The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandled destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2016-4557: The replace_map_fd_with_map_ptr function     in kernel/bpf/verifier.c in the Linux kernel did not     properly maintain an fd data structure, which allowed     local users to gain privileges or cause a denial of     service (use-after-free) via crafted BPF instructions     that reference an incorrect file descriptor     (bnc#979018).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4951: The tipc_nl_publ_dump function in     net/tipc/socket.c in the Linux kernel did not verify     socket existence, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     dumpit operation (bnc#981058).

  - CVE-2015-8787: The nf_nat_redirect_ipv4 function in     net/netfilter/nf_nat_redirect.c in the Linux kernel     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by sending certain IPv4     packets to an incompletely configured interface, a     related issue to CVE-2003-1604 (bnc#963931).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-6828: A use after free in     tcp_xmit_retransmit_queue() was fixed that could be used     by local attackers to crash the kernel (bsc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986362 986365 990058).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for man-in-the-middle     attackers to hijack TCP sessions via a blind in-window     attack (bnc#989152).

  - CVE-2016-1237: nfsd in the Linux kernel allowed local     users to bypass intended file-permission restrictions by     setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c,     and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

  - AF_VSOCK: Shrink the area influenced by prepare_to_wait     (bsc#994520).

  - KVM: arm/arm64: Handle forward time correction     gracefully (bnc#974266).

  - Linux 4.1.29. Refreshed patch:
    patches.xen/xen3-fixup-xen Deleted patches:
    patches.fixes/0001-Revert-ecryptfs-forbid-opening-files-     without-mmap-ha.patch     patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lo     wer-file-system.patch     patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compo     und-page-ar     patches.rpmify/Revert-powerpc-Update-TM-user-feature-bit     s-in-scan_f

  - Revert 'mm/swap.c: flush lru pvecs on compound page     arrival' (boo#989084).

  - Revert 'powerpc: Update TM user feature bits in     scan_features()'. Fix the build error of 4.1.28 on ppc.

  - Revive i8042_check_power_owner() for 4.1.31 kabi fix.

  - USB: OHCI: Do not mark EDs as ED_OPER if scheduling     fails (bnc#987886).

  - USB: validate wMaxPacketValue entries in endpoint     descriptors (bnc#991665).

  - Update     patches.fixes/0002-nfsd-check-permissions-when-setting-A     CLs.patch (bsc#986570 CVE-2016-1237).

  - Update     patches.fixes/0001-posix_acl-Add-set_posix_acl.patch     (bsc#986570 CVE-2016-1237).

  - netfilter: x_tables: fix 4.1 stable backport     (bsc#989176).

  - nfsd: check permissions when setting ACLs (bsc#986570).

  - posix_acl: Add set_posix_acl (bsc#986570).

  - ppp: defer netns reference release for ppp channel     (bsc#980371).

  - series.conf: Move a kABI patch to its own section

  - supported.conf: enable i2c-designware driver     (bsc#991110)

  - tcp: enable per-socket rate limiting of all 'challenge     acks' (bsc#989152).

Detections

Analytics

openSUSE Security Update : the Linux Kernel (openSUSE-2016-1076)

critical Nessus Plugin ID 93445

Version 2.9