atl2.c in the Linux
kernel incorrectly enables scatter/gather I/O, which
allowed remote attackers to obtain sensitive information
from kernel memory by reading packet data (bnc#968697).

- CVE-2017-6347: The ip_cmsg_recv_checksum function in
net/ipv4/ip_sockglue.c in the Linux kernel has incorrect
expectations about skb data layout, which allowed local
users to cause a denial of service (buffer over-read) or
possibly have unspecified other impact via crafted
system calls, as demonstrated by use of the MSG_MORE
flag in conjunction with loopback UDP transmission

- CVE-2016-9191: The cgroup offline implementation in the
Linux kernel mishandled certain drain operations, which
allowed local users to cause a denial of service (system
hang) by leveraging access to a container environment
for executing a crafted application, as demonstrated by
trinity (bnc#1008842).

- CVE-2017-2596: The nested_vmx_check_vmptr function in
arch/x86/kvm/vmx.c in the Linux kernel improperly
emulates the VMXON instruction, which allowed KVM L1
guest OS users to cause a denial of service (host OS
memory consumption) by leveraging the mishandling of
page references (bnc#1022785).

The following non-security bugs were fixed :

- ACPI: Do not create a platform_device for IOAPIC/IOxAPIC

- ACPI, ioapic: Clear on-stack resource before using it

- ACPI: Remove platform devices from a bus on removal

- add mainline tag to one hyperv patch

- bnx2x: allow adding VLANs while interface is down

- btrfs: backref: Fix soft lockup in __merge_refs function

- btrfs: incremental send, do not delay rename when parent
inode is new (bsc#1028325).

- btrfs: incremental send, do not issue invalid rmdir
operations (bsc#1028325).

- btrfs: qgroup: Move half of the qgroup accounting time
out of commit trans (bsc#1017461).

- btrfs: send, fix failure to rename top level inode due
to name collision (bsc#1028325).

- btrfs: serialize subvolume mounts with potentially
mismatching rw flags (bsc#951844 bsc#1024015)

- crypto: algif_hash - avoid zero-sized array

- cxgb4vf: do not offload Rx checksums for IPv6 fragments

- drivers: hv: vmbus: Prevent sending data on a rescinded
channel (fate#320485, bug#1028217).

- drm/i915: Add intel_uncore_suspend / resume functions

- drm/i915: Listen for PMIC bus access notifications

- drm/mgag200: Added support for the new device G200eH3
(bsc#1007959, fate#322780)

- ext4: fix fencepost in s_first_meta_bg validation

- Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

- futex: Add missing error handling to FUTEX_REQUEUE_PI

- futex: Fix potential use-after-free in FUTEX_REQUEUE_PI

- i2c: designware-baytrail: Acquire P-Unit access on bus
acquire (bsc#1011913).

- i2c: designware-baytrail: Call
pmic_bus_access_notifier_chain (bsc#1011913).

- i2c: designware-baytrail: Fix race when resetting the
semaphore (bsc#1011913).

- i2c: designware-baytrail: Only check
iosf_mbi_available() for shared hosts (bsc#1011913).

- i2c: designware: Disable pm for PMIC i2c-bus even if
there is no _SEM method (bsc#1011913).

- i2c-designware: increase timeout (bsc#1011913).

- i2c: designware: Never suspend i2c-busses used for
accessing the system PMIC (bsc#1011913).

- i2c: designware: Rename accessor_flags to flags

- kABI: protect struct iscsi_conn (kabi).

- kABI: protect struct se_node_acl (kabi).

- kABI: restore can_rx_register parameters (kabi).

- kgr/module: make a taint flag module-specific

- kgr: remove all arch-specific kgraft header files

- l2tp: fix address test in __l2tp_ip6_bind_lookup()

- l2tp: fix lookup for sockets not bound to a device in
l2tp_ip (bsc#1028415).

- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6
bind() (bsc#1028415).

- l2tp: hold socket before dropping lock in l2tp_ip{,
6}_recv() (bsc#1028415).

- l2tp: lock socket before checking flags in connect()

- md/raid1: add rcu protection to rdev in fix_read_error
(References: bsc#998106,bsc#1020048,bsc#982783).

- md/raid1: fix a use-after-free bug

- md/raid1: handle flush request correctly

- md/raid1: Refactor raid1_make_request

- mm: fix set pageblock migratetype in deferred struct
page init (bnc#1027195).

- mm/page_alloc: Remove useless parameter of
__free_pages_boot_core (bnc#1027195).

- module: move add_taint_module() to a header file

- net/ena: change condition for host attribute
configuration (bsc#1026509).

- net/ena: change driver's default timeouts (bsc#1026509).

- net: ena: change the return type of ena_set_push_mode()
to be void (bsc#1026509).

- net: ena: Fix error return code in ena_device_init()

- net/ena: fix ethtool RSS flow configuration

- net/ena: fix NULL dereference when removing the driver
after device reset failed (bsc#1026509).

- net/ena: fix potential access to freed memory during
device reset (bsc#1026509).

