SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 8263 / 8265 / 8273)

high Nessus Plugin ID 70039
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.9

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 2 kernel has been updated to version 3.0.93 and includes various bug and security fixes.

The following security bugs have been fixed :

- The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. (CVE-2013-2148)

- The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. (CVE-2013-2237)

- The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
(CVE-2013-2232)

- The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. (CVE-2013-2234)

- The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel made an incorrect function call for pending data, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
(CVE-2013-4162)

- net/ceph/auth_none.c in the Linux kernel allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
(CVE-2013-1059)

- The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.
(CVE-2013-2164)

- Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. (CVE-2013-2851)

- The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel did not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allowed local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163)

- Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. (CVE-2013-1929)

- The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel did not validate block numbers, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map. (CVE-2013-1819)

- The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.
(CVE-2013-1774)

Also the following bugs have been fixed :

BTRFS :

- btrfs: merge contiguous regions when loading free space cache

- btrfs: fix how we deal with the orphan block rsv

- btrfs: fix wrong check during log recovery

- btrfs: change how we indicate we are adding csums

- btrfs: flush delayed inodes if we are short on space.
(bnc#801427)

- btrfs: rework shrink_delalloc. (bnc#801427)

- btrfs: fix our overcommit math. (bnc#801427)

- btrfs: delay block group item insertion. (bnc#801427)

- btrfs: remove bytes argument from do_chunk_alloc.
(bnc#801427)

- btrfs: run delayed refs first when out of space.
(bnc#801427)

- btrfs: do not commit instead of overcommitting.
(bnc#801427)

- btrfs: do not take inode delalloc mutex if we are a free space inode. (bnc#801427)

- btrfs: fix chunk allocation error handling. (bnc#801427)

- btrfs: remove extent mapping if we fail to add chunk.
(bnc#801427)

- btrfs: do not overcommit if we do not have enough space for global rsv. (bnc#801427)

- btrfs: rework the overcommit logic to be based on the total size. (bnc#801427)

- btrfs: steal from global reserve if we are cleaning up orphans. (bnc#801427)

- btrfs: clear chunk_alloc flag on retryable failure.
(bnc#801427)

- btrfs: use reserved space for creating a snapshot.
(bnc#801427)

- btrfs: cleanup to make the function btrfs_delalloc_reserve_metadata more logic. (bnc#801427)

- btrfs: fix space leak when we fail to reserve metadata space. (bnc#801427)

- btrfs: fix space accounting for unlink and rename.
(bnc#801427)

- btrfs: allocate new chunks if the space is not enough for global rsv. (bnc#801427)

- btrfs: various abort cleanups. (bnc#812526 / bnc#801427)

- btrfs: simplify unlink reservations (bnc#801427). OTHER :

- x86: Add workaround to NMI iret woes. (bnc#831949)

- x86: Do not schedule while still in NMI context.
(bnc#831949)

- bnx2x: Avoid sending multiple statistics queries.
(bnc#814336)

- bnx2x: protect different statistics flows. (bnc#814336)

- futex: Take hugepages into account when generating futex_key.

- drivers/hv: util: Fix a bug in version negotiation code for util services. (bnc#828714)

- printk: Add NMI ringbuffer. (bnc#831949)

- printk: extract ringbuffer handling from vprintk.
(bnc#831949)

- printk: NMI safe printk. (bnc#831949)

- printk: Make NMI ringbuffer size independent on log_buf_len. (bnc#831949)

- printk: Do not call console_unlock from nmi context.
(bnc#831949)

- printk: Do not use printk_cpu from finish_printk.
(bnc#831949)

- mlx4_en: Adding 40gb speed report for ethtool.
(bnc#831410)

- reiserfs: Fixed double unlock in reiserfs_setattr failure path.

- reiserfs: delay reiserfs lock until journal initialization. (bnc#815320)

- reiserfs: do not lock journal_init(). (bnc#815320)

- reiserfs: locking, handle nested locks properly.
(bnc#815320)

- reiserfs: locking, push write lock out of xattr code.
(bnc#815320)

- reiserfs: locking, release lock around quota operations.
(bnc#815320)

- NFS: support 'nosharetransport' option (bnc#807502, bnc#828192, FATE#315593).

