ID CVE-2014-1737 Type cve Reporter NVD Modified 2017-12-20T21:29:00
Description
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
{"result": {"openvas": [{"id": "OPENVAS:1361412562310123389", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3041", "description": "Oracle Linux Local Security Checks ELSA-2014-3041", "published": "2015-10-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123389", "cvelist": ["CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-07-24T12:53:24"}, {"id": "OPENVAS:1361412562310123392", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0740", "description": "Oracle Linux Local Security Checks ELSA-2014-0740", "published": "2015-10-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123392", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-07-24T12:53:51"}, {"id": "OPENVAS:1361412562310123393", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0740-1", "description": "Oracle Linux Local Security Checks ELSA-2014-0740-1", "published": "2015-10-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123393", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-07-24T12:52:39"}, {"id": "OPENVAS:1361412562310850807", "type": "openvas", "title": "SuSE Update for Linux SUSE-SU-2014:0667-1 (Linux)", "description": "Check the version of Linux", "published": "2015-10-13T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850807", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2017-12-12T11:16:59"}, {"id": "OPENVAS:1361412562310702928", "type": "openvas", "title": "Debian Security Advisory DSA 2928-1 (linux-2.6 - privilege escalation/denial of service/information leak)", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead\nto a denial of service, information leak or privilege escalation. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-0196 \nJiri Slaby discovered a race condition in the pty layer, which could lead\nto a denial of service or privilege escalation.\n\nCVE-2014-1737 CVE-2014-1738 \nMatthew Daley discovered an information leak and missing input\nsanitising in the FDRAWCMD ioctl of the floppy driver. This could result\nin a privilege escalation.", "published": "2014-05-14T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702928", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2018-04-06T11:11:41"}, {"id": "OPENVAS:702928", "type": "openvas", "title": "Debian Security Advisory DSA 2928-1 (linux-2.6 - privilege escalation/denial of service/information leak)", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead\nto a denial of service, information leak or privilege escalation. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-0196 \nJiri Slaby discovered a race condition in the pty layer, which could lead\nto a denial of service or privilege escalation.\n\nCVE-2014-1737 CVE-2014-1738 \nMatthew Daley discovered an information leak and missing input\nsanitising in the FDRAWCMD ioctl of the floppy driver. This could result\nin a privilege escalation.", "published": "2014-05-14T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=702928", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2017-07-28T10:48:44"}, {"id": "OPENVAS:1361412562310871180", "type": "openvas", "title": "RedHat Update for kernel RHSA-2014:0740-01", "description": "Check for the Version of kernel", "published": "2014-06-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871180", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2018-04-09T11:14:06"}, {"id": "OPENVAS:1361412562310881954", "type": "openvas", "title": "CentOS Update for kernel CESA-2014:0740 centos5 ", "description": "Check for the Version of kernel", "published": "2014-06-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881954", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2018-04-09T11:13:17"}, {"id": "OPENVAS:1361412562310702926", "type": "openvas", "title": "Debian Security Advisory DSA 2926-1 (linux - security update)", "description": "Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a denial of service, information leaks or privilege\nescalation:\n\nCVE-2014-0196 \nJiri Slaby discovered a race condition in the pty layer, which could\nlead to denial of service or privilege escalation.\n\nCVE-2014-1737 /\nCVE-2014-1738 \nMatthew Daley discovered that missing input sanitising in the\nFDRAWCMD ioctl and an information leak could result in privilege\nescalation.\n\nCVE-2014-2851 \nIncorrect reference counting in the ping_init_sock() function allows\ndenial of service or privilege escalation.\n\nCVE-2014-3122 \nIncorrect locking of memory can result in local denial of service.", "published": "2014-05-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702926", "cvelist": ["CVE-2014-3122", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196", "CVE-2014-2851"], "lastseen": "2018-04-06T11:12:19"}, {"id": "OPENVAS:1361412562310123388", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3043", "description": "Oracle Linux Local Security Checks ELSA-2014-3043", "published": "2015-10-06T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123388", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-0203"], "lastseen": "2017-07-24T12:53:32"}], "redhat": [{"id": "RHSA-2014:0801", "type": "redhat", "title": "(RHSA-2014:0801) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\nRed Hat would like to thank Matthew Daley for reporting these issues.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-06-26T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0801", "cvelist": ["CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-09-09T07:20:24"}, {"id": "RHSA-2014:0772", "type": "redhat", "title": "(RHSA-2014:0772) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* A flaw was found in the way the Linux kernel's TCP/IP protocol suite\nimplementation handled TCP packets with both the SYN and FIN flags set.\nA remote attacker could use this flaw to consume an excessive amount of\nresources on the target system, potentially resulting in a denial of\nservice. (CVE-2012-6638, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738.\n\nThis update also fixes the following bugs:\n\n* While under heavy load, some Fibre Channel storage devices, such as\nHitachi and HP Open-V series, can send a logout (LOGO) message to the host\nsystem. However, due to a bug in the lpfc driver, this could result in a\nloss of active paths to the storage and the paths could not be recovered\nwithout manual intervention. This update corrects the lpfc driver to ensure\nautomatic recovery of the lost paths to the storage in this scenario.\n(BZ#1096060)\n\n* A bug in the futex system call could result in an overflow when passing a\nvery large positive timeout. As a consequence, the FUTEX_WAIT operation did\nnot work as intended and the system call was timing out immediately.\nA backported patch fixes this bug by limiting very large positive timeouts\nto the maximal supported value. (BZ#1091831)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-06-19T04:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0772", "cvelist": ["CVE-2012-6638", "CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-09-09T07:20:27"}, {"id": "RHSA-2014:0740", "type": "redhat", "title": "(RHSA-2014:0740) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* A NULL pointer dereference flaw was found in the rds_ib_laddr_check()\nfunction in the Linux kernel's implementation of Reliable Datagram Sockets\n(RDS). A local, unprivileged user could use this flaw to crash the system.\n(CVE-2013-7339, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738.\n\nThis update also fixes the following bugs:\n\n* A bug in the futex system call could result in an overflow when passing\na very large positive timeout. As a consequence, the FUTEX_WAIT operation\ndid not work as intended and the system call was timing out immediately.