Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2523)

Medium Nessus Plugin ID 68853

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[2.6.39-400.23.1.el6uek]
- Parallel mtrr init between cpus (Zhenzhong Duan) [Orabug: 16777774]
- Merge tag 'v2.6.39-400.21.1.16748891' of git://ca-git.us.oracle.com/linux-uek-2.6.39-ofed into uek-2.6.39-400 (Maxim Uvarov) [Orabug: 16748891]
- xen-blkfront: use a different scatterlist for each request (Roger Pau Monne)
- Fix EN driver to work with newer FWs based on latest mlx4_core (Yuval Shaia) [Orabug: 16748891]

[2.6.39-400.22.1.el6uek]
- block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387137] {CVE-2012-4542}
- Merge tag 'v2.6.39-400.21.1#bug16684527' of git://ca-git.us.oracle.com/linux-joejin-public into uek-2.6.39-400_errata (Maxim Uvarov) [Orabug: 16684527]
- KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) (Andy Honig) [Orabug: 16711660] {CVE-2013-1797}
- Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711065] {CVE-2013-0349}
- USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425358] {CVE-2013-1774}
- keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493354] {CVE-2013-1792}
- KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710951] {CVE-2013-1798}
- KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Andy Honig) [Orabug: 16710806] {CVE-2013-1796}
- tmpfs: fix use-after-free of mempolicy object (Greg Thelen) [Orabug: 16515833] {CVE-2013-1767}
- procfs: do not confuse jiffies with cputime64_t (Andreas Schwab) [Orabug: 16673925]
- procfs: do not overflow get_{idle,iowait}_time for nohz (Michal Hocko) [Orabug: 16673925]
- xen/evtchn: Handle VIRQ_TIMER before any other hardirq in event loop. (Keir Fraser) [Orabug: 16093126]
- Fix device removal NULL pointer dereference (Joe Jin) [Orabug: 16684527]
- put stricter guards on queue dead checks (James Bottomley) [Orabug: 16684527]

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2013-May/003458.html

https://oss.oracle.com/pipermail/el-errata/2013-May/003459.html

Plugin Details

Severity: Medium

ID: 68853

File Name: oraclelinux_ELSA-2013-2523.nasl

Version: 1.9

Type: local

Agent: unix

Published: 2013/07/12

Updated: 2019/04/01

Dependencies: 12634, 122878

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, cpe:/o:oracle:linux:5, cpe:/o:oracle:linux:6

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/05/10

Vulnerability Publication Date: 2013/02/28

Reference Information

CVE: CVE-2012-4542, CVE-2013-0349, CVE-2013-1767, CVE-2013-1774, CVE-2013-1792, CVE-2013-1796, CVE-2013-1797, CVE-2013-1798

BID: 58088, 58112, 58177, 58202, 58368, 58604, 58605, 58607