- dm mpath: add retain_attached_hw_handler feature.
(bnc#760407)

- scsi_dh: add scsi_dh_attached_handler_name. (bnc#760407)

- bonding: disallow change of MAC if fail_over_mac enabled. (bnc#827376)

- bonding: propagate unicast lists down to slaves.
(bnc#773255 / bnc#827372)

- bonding: emit address change event also in bond_release.
(bnc#773255 / bnc#827372)

- bonding: emit event when bonding changes MAC.
(bnc#773255 / bnc#827372)

- SUNRPC: Ensure we release the socket write lock if the rpc_task exits early. (bnc#830901)

- ext4: force read-only unless rw=1 module option is used (fate#314864).

- HID: fix unused rsize usage. (bnc#783475)

- HID: fix data access in implement(). (bnc#783475)

- xfs: fix deadlock in xfs_rtfree_extent with kernel v3.x.
(bnc#829622)

- r8169: allow multicast packets on sub-8168f chipset.
(bnc#805371)

- r8169: support new chips of RTL8111F. (bnc#805371)

- r8169: define the early size for 8111evl. (bnc#805371)

- r8169: fix the reset setting for 8111evl. (bnc#805371)

- r8169: add MODULE_FIRMWARE for the firmware of 8111evl.
(bnc#805371)

- r8169: fix sticky accepts packet bits in RxConfig.
(bnc#805371)

- r8169: adjust the RxConfig settings. (bnc#805371)

- r8169: support RTL8111E-VL. (bnc#805371)

- r8169: add ERI functions. (bnc#805371)

- r8169: modify the flow of the hw reset. (bnc#805371)

- r8169: adjust some registers. (bnc#805371)

- r8169: check firmware content sooner. (bnc#805371)

- r8169: support new firmware format. (bnc#805371)

- r8169: explicit firmware format check. (bnc#805371)

- r8169: move the firmware down into the device private data. (bnc#805371)

- mm: link_mem_sections make sure nmi watchdog does not trigger while linking memory sections. (bnc#820434)

- kernel: lost IPIs on CPU hotplug (bnc#825048, LTC#94784).

- iwlwifi: use correct supported firmware for 6035 and 6000g2. (bnc#825887)

- watchdog: Update watchdog_thresh atomically.
(bnc#829357)

- watchdog: update watchdog_tresh properly. (bnc#829357)

- watchdog:
watchdog-make-disable-enable-hotplug-and-preempt-save.pa tch. (bnc#829357)

- include/1/smp.h: define __smp_call_function_single for !CONFIG_SMP. (bnc#829357)

- lpfc: Return correct error code on bsg_timeout.
(bnc#816043)

- dm-multipath: Drop table when retrying ioctl.
(bnc#808940)

- scsi: Do not retry invalid function error. (bnc#809122)

- scsi: Always retry internal target error. (bnc#745640, bnc#825227)

- ibmvfc: Driver version 1.0.1. (bnc#825142)

- ibmvfc: Fix for offlining devices during error recovery.
(bnc#825142)

- ibmvfc: Properly set cancel flags when cancelling abort.
(bnc#825142)

- ibmvfc: Send cancel when link is down. (bnc#825142)

- ibmvfc: Support FAST_IO_FAIL in EH handlers.
(bnc#825142)

- ibmvfc: Suppress ABTS if target gone. (bnc#825142)

- fs/dcache.c: add cond_resched() to shrink_dcache_parent(). (bnc#829082)

- kmsg_dump: do not run on non-error paths by default.
(bnc#820172)

- mm: honor min_free_kbytes set by user. (bnc#826960)

- hyperv: Fix a kernel warning from netvsc_linkstatus_callback(). (bnc#828574)

- RT: Fix up hardening patch to not gripe when avg > available, which lockless access makes possible and happens in -rt kernels running a cpubound ltp realtime testcase. Just keep the output sane in that case.

- md/raid10: Fix two bug affecting RAID10 reshape (-).