\nA backported patch fixes this bug by limiting very large positive timeouts\nto the maximal supported value. (BZ#1091832)\n\n* A new Linux Security Module (LSM) functionality related to the setrlimit\nhooks should produce a warning message when used by a third party module\nthat could not cope with it. However, due to a programming error, the\nkernel could print this warning message when a process was setting rlimits\nfor a different process, or if rlimits were modified by another than the\nmain thread even though there was no incompatible third party module. This\nupdate fixes the relevant code and ensures that the kernel handles this\nwarning message correctly. (BZ#1092869)\n\n* Previously, the kernel was unable to detect KVM on system boot if the\nHyper-V emulation was enabled. A patch has been applied to ensure that\nboth KVM and Hyper-V hypervisors are now correctly detected during system\nboot. (BZ#1094152)\n\n* A function in the RPC code responsible for verifying whether cached\ncredentials match the current process did not perform the check correctly.\nThe code checked only whether the groups in the current process\ncredentials appear in the same order as in the cached credentials but did\nnot ensure that no other groups are present in the cached credentials. As\na consequence, when accessing files in NFS mounts, a process with the same\nUID and GID as the original process but with a non-matching group list\ncould have been granted an unauthorized access to a file, or under certain\ncircumstances, the process could have been wrongly prevented from\naccessing the file. The incorrect test condition has been fixed and the\nproblem can no longer occur. (BZ#1095062)\n\n* When being under heavy load, some Fibre Channel storage devices, such as\nHitachi and HP Open-V series, can send a logout (LOGO) message to the\nhost system. However, due to a bug in the lpfc driver, this could result\nin a loss of active paths to the storage and the paths could not be\nrecovered without manual intervention. This update corrects the lpfc\ndriver to ensure automatic recovery of the lost paths to the storage in\nthis scenario. (BZ#1096061)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-06-10T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0740", "cvelist": ["CVE-2013-7339", "CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-09-08T08:36:44"}, {"id": "RHSA-2014:0800", "type": "redhat", "title": "(RHSA-2014:0800) Important: kernel security update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of\nCVE-2014-3153.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-06-26T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0800", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "lastseen": "2016-09-04T11:17:36"}, {"id": "RHSA-2014:0900", "type": "redhat", "title": "(RHSA-2014:0900) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of\nCVE-2014-3153.\n\nThis update also fixes the following bug:\n\n* A previous change that introduced global clock updates caused guest\nmachines to boot slowly when the host Time Stamp Counter (TSC) was marked\nas unstable. The slow down increased with the number of vCPUs allocated.\nTo resolve this problem, a patch has been applied to limit the rate of the\nglobal clock updates. (BZ#1102253)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-07-17T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0900", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "lastseen": "2016-09-04T11:17:40"}, {"id": "RHSA-2014:0557", "type": "redhat", "title": "(RHSA-2014:0557) Important: kernel-rt security update", "description": "The kernel-rt packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A race condition leading to a use-after-free flaw was found in the way\nthe Linux kernel's TCP/IP protocol suite implementation handled the\naddition of fragments to the LRU (Last-Recently Used) list under certain\nconditions. A remote attacker could use this flaw to crash the system or,\npotentially, escalate their privileges on the system by sending a large\namount of specially crafted fragmented packets to that system.\n(CVE-2014-0100, Important)\n\n* A race condition flaw, leading to heap-based buffer overflows, was found\nin the way the Linux kernel's N_TTY line discipline (LDISC) implementation\nhandled concurrent processing of echo output and TTY write operations\noriginating from user space when the underlying TTY driver was PTY.\nAn unprivileged, local user could use this flaw to crash the system or,\npotentially, escalate their privileges on the system. (CVE-2014-0196,\nImportant)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* A use-after-free flaw was found in the way the ping_init_sock() function\nof the Linux kernel handled the group_info reference counter. A local,\nunprivileged user could use this flaw to crash the system or, potentially,\nescalate their privileges on the system. (CVE-2014-2851, Important)\n\n* It was found that a remote attacker could use a race condition flaw in\nthe ath_tx_aggr_sleep() function to crash the system by creating large\nnetwork traffic on the system's Atheros 9k wireless network adapter.\n(CVE-2014-2672, Moderate)\n\n* A NULL pointer dereference flaw was found in the rds_iw_laddr_check()\nfunction in the Linux kernel's implementation of Reliable Datagram Sockets\n(RDS). A local, unprivileged user could use this flaw to crash the system.\n(CVE-2014-2678, Moderate)\n\n* A race condition flaw was found in the way the Linux kernel's mac80211\nsubsystem implementation handled synchronization between TX and STA wake-up\ncode paths. A remote attacker could use this flaw to crash the system.\n(CVE-2014-2706, Moderate)\n\n* It was found that the try_to_unmap_cluster() function in the Linux\nkernel's Memory Managment subsystem did not properly handle page locking in\ncertain cases, which could potentially trigger the BUG_ON() macro in the\nmlock_vma_page() function. A local, unprivileged user could use this flaw\nto crash the system. (CVE-2014-3122, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. The CVE-2014-0100 issue was discovered by Nikolay\nAleksandrov of Red Hat.\n\nUsers are advised to upgrade to these updated packages, which upgrade the\nkernel-rt kernel to version kernel-rt-3.10.33-rt32.34 and correct these\nissues. The system must be rebooted for this update to take effect.\n", "published": "2014-05-27T04:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0557", "cvelist": ["CVE-2014-3122", "CVE-2014-2672", "CVE-2014-0100", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196", "CVE-2014-2851", "CVE-2014-2678", "CVE-2014-2706"], "lastseen": "2017-03-03T19:18:31"}, {"id": "RHSA-2014:0786", "type": "redhat", "title": "(RHSA-2014:0786) Important: kernel security, bug fix, and enhancement update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A use-after-free flaw was found in the way the ping_init_sock() function\nof the Linux kernel handled the group_info reference counter. A local,\nunprivileged user could use this flaw to crash the system or, potentially,\nescalate their privileges on the system. (CVE-2014-2851, Important)\n\n* Use-after-free and information leak flaws were found in the way the\nLinux kernel's floppy driver processed the FDRAWCMD IOCTL command. A local\nuser with write access to /dev/fdX could use these flaws to escalate their\nprivileges on the system. (CVE-2014-1737, CVE-2014-1738, Important)\n\n* It was found that the aio_read_events_ring() function of the Linux\nkernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO\nring head received from user space. A local, unprivileged user could use\nthis flaw to disclose random parts of the (physical) memory belonging to\nthe kernel and/or other processes. (CVE-2014-0206, Moderate)\n\n* An out-of-bounds memory access flaw was found in the Netlink Attribute\nextension of the Berkeley Packet Filter (BPF) interpreter functionality in\nthe Linux kernel's networking implementation. A local, unprivileged user\ncould use this flaw to crash the system or leak kernel memory to user space\nvia a specially crafted socket filter. (CVE-2014-3144, CVE-2014-3145,\nModerate)\n\n* An information leak flaw was found in the way the skb_zerocopy() function\ncopied socket buffers (skb) that are backed by user-space buffers (for\nexample vhost-net and Xen netback), potentially allowing an attacker to\nread data from those buffers. (CVE-2014-2568, Low)\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153 and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738.