- net/ena: fix queues number calculation (bsc#1026509).

- net/ena: fix RSS default hash configuration

- net/ena: reduce the severity of ena printouts

- net/ena: refactor ena_get_stats64 to be atomic context
safe (bsc#1026509).

- net/ena: remove ntuple filter support from device
feature list (bsc#1026509).

- net: ena: remove superfluous check in ena_remove()

- net: ena: Remove unnecessary pci_set_drvdata()

- net/ena: update driver version to 1.1.2 (bsc#1026509).

- net/ena: use READ_ONCE to access completion descriptors

- net: ena: use setup_timer() and mod_timer()

- net/mlx4_core: Avoid command timeouts during VF driver
device shutdown (bsc#1028017).

- net/mlx4_core: Avoid delays during VF driver device
shutdown (bsc#1028017).

- net/mlx4_core: Fix racy CQ (Completion Queue) free

- net/mlx4_core: Fix when to save some qp context flags
for dynamic VST to VGT transitions (bsc#1028017).

- net/mlx4_core: Use cq quota in SRIOV when creating
completion EQs (bsc#1028017).

- net/mlx4_en: Fix bad WQE issue (bsc#1028017).

- NFS: do not try to cross a mountpount when there isn't
one there (bsc#1028041).

- nvme: Do not suspend admin queue that wasn't created

- nvme: Suspend all queues before deletion (bsc#1026505).

- PCI: hv: Fix wslot_to_devfn() to fix warnings on device
removal (fate#320485, bug#1028217).

- PCI: hv: Use device serial number as PCI domain
(fate#320485, bug#1028217).

- powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

- RAID1: a new I/O barrier implementation to remove resync
window (bsc#998106,bsc#1020048,bsc#982783).

- RAID1: avoid unnecessary spin locks in I/O barrier code

- Revert 'give up on gcc ilog2() constant optimizations'

- Revert 'net: introduce device min_header_len' (kabi).

- Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown
flow' (bsc#1028017).

- Revert 'nfit, libnvdimm: fix interleave set cookie
calculation' (kabi).

- Revert 'RDMA/core: Fix incorrect structure packing for
booleans' (kabi).

- Revert 'target: Fix NULL dereference during LUN lookup +
active I/O shutdown' (kabi).

- rtlwifi: rtl_usb: Fix missing entry in USB driver's
private data (bsc#1026462).

- s390/kmsg: add missing kmsg descriptions (bnc#1025683,

- s390/mm: fix zone calculation in arch_add_memory()
(bnc#1025683, LTC#152318).

- sched/loadavg: Avoid loadavg spikes caused by delayed
NO_HZ accounting (bsc#1018419).

- scsi_dh_alua: Do not modify the interval value for
retries (bsc#1012910).

- scsi: do not print 'reservation conflict' for TEST UNIT
READY (bsc#1027054).

- softirq: Let ksoftirqd do its job (bsc#1019618).

- supported.conf: Add tcp_westwood as supported module

- taint/module: Clean up global and module taint flags
handling (fate#313296).

- Update mainline reference in
t_fb_create.patch See (bsc#1028158) for the context in
which this was discovered upstream.

- x86/apic/uv: Silence a shift wrapping warning

- x86/mce: Do not print MCEs when mcelog is active

- x86, mm: fix gup_pte_range() vs DAX mappings

- x86/mm/gup: Simplify get_user_pages() PTE bit handling

- x86/platform/intel/iosf_mbi: Add a mutex for P-Unit
access (bsc#1011913).

- x86/platform/intel/iosf_mbi: Add a PMIC bus access
notifier (bsc#1011913).

- x86/platform: Remove warning message for duplicate NMI
handlers (bsc#1029220).

- x86/platform/UV: Add basic CPU NMI health check

- x86/platform/UV: Add Support for UV4 Hubless NMIs

- x86/platform/UV: Add Support for UV4 Hubless systems

- x86/platform/UV: Clean up the NMI code to match current
coding style (bsc#1023866).

- x86/platform/UV: Clean up the UV APIC code

- x86/platform/UV: Ensure uv_system_init is called when
necessary (bsc#1023866).

- x86/platform/UV: Fix 2 socket config problem

- x86/platform/UV: Fix panic with missing UVsystab support

- x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be
NMI source (bsc#1023866).

- x86/platform/UV: Verify NMI action is valid, default is
standard (bsc#1023866).

- xen-blkfront: correct maximum segment accounting

- xen-blkfront: do not call talk_to_blkback when already
connected to blkback.

- xen/blkfront: Fix crash if backend does not follow the
right states.

- xen-blkfront: free resources if xlvbd_alloc_gendisk

- xen/netback: set default upper limit of tx/rx queues to
8 (bnc#1019163).

- xen/netfront: set default upper limit of tx/rx queues to
8 (bnc#1019163).

- xfs: do not take the IOLOCK exclusive for direct I/O
page invalidation (bsc#1015609).

See also :

Solution :

Update the affected the Linux Kernel packages.

Risk factor :

High / CVSS Base Score : 7.2

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now