- Allow NFSv4 to run execute-only files. (bnc#765523)

- fs/ocfs2/namei.c: remove unnecessary ERROR when removing non-empty directory. (bnc#819363)

- block: Reserve only one queue tag for sync IO if only 3 tags are available. (bnc#806396)

- drm/i915: Add wait_for in init_ring_common. (bnc#813604)

- drm/i915: Mark the ringbuffers as being in the GTT domain. (bnc#813604)

- ext4: avoid hang when mounting non-journal filesystems with orphan list. (bnc#817377)

- autofs4 - fix get_next_positive_subdir(). (bnc#819523)

- ocfs2: Add bits_wanted while calculating credits in ocfs2_calc_extend_credits. (bnc#822077)

- re-enable io tracing. (bnc#785901)

- SUNRPC: Prevent an rpc_task wakeup race. (bnc#825591)

- tg3: Prevent system hang during repeated EEH errors.
(bnc#822066)

- backends: Check for insane amounts of requests on the ring.

- Update Xen patches to 3.0.82.

- netiucv: Hold rtnl between name allocation and device registration. (bnc#824159)

- drm/edid: Do not print messages regarding stereo or csync by default. (bnc#821235)

- net/sunrpc: xpt_auth_cache should be ignored when expired. (bnc#803320)

- sunrpc/cache: ensure items removed from cache do not have pending upcalls. (bnc#803320)

- sunrpc/cache: remove races with queuing an upcall.
(bnc#803320)

- sunrpc/cache: use cache_fresh_unlocked consistently and correctly. (bnc#803320)

- md/raid10 'enough' fixes. (bnc#773837)

- Update config files: disable IP_PNP. (bnc#822825)

- Disable efi pstore by default. (bnc#804482 / bnc#820172)

- md: Fix problem with GET_BITMAP_FILE returning wrong status. (bnc#812974 / bnc#823497)

- USB: xHCI: override bogus bulk wMaxPacketSize values.
(bnc#823082)

- ALSA: hda - Fix system panic when DMA > 40 bits for Nvidia audio controllers. (bnc#818465)

- USB: UHCI: fix for suspend of virtual HP controller.
(bnc#817035)

- mm: mmu_notifier: re-fix freed page still mapped in secondary MMU. (bnc#821052)

Solution

Apply SAT patch number 8263 / 8265 / 8273 as appropriate.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=745640