\nGoogle acknowledges Pinkie Pie as the original reporter of\nCVE-2014-3153. The CVE-2014-0206 issue was discovered by Mateusz Guzik of\nRed Hat.\n\nThis update also fixes the following bugs:\n\n* Due to incorrect calculation of Tx statistics in the qlcninc driver,\nrunning the \"ethtool -S ethX\" command could trigger memory corruption.\nAs a consequence, running the sosreport tool, that uses this command,\nresulted in a kernel panic. The problem has been fixed by correcting the\nsaid statistics calculation. (BZ#1104972)\n\n* When an attempt to create a file on the GFS2 file system failed due to a\nfile system quota violation, the relevant VFS inode was not completely\nuninitialized. This could result in a list corruption error. This update\nresolves this problem by correctly uninitializing the VFS inode in this\nsituation. (BZ#1097407)\n\n* Due to a race condition in the kernel, the getcwd() system call could\nreturn \"/\" instead of the correct full path name when querying a path name\nof a file or directory. Paths returned in the \"/proc\" file system could\nalso be incorrect. This problem was causing instability of various\napplications. The aforementioned race condition has been fixed and getcwd()\nnow always returns the correct paths. (BZ#1099048)\n\nIn addition, this update adds the following enhancements:\n\n* The kernel mutex code has been improved. The changes include improved\nqueuing of the MCS spin locks, the MCS code optimization, introduction of\nthe cancellable MCS spin locks, and improved handling of mutexes without\nwait locks. (BZ#1103631, BZ#1103629)\n\n* The handling of the Virtual Memory Area (VMA) cache and huge page faults\nhas been improved. (BZ#1103630)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements. The system must be rebooted for this update to take effect.\n", "published": "2014-06-24T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0786", "cvelist": ["CVE-2014-0206", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2568", "CVE-2014-2851", "CVE-2014-3144", "CVE-2014-3145", "CVE-2014-3153"], "lastseen": "2018-04-15T16:21:35"}, {"id": "RHSA-2014:0771", "type": "redhat", "title": "(RHSA-2014:0771) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* It was discovered that the proc_ns_follow_link() function did not\nproperly return the LAST_BIND value in the last pathname component as is\nexpected for procfs symbolic links, which could lead to excessive freeing\nof memory and consequent slab corruption. A local, unprivileged user could\nuse this flaw to crash the system. (CVE-2014-0203, Moderate)\n\n* A flaw was found in the way the Linux kernel handled exceptions when\nuser-space applications attempted to use the linkage stack. On IBM S/390\nsystems, a local, unprivileged user could use this flaw to crash the\nsystem. (CVE-2014-2039, Moderate)\n\n* An invalid pointer dereference flaw was found in the Marvell 8xxx\nLibertas WLAN (libertas) driver in the Linux kernel. A local user able to\nwrite to a file that is provided by the libertas driver and located on the\ndebug file system (debugfs) could use this flaw to crash the system. Note:\nThe debugfs file system must be mounted locally to exploit this issue.\nIt is not mounted by default. (CVE-2013-6378, Low)\n\n* A denial of service flaw was discovered in the way the Linux kernel's\nSELinux implementation handled files with an empty SELinux security\ncontext. A local user who has the CAP_MAC_ADMIN capability could use this\nflaw to crash the system. (CVE-2014-1874, Low)\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738,\nand Vladimir Davydov of Parallels for reporting CVE-2014-0203. Google\nacknowledges Pinkie Pie as the original reporter of CVE-2014-3153.\n\nThis update also fixes several bugs. Documentation for these changes will\nbe available shortly from the Technical Notes document linked to in the\nReferences section.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2014-06-19T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0771", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-2039", "CVE-2014-3153", "CVE-2014-0203"], "lastseen": "2017-03-07T05:18:50"}, {"id": "RHSA-2014:0815", "type": "redhat", "title": "(RHSA-2014:0815) Important: rhev-hypervisor6 security update", "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nA flaw was found in the way GnuTLS parsed session IDs from ServerHello\nmessages of the TLS/SSL handshake. A malicious server could use this flaw\nto send an excessively long session ID value, which would trigger a buffer\noverflow in a connecting TLS/SSL client application using GnuTLS, causing\nthe client application to crash or, possibly, execute arbitrary code.\n(CVE-2014-3466)\n\nIt was discovered that the asn1_get_bit_der() function of the libtasn1\nlibrary incorrectly reported the length of ASN.1-encoded data. Specially\ncrafted ASN.1 input could cause an application using libtasn1 to perform\nan out-of-bounds access operation, causing the application to crash or,\npossibly, execute arbitrary code. (CVE-2014-3468)\n\nMultiple incorrect buffer boundary check issues were discovered in\nlibtasn1. Specially crafted ASN.1 input could cause an application using\nlibtasn1 to crash. (CVE-2014-3467)\n\nMultiple NULL pointer dereference flaws were found in libtasn1's\nasn1_read_value() function. Specially crafted ASN.1 input could cause an\napplication using libtasn1 to crash, if the application used the\naforementioned function in a certain way. (CVE-2014-3469)\n\nRed Hat would like to thank GnuTLS upstream for reporting CVE-2014-3466,\nCVE-2014-3468, CVE-2014-3467, and CVE-2014-3469. Upstream acknowledges\nJoonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466.\n\nThis updated package provides an updated kernel component that includes\nfixes for various security issues. These issues have no security impact on\nRed Hat Enterprise Virtualization Hypervisor itself, however. The security\nfixes included in this update address the following CVE numbers:\n\nCVE-2013-6378, CVE-2014-0203, CVE-2014-1737, CVE-2014-1738, CVE-2014-1874,\nCVE-2014-2039 and CVE-2014-3153 (kernel issues)\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package.\n", "published": "2014-06-30T04:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0815", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-3466", "CVE-2014-3468", "CVE-2014-2039", "CVE-2014-3153", "CVE-2014-3469", "CVE-2014-0203", "CVE-2014-3467"], "lastseen": "2017-03-10T07:18:38"}], "nessus": [{"id": "REDHAT-RHSA-2014-0801.NASL", "type": "nessus", "title": "RHEL 5 : kernel (RHSA-2014:0801)", "description": "Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.6 Long Life.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\nRed Hat would like to thank Matthew Daley for reporting these issues.\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-11-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79290", "cvelist": ["CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-10-29T13:46:04"}, {"id": "ORACLELINUX_ELSA-2014-3041.NASL", "type": "nessus", "title": "Oracle Linux 6 : unbreakable enterprise kernel (ELSA-2014-3041)", "description": "Description of changes:\n\nkernel-uek [3.8.13-35.1.2.el6uek]\n- floppy: don't write kernel-only members to FDRAWCMD ioctl output (Matthew Daley) [Orabug: 19028443] {CVE-2014-1738}\n- floppy: ignore kernel-only members in FDRAWCMD ioctl input (Matthew Daley) [Orabug: 19028436] {CVE-2014-1737}", "published": "2014-06-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76184", "cvelist": ["CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2017-10-29T13:36:13"}, {"id": "SUSE_11_KERNEL-140513.NASL", "type": "nessus", "title": "SuSE 11.3 Security Update : Linux Kernel (SAT Patch Numbers 9233 / 9236 / 9237)", "description": "The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix the following severe security issues :\n\n - The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798).