https://bugzilla.novell.com/show_bug.cgi?id=760407

https://bugzilla.novell.com/show_bug.cgi?id=765523

https://bugzilla.novell.com/show_bug.cgi?id=773006

https://bugzilla.novell.com/show_bug.cgi?id=773255

https://bugzilla.novell.com/show_bug.cgi?id=773837

https://bugzilla.novell.com/show_bug.cgi?id=783475

https://bugzilla.novell.com/show_bug.cgi?id=785901

https://bugzilla.novell.com/show_bug.cgi?id=789010

https://bugzilla.novell.com/show_bug.cgi?id=801427

https://bugzilla.novell.com/show_bug.cgi?id=803320

https://bugzilla.novell.com/show_bug.cgi?id=804482

https://bugzilla.novell.com/show_bug.cgi?id=805371

https://bugzilla.novell.com/show_bug.cgi?id=806396

https://bugzilla.novell.com/show_bug.cgi?id=806976

https://bugzilla.novell.com/show_bug.cgi?id=807471

https://bugzilla.novell.com/show_bug.cgi?id=807502

https://bugzilla.novell.com/show_bug.cgi?id=808940

https://bugzilla.novell.com/show_bug.cgi?id=809122

https://bugzilla.novell.com/show_bug.cgi?id=812526

https://bugzilla.novell.com/show_bug.cgi?id=812974

https://bugzilla.novell.com/show_bug.cgi?id=813604

https://bugzilla.novell.com/show_bug.cgi?id=813733

https://bugzilla.novell.com/show_bug.cgi?id=814336

https://bugzilla.novell.com/show_bug.cgi?id=815320

https://bugzilla.novell.com/show_bug.cgi?id=816043

https://bugzilla.novell.com/show_bug.cgi?id=817035

https://bugzilla.novell.com/show_bug.cgi?id=817377

https://bugzilla.novell.com/show_bug.cgi?id=818465

https://bugzilla.novell.com/show_bug.cgi?id=819363

https://bugzilla.novell.com/show_bug.cgi?id=819523

https://bugzilla.novell.com/show_bug.cgi?id=820172

https://bugzilla.novell.com/show_bug.cgi?id=820434

https://bugzilla.novell.com/show_bug.cgi?id=821052

https://bugzilla.novell.com/show_bug.cgi?id=821235

https://bugzilla.novell.com/show_bug.cgi?id=822066

https://bugzilla.novell.com/show_bug.cgi?id=822077

https://bugzilla.novell.com/show_bug.cgi?id=822575

https://bugzilla.novell.com/show_bug.cgi?id=822825

https://bugzilla.novell.com/show_bug.cgi?id=823082

https://bugzilla.novell.com/show_bug.cgi?id=823342

https://bugzilla.novell.com/show_bug.cgi?id=823497

https://bugzilla.novell.com/show_bug.cgi?id=823517

https://bugzilla.novell.com/show_bug.cgi?id=824159

https://bugzilla.novell.com/show_bug.cgi?id=824295

https://bugzilla.novell.com/show_bug.cgi?id=824915

https://bugzilla.novell.com/show_bug.cgi?id=825048

https://bugzilla.novell.com/show_bug.cgi?id=825142

https://bugzilla.novell.com/show_bug.cgi?id=825227

https://bugzilla.novell.com/show_bug.cgi?id=825591

https://bugzilla.novell.com/show_bug.cgi?id=825657

https://bugzilla.novell.com/show_bug.cgi?id=825887

https://bugzilla.novell.com/show_bug.cgi?id=826350

https://bugzilla.novell.com/show_bug.cgi?id=826960

https://bugzilla.novell.com/show_bug.cgi?id=827372

https://bugzilla.novell.com/show_bug.cgi?id=827376

https://bugzilla.novell.com/show_bug.cgi?id=827378

https://bugzilla.novell.com/show_bug.cgi?id=827749

https://bugzilla.novell.com/show_bug.cgi?id=827750

https://bugzilla.novell.com/show_bug.cgi?id=828119

https://bugzilla.novell.com/show_bug.cgi?id=828192

https://bugzilla.novell.com/show_bug.cgi?id=828574

https://bugzilla.novell.com/show_bug.cgi?id=828714

https://bugzilla.novell.com/show_bug.cgi?id=829082

https://bugzilla.novell.com/show_bug.cgi?id=829357

https://bugzilla.novell.com/show_bug.cgi?id=829622

https://bugzilla.novell.com/show_bug.cgi?id=830901

https://bugzilla.novell.com/show_bug.cgi?id=831055

https://bugzilla.novell.com/show_bug.cgi?id=831058

https://bugzilla.novell.com/show_bug.cgi?id=831410

https://bugzilla.novell.com/show_bug.cgi?id=831949

http://support.novell.com/security/cve/CVE-2013-1059.html

http://support.novell.com/security/cve/CVE-2013-1774.html

http://support.novell.com/security/cve/CVE-2013-1819.html

http://support.novell.com/security/cve/CVE-2013-1929.html

http://support.novell.com/security/cve/CVE-2013-2148.html

http://support.novell.com/security/cve/CVE-2013-2164.html

http://support.novell.com/security/cve/CVE-2013-2232.html

http://support.novell.com/security/cve/CVE-2013-2234.html

http://support.novell.com/security/cve/CVE-2013-2237.html

http://support.novell.com/security/cve/CVE-2013-2851.html

http://support.novell.com/security/cve/CVE-2013-4162.html

http://support.novell.com/security/cve/CVE-2013-4163.html

Plugin Details

Severity: High

ID: 70039

File Name: suse_11_kernel-130827.nasl

Version: 1.5

Type: local

Agent: unix

Published: 9/21/2013

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:kernel-trace-extra, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, p-cpe:/a:novell:suse_linux:11:xen-kmp-default, p-cpe:/a:novell:suse_linux:11:xen-kmp-pae, p-cpe:/a:novell:suse_linux:11:xen-kmp-trace, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 8/27/2013

Reference Information

CVE: CVE-2013-1059, CVE-2013-1774, CVE-2013-1819, CVE-2013-1929, CVE-2013-2148, CVE-2013-2164, CVE-2013-2232, CVE-2013-2234, CVE-2013-2237, CVE-2013-2851, CVE-2013-4162, CVE-2013-4163