\n (CVE-2014-1737)\n\n - The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.\n (bnc#875798). (CVE-2014-1738)\n\n - The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the 'LECHO & !OPOST' case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (bnc#875690).\n (CVE-2014-0196)", "published": "2014-05-16T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74033", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2017-10-29T13:38:55"}, {"id": "ORACLELINUX_ELSA-2014-0740-1.NASL", "type": "nessus", "title": "Oracle Linux 5 : kernel (ELSA-2014-0740-1)", "description": "From Red Hat Security Advisory 2014:0740 :\n\nUpdated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\n* A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system. (CVE-2013-7339, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738.\n\nThis update also fixes the following bugs :\n\n* A bug in the futex system call could result in an overflow when passing a very large positive timeout. As a consequence, the FUTEX_WAIT operation did not work as intended and the system call was timing out immediately. A backported patch fixes this bug by limiting very large positive timeouts to the maximal supported value.\n(BZ#1091832)\n\n* A new Linux Security Module (LSM) functionality related to the setrlimit hooks should produce a warning message when used by a third party module that could not cope with it. However, due to a programming error, the kernel could print this warning message when a process was setting rlimits for a different process, or if rlimits were modified by another than the main thread even though there was no incompatible third party module. This update fixes the relevant code and ensures that the kernel handles this warning message correctly.\n(BZ#1092869)\n\n* Previously, the kernel was unable to detect KVM on system boot if the Hyper-V emulation was enabled. A patch has been applied to ensure that both KVM and Hyper-V hypervisors are now correctly detected during system boot. (BZ#1094152)\n\n* A function in the RPC code responsible for verifying whether cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credentials but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted an unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur. (BZ#1095062)\n\n* When being under heavy load, some Fibre Channel storage devices, such as Hitachi and HP Open-V series, can send a logout (LOGO) message to the host system. However, due to a bug in the lpfc driver, this could result in a loss of active paths to the storage and the paths could not be recovered without manual intervention. This update corrects the lpfc driver to ensure automatic recovery of the lost paths to the storage in this scenario. (BZ#1096061)\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-06-13T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74505", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-10-29T13:43:40"}, {"id": "REDHAT-RHSA-2014-0740.NASL", "type": "nessus", "title": "RHEL 5 : kernel (RHSA-2014:0740)", "description": "Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\n* A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system. (CVE-2013-7339, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738.\n\nThis update also fixes the following bugs :\n\n* A bug in the futex system call could result in an overflow when passing a very large positive timeout. As a consequence, the FUTEX_WAIT operation did not work as intended and the system call was timing out immediately. A backported patch fixes this bug by limiting very large positive timeouts to the maximal supported value.\n(BZ#1091832)\n\n* A new Linux Security Module (LSM) functionality related to the setrlimit hooks should produce a warning message when used by a third party module that could not cope with it. However, due to a programming error, the kernel could print this warning message when a process was setting rlimits for a different process, or if rlimits were modified by another than the main thread even though there was no incompatible third party module. This update fixes the relevant code and ensures that the kernel handles this warning message correctly.\n(BZ#1092869)\n\n* Previously, the kernel was unable to detect KVM on system boot if the Hyper-V emulation was enabled. A patch has been applied to ensure that both KVM and Hyper-V hypervisors are now correctly detected during system boot. (BZ#1094152)\n\n* A function in the RPC code responsible for verifying whether cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credentials but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted an unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur. (BZ#1095062)\n\n* When being under heavy load, some Fibre Channel storage devices, such as Hitachi and HP Open-V series, can send a logout (LOGO) message to the host system. However, due to a bug in the lpfc driver, this could result in a loss of active paths to the storage and the paths could not be recovered without manual intervention. This update corrects the lpfc driver to ensure automatic recovery of the lost paths to the storage in this scenario. (BZ#1096061)\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-06-11T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74458", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-10-29T13:37:01"}, {"id": "SL_20140610_KERNEL_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL5.x i386/x86_64", "description": "- A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n - It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\n - A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system. (CVE-2013-7339, Moderate)\n\nThis update also fixes the following bugs :\n\n - A bug in the futex system call could result in an overflow when passing a very large positive timeout. As a consequence, the FUTEX_WAIT operation did not work as intended and the system call was timing out immediately.\n A backported patch fixes this bug by limiting very large positive timeouts to the maximal supported value.\n\n - A new Linux Security Module (LSM) functionality related to the setrlimit hooks should produce a warning message when used by a third party module that could not cope with it. However, due to a programming error, the kernel could print this warning message when a process was setting rlimits for a different process, or if rlimits were modified by another than the main thread even though there was no incompatible third party module.\n This update fixes the relevant code and ensures that the kernel handles this warning message correctly.\n\n - Previously, the kernel was unable to detect KVM on system boot if the Hyper-V emulation was enabled. A patch has been applied to ensure that both KVM and Hyper-V hypervisors are now correctly detected during system boot.\n\n - A function in the RPC code responsible for verifying whether cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credentials but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted an unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur.\n\n - When being under heavy load, some Fibre Channel storage devices, such as Hitachi and HP Open-V series, can send a logout (LOGO) message to the host system. However, due to a bug in the lpfc driver, this could result in a loss of active paths to the storage and the paths could not be recovered without manual intervention. This update corrects the lpfc driver to ensure automatic recovery of the lost paths to the storage in this scenario.\n\nThe system must be rebooted for this update to take effect.", "published": "2014-06-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74489", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-10-29T13:41:24"}, {"id": "REDHAT-RHSA-2014-0800.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2014:0800)", "description": "Updated kernel packages that fix three security issues are now available for Red Hat Enterprise Linux 6.2 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting CVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of CVE-2014-3153.\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-11-08T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79032", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "lastseen": "2018-02-17T15:51:03"}, {"id": "DEBIAN_DSA-2928.NASL", "type": "nessus", "title": "Debian DSA-2928-1 : linux-2.6 - privilege escalation/denial of service/information leak", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2014-0196 Jiri Slaby discovered a race condition in the pty layer, which could lead to a denial of service or privilege escalation.\n\n - CVE-2014-1737 CVE-2014-1738 Matthew Daley discovered an information leak and missing input sanitising in the FDRAWCMD ioctl of the floppy driver. This could result in a privilege escalation.", "published": "2014-05-16T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74027", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2017-10-29T13:37:35"}, {"id": "REDHAT-RHSA-2014-0900.NASL", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2014:0900)", "description": "Updated kernel packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.4 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting CVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of CVE-2014-3153.\n\nThis update also fixes the following bug :\n\n* A previous change that introduced global clock updates caused guest machines to boot slowly when the host Time Stamp Counter (TSC) was marked as unstable. The slow down increased with the number of vCPUs allocated. To resolve this problem, a patch has been applied to limit the rate of the global clock updates. (BZ#1102253)\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-11-08T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79035", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "lastseen": "2018-02-17T16:09:10"}, {"id": "CENTOS_RHSA-2014-0740.NASL", "type": "nessus", "title": "CentOS 5 : kernel (CESA-2014:0740)", "description": "Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.\n\n* A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system. (CVE-2013-7339, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738.\n\nThis update also fixes the following bugs :\n\n* A bug in the futex system call could result in an overflow when passing a very large positive timeout. As a consequence, the FUTEX_WAIT operation did not work as intended and the system call was timing out immediately. A backported patch fixes this bug by limiting very large positive timeouts to the maximal supported value.\n(BZ#1091832)\n\n* A new Linux Security Module (LSM) functionality related to the setrlimit hooks should produce a warning message when used by a third party module that could not cope with it. However, due to a programming error, the kernel could print this warning message when a process was setting rlimits for a different process, or if rlimits were modified by another than the main thread even though there was no incompatible third party module. This update fixes the relevant code and ensures that the kernel handles this warning message correctly.\n(BZ#1092869)\n\n* Previously, the kernel was unable to detect KVM on system boot if the Hyper-V emulation was enabled. A patch has been applied to ensure that both KVM and Hyper-V hypervisors are now correctly detected during system boot. (BZ#1094152)\n\n* A function in the RPC code responsible for verifying whether cached credentials match the current process did not perform the check correctly. The code checked only whether the groups in the current process credentials appear in the same order as in the cached credentials but did not ensure that no other groups are present in the cached credentials. As a consequence, when accessing files in NFS mounts, a process with the same UID and GID as the original process but with a non-matching group list could have been granted an unauthorized access to a file, or under certain circumstances, the process could have been wrongly prevented from accessing the file. The incorrect test condition has been fixed and the problem can no longer occur. (BZ#1095062)\n\n* When being under heavy load, some Fibre Channel storage devices, such as Hitachi and HP Open-V series, can send a logout (LOGO) message to the host system. However, due to a bug in the lpfc driver, this could result in a loss of active paths to the storage and the paths could not be recovered without manual intervention. This update corrects the lpfc driver to ensure automatic recovery of the lost paths to the storage in this scenario. (BZ#1096061)\n\nAll kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2014-06-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74471", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-10-29T13:42:22"}], "oraclelinux": [{"id": "ELSA-2014-3041", "type": "oraclelinux", "title": "unbreakable enterprise kernel security update", "description": "kernel-uek\n[3.8.13-35.1.2.el6uek]\n- floppy: don't write kernel-only members to FDRAWCMD ioctl output (Matthew Daley) [Orabug: 19028443] {CVE-2014-1738}\n- floppy: ignore kernel-only members in FDRAWCMD ioctl input (Matthew Daley) [Orabug: 19028436] {CVE-2014-1737}", "published": "2014-06-20T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-3041.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738"], "lastseen": "2016-09-04T11:16:55"}, {"id": "ELSA-2014-0740-1", "type": "oraclelinux", "title": "1 ", "description": "kernel\n[2.6.18-371.9.1.0.1]\n- i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649]\n- [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030]\n- [oprofile] export __get_user_pages_fast() function [orabug 14277030]\n- [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030]\n- [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030]\n- [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030]\n- [kernel] Initialize the local uninitialized variable stats. [orabug 14051367]\n- [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763]\n- [x86 ] fix fpu context corrupt when preempt in signal context [orabug 14038272]\n- [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075]\n- fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan)\n- [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan)\n- [x86] Fix lvt0 reset when hvm boot up with noapic param\n- [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason)\n [orabug 12342275]\n- [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346]\n- [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566]\n- [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042]\n- [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646]\n- fix filp_close() race (Joe Jin) [orabug 10335998]\n- make xenkbd.abs_pointer=1 by default [orabug 67188919]\n- [xen] check to see if hypervisor supports memory reservation change\n (Chuck Anderson) [orabug 7556514]\n- [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki)\n [orabug 10315433]\n- [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258]\n- [mm] Patch shrink_zone to yield during severe mempressure events, avoiding\n hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839]\n- [mm] Enhance shrink_zone patch allow full swap utilization, and also be\n NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919]\n- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]\n- [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson)\n [orabug 9107465]\n- [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson)\n [orabug 9764220]\n- Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615]\n- fix overcommit memory to use percpu_counter for (KOSAKI Motohiro,\n Guru Anbalagane) [orabug 6124033]\n- [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208]\n- [ib] fix memory corruption (Andy Grover) [orabug 9972346]\n- [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203]\n- [usb] usbcore: fix endpoint device creation (Junxiao Bi) [orabug 14795203]\n- [usb] usbcore: fix refcount bug in endpoint removal (Junxiao Bi) [orabug 14795203]", "published": "2014-06-11T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0740-1.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-08-22T10:00:02"}, {"id": "ELSA-2014-0740", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "kernel\n[2.6.18-371.9.1]\n- [nfs] sunrpc: don't use a credential with extra groups (Mateusz Guzik) [1095062 976201]\n- [scsi] lpfc: Remove NDLP reference put in lpfc_cmpl_els_logo_acc (Rob Evers) [1096061 1075228]\n- [infiniband] rds: dereference of a NULL device (Jacob Tanenbaum) [1079216 1079217] {CVE-2013-7339}\n- [kernel] futex: check relative timeouts for overflow (Denys Vlasenko) [1091832 1084168]\n- [virt] kvm: correctly detect KVM when hv emulation is enalbed (Jason Wang) [1094152 985767]\n- [security] Fix spurious warnings in security_ops_task_setrlimit (Mateusz Guzik) [1092869 916235]\n- [block] floppy: don't write kernel-only members to FDRAWCMD output (Denys Vlasenko) [1094302 1094303] {CVE-2014-1738 CVE-2014-1737}\n- [block] floppy: ignore kernel-only members in FDRAWCMD input (Denys Vlasenko) [1094302 1094303] {CVE-2014-1738 CVE-2014-1737}", "published": "2014-06-11T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0740.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2016-09-04T11:16:54"}, {"id": "ELSA-2014-3042", "type": "oraclelinux", "title": "unbreakable enterprise kernel security update", "description": "[2.6.39-400.215.3]\n- SELinux: Fix kernel BUG on empty security contexts. (Stephen Smalley) [Orabug: 19028380] {CVE-2014-1874}\n- floppy: don't write kernel-only members to FDRAWCMD ioctl output (Matthew Daley) [Orabug: 19028444] {CVE-2014-1738}\n- floppy: ignore kernel-only members in FDRAWCMD ioctl input (Matthew Daley) [Orabug: 19028438] {CVE-2014-1737}\n- libertas: potential oops in debugfs (Dan Carpenter) [Orabug: 19028416] {CVE-2013-6378}", "published": "2014-06-20T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-3042.html", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738"], "lastseen": "2016-09-04T11:16:12"}, {"id": "ELSA-2014-3043", "type": "oraclelinux", "title": "unbreakable enterprise kernel security update", "description": "kernel-uek\n[2.6.32-400.36.3uek]\n- fix autofs/afs/etc. magic mountpoint breakage (Al Viro) [Orabug: 19028505] {CVE-2014-0203}\n- SELinux: Fix kernel BUG on empty security contexts. (Stephen Smalley) [Orabug: 19028381] {CVE-2014-1874}\n- floppy: don't write kernel-only members to FDRAWCMD ioctl output (Matthew Daley) [Orabug: 19028446] {CVE-2014-1738}\n- floppy: ignore kernel-only members in FDRAWCMD ioctl input (Matthew Daley) [Orabug: 19028439] {CVE-2014-1737}\n- libertas: potential oops in debugfs (Dan Carpenter) [Orabug: 19028417] {CVE-2013-6378}", "published": "2014-06-20T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-3043.html", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-0203"], "lastseen": "2016-09-04T11:16:22"}, {"id": "ELSA-2014-0786", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "description": "[3.10.0-123.4.2]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-123.4.2]\n- [fs] aio: fix plug memory disclosure and fix reqs_active accounting backport (Jeff Moyer) [1094604 1094605] {CVE-2014-0206}\n- [fs] aio: plug memory disclosure and fix reqs_active accounting (Mateusz Guzik) [1094604 1094605] {CVE-2014-0206}\n[3.10.0-123.4.1]\n- [kernel] futex: Make lookup_pi_state more robust (Larry Woodman) [1104519 1104520] {CVE-2014-3153}\n- [kernel] futex: Always cleanup owner tid in unlock_pi (Larry Woodman) [1104519 1104520] {CVE-2014-3153}\n- [kernel] futex: Validate atomic acquisition in futex_lock_pi_atomic() (Larry Woodman) [1104519 1104520] {CVE-2014-3153}\n- [kernel] futex: prevent requeue pi on same futex (Larry Woodman) [1104519 1104520] {CVE-2014-3153}\n- [ethernet] qlcnic: Fix ethtool statistics length calculation (Michal Schmidt) [1104972 1099634]\n- Revert: [kernel] cputime: Default implementation of nsecs -> cputime conversion (Frederic Weisbecker) [1090974 1047732]\n- Revert: [kernel] cputime: Bring cputime -> nsecs conversion (Frederic Weisbecker) [1090974 1047732]\n- Revert: [kernel] cputime: Fix jiffies based cputime assumption on steal accounting (Frederic Weisbecker) [1090974 1047732]\n[3.10.0-123.3.1]\n- [kernel] mutexes: Give more informative mutex warning in the !lock->owner case (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] mutex: replace CONFIG_HAVE_ARCH_MUTEX_CPU_RELAX with simple ifdef (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutexes: Introduce cancelable MCS lock for adaptive spinning (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutexes: Modify the way optimistic spinners are queued (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutexes: Return false if task need_resched() in mutex_can_spin_on_owner() (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] Restructure the MCS lock defines and locking & Move mcs_spinlock.h into kernel/locking/ (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [misc] arch: Introduce smp_load_acquire(), smp_store_release() (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutex: Fix debug_mutexes (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutex: Fix debug checks (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n- [kernel] locking/mutexes: Unlock the mutex without the wait_lock (Larry Woodman) [1103629 1087655] [1103630 1087919] [1103631 1087922]\n[3.10.0-123.2.1]\n- [net] filter: prevent nla extensions to peek beyond the end of the message (Jiri Benc) [1096780 1096781] {CVE-2014-3144 CVE-2014-3145}\n- [block] floppy: don't write kernel-only members to FDRAWCMD ioctl output (Denys Vlasenko) [1094316 1094318] {CVE-2014-1737 CVE-2014-1738}\n- [block] floppy: ignore kernel-only members in FDRAWCMD ioctl input (Denys Vlasenko) [1094316 1094318] {CVE-2014-1737 CVE-2014-1738}\n- [net] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors (Jiri Pirko) [1091345 1079014] {CVE-2014-2568}\n- [net] ipv4: current group_info should be put after using (Jiri Benc) [1087415 1087416] {CVE-2014-2851}\n- [fs] dcache: make prepend_name() work correctly when called with negative *buflen (Mikulas Patocka) [1099048 1092746]\n- [fs] dcache: __dentry_path() fixes (Mikulas Patocka) [1099048 1092746]\n- [fs] dcache: prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts (Mikulas Patocka) [1099048 1092746]\n- [target] tcm_fc: Fix use-after-free of ft_tpg (Andy Grover) [1088110 1071340]\n- [s390] af_iucv: wrong mapping of sent and confirmed skbs (Hendrik Brueckner) [1103064 1098513]\n- [s390] kernel: avoid page table walk on user space access (Hendrik Brueckner) [1103062 1097687]\n- [s390] crypto: fix aes, des ctr mode concurrency finding (Hendrik Brueckner) [1103060 1097686]\n- [net] openvswitch: fix a possible deadlock and lockdep warning (Flavio Leitner) [1103318 1094867]\n- [mm] filemap: update find_get_pages_tag() to deal with shadow entries (Johannes Weiner) [1103065 1091795]\n- [mm] page-writeback: fix divide by zero in pos_ratio_polynom (Rik van Riel) [1103067 1091784]\n- [mm] page-writeback: add strictlimit feature (Rik van Riel) [1103067 1091784]\n- [fs] xfs: log vector rounding leaks log space (Brian Foster) [1103059 1091136]\n- [fs] xfs: truncate_setsize should be outside transactions (Brian Foster) [1103059 1091136]\n- [fs] gfs2: Fix uninitialized VFS inode in gfs2_create_inode (Abhijith Das) [1097407 1087995]\n- [kernel] futex: Fix pthread_cond_broadcast() to wake up all threads (Larry Woodman) [1103066 1084757]\n- [net] ip: generate unique IP identificator if local fragmentation is allowed (Jiri Pirko) [1090490 1076106]\n- [kernel] cputime: Fix jiffies based cputime assumption on steal accounting (Frederic Weisbecker) [1090974 1047732]\n- [kernel] cputime: Bring cputime -> nsecs conversion (Frederic Weisbecker) [1090974 1047732]\n- [kernel] cputime: Default implementation of nsecs -> cputime conversion (Frederic Weisbecker) [1090974 1047732]\n- [x86] irq, pic: Probe for legacy PIC and set legacy_pic appropriately (Vivek Goyal) [1094973 1037957]\n- [virt] hyperv/vmbus: Negotiate version 3.0 when running on ws2012r2 hosts (Vivek Goyal) [1094973 1037957]", "published": "2014-07-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0786.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2568", "CVE-2014-0206", "CVE-2014-3145", "CVE-2014-2851", "CVE-2014-3144", "CVE-2014-3153"], "lastseen": "2016-09-04T11:17:15"}, {"id": "ELSA-2014-0771", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "[2.6.32-431.20.3]\n- [kernel] futex: Make lookup_pi_state more robust (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: Always cleanup owner tid in unlock_pi (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: Validate atomic acquisition in futex_lock_pi_atomic() (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: prevent requeue pi on same futex (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [fs] autofs4: fix device ioctl mount lookup (Ian Kent) [1069630 999708]\n- [fs] vfs: introduce kern_path_mountpoint() (Ian Kent) [1069630 999708]\n- [fs] vfs: rename user_path_umountat() to user_path_mountpoint_at() (Ian Kent) [1069630 999708]\n- [fs] vfs: massage umount_lookup_last() a bit to reduce nesting (Ian Kent) [1069630 999708]\n- [fs] vfs: allow umount to handle mountpoints without revalidating them (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: allow umount to handle mountpoints without revalidating them (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: massage umount_lookup_last() a bit to reduce nesting (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: rename user_path_umountat() to user_path_mountpoint_at() (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: introduce kern_path_mountpoint() (Ian Kent) [1069630 999708]\n- Revert: [fs] autofs4: fix device ioctl mount lookup (Ian Kent) [1069630 999708]\n[2.6.32-431.20.2]\n- [block] floppy: don't write kernel-only members to FDRAWCMD ioctl output (Denys Vlasenko) [1094308 1094310] {CVE-2014-1738 CVE-2014-1737}\n- [block] floppy: ignore kernel-only members in FDRAWCMD ioctl input (Denys Vlasenko) [1094308 1094310] {CVE-2014-1738 CVE-2014-1737}\n- [fs] vfs: fix autofs/afs/etc magic mountpoint breakage (Frantisek Hrbata) [1094370 1079347] {CVE-2014-0203}\n- [char] n_tty: Fix n_tty_write crash when echoing in raw mode (Aristeu Rozanski) [1094236 1094237] {CVE-2014-0196}\n[2.6.32-431.20.1]\n- [net] rtnetlink: Only supply IFLA_VF_PORTS information when RTEXT_FILTER_VF is set (Jiri Pirko) [1092870 1081282]\n- [net] rtnetlink: Warn when interface's information won't fit in our packet (Jiri Pirko) [1092870 1081282]\n- [net] bridge: Correctly receive hw-accelerated vlan traffic (Vlad Yasevich) [1096214 1067722]\n- [net] vlan: Allow accelerated packets to flow through the bridge (Vlad Yasevich) [1096214 1067722]\n- [infiniband] qib: Add missing serdes init sequence (Doug Ledford) [1080104 1005491]\n- [infiniband] qib: Fix txselect regression (Doug Ledford) [1080104 1005491]\n- [netdrv] ixgbevf: fix vlan acceleration (Nikolay Aleksandrov) [1094287 1069028]\n- [security] selinux: Fix kernel BUG on empty security contexts (Paul Moore) [1062502 1064545] {CVE-2014-1874}\n- [netdrv] libertas: potential oops in debugfs (Denys Vlasenko) [1034176 1034177] {CVE-2013-6378}\n- [kernel] cgroup: move put_css_set() after setting CGRP_RELEASABLE bit to fix notify_on_release (Naoya Horiguchi) [1081909 1037465]\n- [kernel] sched: Use exit hook to avoid use-after-free crash (Naoya Horiguchi) [1081914 1032347]\n- [kernel] cgroup: replace list_del() with list_del_init() to avoid panic (Naoya Horiguchi) [1081915 1032343]\n- [x86] turbostat: display C8, C9, C10 residency (Neil Horman) [1096711 1080637]\n- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp list (Rob Evers) [1086839 1063699]\n- [s390] fix kernel crash due to linkage stack instructions (Hendrik Brueckner) [1067678 1067679] {CVE-2014-2039}\n- [x86] kvm: rate-limit global clock updates (Andrew Jones) [1090750 1072373]\n- [kernel] hrtimers: Move SMP function call to thread context (Mateusz Guzik) [1079869 1073129]\n- [kernel] hrtimers: Support resuming with two or more CPUs online (Mateusz Guzik) [1079869 1073129]\n- [fs] autofs4: fix device ioctl mount lookup (Ian Kent) [1069630 999708]\n- [fs] vfs: introduce kern_path_mountpoint() (Ian Kent) [1069630 999708]\n- [fs] vfs: rename user_path_umountat() to user_path_mountpoint_at() (Ian Kent) [1069630 999708]\n- [fs] vfs: massage umount_lookup_last() a bit to reduce nesting (Ian Kent) [1069630 999708]\n- [fs] vfs: allow umount to handle mountpoints without revalidating them (Ian Kent) [1069630 999708]\n- [fs] ext4: fix WARN_ON from ext4_releasepage() (Carlos Maiolino) [1063508 1036814]\n- [fs] vfs: fix getname() && do_getname() interaction (Oleg Nesterov) [1075653 1024689]\n- [x86] apic: Make disabled_cpu_apicid static read_mostly, fix typos (Nigel Croxon) [1082622 980621]\n- [x86] kexec: Add disable_cpu_apicid kernel parameter (Nigel Croxon) [1082622 980621]\n- [kvm] x86: use kvm_read/write_guest_virt_system in task switch (Paolo Bonzini) [1070296 1018581]\n- [kvm] x86: small cleanups to kvm_task_switch (Paolo Bonzini) [1070296 1018581]\n- [kvm] x86: propagate error from kvm_load_segment_descriptor (Paolo Bonzini) [1070296 1018581]\n- [kvm] x86: improve save_guest_segment_descriptor (Paolo Bonzini) [1070296 1018581]\n- [kvm] x86: introduce kvm_write_guest_virt_system (Paolo Bonzini) [1070296 1018581]\n- [kvm] x86: Fix task switch privilege checks (Paolo Bonzini) [1070296 1018581]\n- [powerpc] Make function that parses RTAS error logs global (Steve Best) [1091424 1028682]\n- [powerpc] pseries: Add RTAS event log v6 definition (Steve Best) [1091424 1028682]\n- [powerpc] pseries: Parse and handle EPOW interrupts (Steve Best) [1091424 1028682]\n- [fs] nfsd: don't try to reuse an expired DRC entry off the list (Jeff Layton) [1088779 1036972]\n- [fs] nfsd: when reusing an existing repcache entry, unhash it first (Jeff Layton) [1088779 1036972]\n[2.6.32-431.19.1]\n- [kernel] sched: fix cpu_power initialization (Radim Krcmar) [1091826 1065304]\n- [fs] gfs2: Fix uninitialized VFS inode in gfs2_create_inode (Abhijith Das) [1092002 1059808]\n[2.6.32-431.18.1]\n- [block] fix race between request completion and timeout handling (Jeff Moyer) [1089915 919756]", "published": "2014-06-19T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0771.html", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-0196", "CVE-2014-2039", "CVE-2014-3153", "CVE-2014-0203"], "lastseen": "2016-09-04T11:15:59"}, {"id": "ELSA-2014-0981", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "description": "[2.6.32-431.23.3]\n- [netdrv] pppol2tp: fail when socket option level is not SOL_PPPOL2TP [1119461 1119462] {CVE-2014-4943}\n[2.6.32-431.23.2]\n- [kernel] utrace: force IRET path after utrace_finish_vfork() (Oleg Nesterov) [1115932 1115933] {CVE-2014-4699}\n[2.6.32-431.23.1]\n- [net] ip_tunnel: fix ip_tunnel_find to return NULL in case the tunnel is not there (Jiri Pirko) [1107931 1104503]\n- [netdrv] bnx2x: Fix kernel crash and data miscompare after EEH recovery (Michal Schmidt) [1109269 1029600]\n- [netdrv] bnx2x: Adapter not recovery from EEH error injection (Michal Schmidt) [1109269 1029600]\n- [scsi] qla2xxx: Don't check for firmware hung during the reset context for ISP82XX (Chad Dupuis) [1110658 1054299]\n- [scsi] qla2xxx: Clear loop_id for ports that are marked lost during fabric scanning (Chad Dupuis) [1110658 1054299]\n- [scsi] qla2xxx: Issue abort command for outstanding commands during cleanup when only firmware is alive (Chad Dupuis) [1110658 1054299]\n- [scsi] qla2xxx: Reduce the time we wait for a command to complete during SCSI error handling (Chad Dupuis) [1110658 1054299]\n- [scsi] qla2xxx: Avoid escalating the SCSI error handler if the command is not found in firmware (Chad Dupuis) [1110658 1054299]\n- [scsi] qla2xxx: Set host can_queue value based on available resources (Chad Dupuis) [1110658 1054299]\n- [net] filter: prevent nla extensions to peek beyond the end of the message (Jiri Benc) [1096778 1096779] {CVE-2014-3144 CVE-2014-3145}\n- [net] bridge: add empty br_mdb_init() and br_mdb_uninit() definitions (Vlad Yasevich) [1106472 1097915]\n- [net] bridge: Correctly unregister MDB rtnetlink handlers (Vlad Yasevich) [1106472 1097915]\n- [net] rds: prevent dereference of a NULL device in rds_iw_laddr_check (Radomir Vrbovsky) [1083276 1083277] {CVE-2014-2678}\n- [s390] crypto: fix aes, des ctr mode concurrency finding (Hendrik Brueckner) [1110168 1096328]\n- [s390] crypto: fix des and des3_ede ctr concurrency issue (Hendrik Brueckner) [1109885 1065404]\n- [s390] crypto: fix des and des3_ede cbc concurrency issue (Hendrik Brueckner) [1109883 1065398]\n- [kernel] futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi() (Mateusz Guzik) [1097759 1097760] {CVE-2012-6647}\n- [libata] ahci: accommodate tag ordered controller (David Milburn) [1099725 1083748]\n- [net] mac80211: crash dues to AP powersave TX vs. wakeup race (Jacob Tanenbaum) [1083531 1083532] {CVE-2014-2706}\n- [netdrv] ath9k: tid->sched race in ath_tx_aggr_sleep() (Jacob Tanenbaum) [1083249 1083250] {CVE-2014-2672}\n- [kernel] hrtimer: Prevent all reprogramming if hang detected (Prarit Bhargava) [1096059 1075805]\n- [net] ipv4: current group_info should be put after using (Jiri Benc) [1087412 1087414] {CVE-2014-2851}\n- [kernel] tracing: Reset ring buffer when changing trace_clocks (Marcelo Tosatti) [1093984 1018138]\n- [net] rds: dereference of a NULL device (Jacob Tanenbaum) [1079218 1079219] {CVE-2013-7339}\n- [s390] crypto: fix concurrency issue in aes-ctr mode (Hendrik Brueckner) [1110169 1063478]\n- [net] ipv4: processing ancillary IP_TOS or IP_TTL (Francesco Fusco) [1094403 990694]\n- [net] ipv4: IP_TOS and IP_TTL can be specified as ancillary data (Francesco Fusco) [1094403 990694]\n- [s390] crypto: Fix aes-xts parameter corruption (Hendrik Brueckner) [1110170 1043540]\n- [fs] ext3: pass custom EOF to generic_file_llseek_size() (Eric Sandeen) [1103068 1007459]\n- [fs] ext4: use core vfs llseek code for dir seeks (Eric Sandeen) [1103068 1007459]\n- [fs] vfs: allow custom EOF in generic_file_llseek code (Eric Sandeen) [1103068 1007459]\n- [fs] ext3: return 32/64-bit dir name hash according to usage type (Eric Sandeen) [1103068 1007459]\n- [fs] ext4: replace cut'n'pasted llseek code with generic_file_llseek_size (Eric Sandeen) [1103068 1007459]\n- [fs] vfs: add generic_file_llseek_size (Eric Sandeen) [1103068 1007459]\n- [net] bridge: disable snooping if there is no querier (Vlad Yasevich) [1090749 1090670]\n- [net] Revert 'bridge: only expire the mdb entry when query is received' (Vlad Yasevich) [1090749 1090670]\n- [net] Revert 'bridge: fix some kernel warning in multicast timer' (Vlad Yasevich) [1090749 1090670]\n- [net] Revert 'bridge: do not call setup_timer() multiple times' (Vlad Yasevich) [1090749 1090670]\n- [net] Revert 'bridge: update mdb expiration timer upon reports' (Vlad Yasevich) [1090749 1090670]\n- [kernel] futex: Make lookup_pi_state more robust (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: Always cleanup owner tid in unlock_pi (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: Validate atomic acquisition in futex_lock_pi_atomic() (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [kernel] futex: prevent requeue pi on same futex (Jerome Marchand) [1104516 1104517] {CVE-2014-3153}\n- [fs] autofs4: fix device ioctl mount lookup (Ian Kent) [1069630 999708]\n- [fs] vfs: introduce kern_path_mountpoint() (Ian Kent) [1069630 999708]\n- [fs] vfs: rename user_path_umountat() to user_path_mountpoint_at() (Ian Kent) [1069630 999708]\n- [fs] vfs: massage umount_lookup_last() a bit to reduce nesting (Ian Kent) [1069630 999708]\n- [fs] vfs: allow umount to handle mountpoints without revalidating them (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: allow umount to handle mountpoints without revalidating them (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: massage umount_lookup_last() a bit to reduce nesting (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: rename user_path_umountat() to user_path_mountpoint_at() (Ian Kent) [1069630 999708]\n- Revert: [fs] vfs: introduce kern_path_mountpoint() (Ian Kent) [1069630 999708]\n- Revert: [fs] autofs4: fix device ioctl mount lookup (Ian Kent) [1069630 999708]\n- [block] floppy: don't write kernel-only members to FDRAWCMD ioctl output (Denys Vlasenko) [1094308 1094310] {CVE-2014-1738 CVE-2014-1737}\n- [block] floppy: ignore kernel-only members in FDRAWCMD ioctl input (Denys Vlasenko) [1094308 1094310] {CVE-2014-1738 CVE-2014-1737}\n- [fs] vfs: fix autofs/afs/etc magic mountpoint breakage (Frantisek Hrbata) [1094370 1079347] {CVE-2014-0203}\n[2.6.32-431.22.1]\n- [fs] cifs: Check if prefixpath starts with '\\' in cifs_parse_mount_options (Sachin Prabhu) [1107503 1104268]\n- [virt] kvm: enable PCI multiple-segments for pass-through device (Michael S. Tsirkin) [1103972 1103471]\n- [fs] GFS2: Lock i_mutex and use a local gfs2_holder for fallocate (Robert S Peterson) [1102313 1061910]\n[2.6.32-431.21.1]\n- [kvm] mmu: fix incorrect check of guest cr4 bits (Bandan Das) [1103821 1007164]\n- [drm] nouveau: fix nasty bug which can clobber SOR0's clock setup (Ben Skeggs) [1100574 1095796]\n- [net] tcp: tsq: restore minimal amount of queueing (Jiri Pirko) [1103825 1044053]", "published": "2014-07-29T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0981.html", "cvelist": ["CVE-2014-2672", "CVE-2012-6647", "CVE-2014-1737", "CVE-2014-4699", "CVE-2014-1738", "CVE-2014-4943", "CVE-2014-3145", "CVE-2013-7339", "CVE-2014-2851", "CVE-2014-2678", "CVE-2014-3144", "CVE-2014-3153", "CVE-2014-2706", "CVE-2014-0203"], "lastseen": "2016-09-04T11:15:57"}], "debian": [{"id": "DSA-2928", "type": "debian", "title": "linux-2.6 -- privilege escalation/denial of service/information leak", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2014-0196](<https://security-tracker.debian.org/tracker/CVE-2014-0196>)\n\nJiri Slaby discovered a race condition in the pty layer, which could lead to a denial of service or privilege escalation.\n\n * [CVE-2014-1737](<https://security-tracker.debian.org/tracker/CVE-2014-1737>) [CVE-2014-1738](<https://security-tracker.debian.org/tracker/CVE-2014-1738>)\n\nMatthew Daley discovered an information leak and missing input sanitising in the FDRAWCMD ioctl of the floppy driver. This could result in a privilege escalation.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 2.6.32-48squeeze6.\n\nThe following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:\n\n| Debian 6.0 (squeeze) \n---|--- \nuser-mode-linux | 2.6.32-1um-4+48squeeze6 \n \nWe recommend that you upgrade your linux-2.6 and user-mode-linux packages. \n\n**Note**: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or \"leap-frog\" fashion.", "published": "2014-05-14T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2928", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2016-09-02T18:20:50"}, {"id": "DSA-2926", "type": "debian", "title": "linux -- security update", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leaks or privilege escalation:\n\n * [CVE-2014-0196](<https://security-tracker.debian.org/tracker/CVE-2014-0196>)\n\nJiri Slaby discovered a race condition in the pty layer, which could lead to denial of service or privilege escalation.\n\n * [CVE-2014-1737](<https://security-tracker.debian.org/tracker/CVE-2014-1737>) / [CVE-2014-1738](<https://security-tracker.debian.org/tracker/CVE-2014-1738>)\n\nMatthew Daley discovered that missing input sanitising in the FDRAWCMD ioctl and an information leak could result in privilege escalation.\n\n * [CVE-2014-2851](<https://security-tracker.debian.org/tracker/CVE-2014-2851>)\n\nIncorrect reference counting in the ping_init_sock() function allows denial of service or privilege escalation.\n\n * [CVE-2014-3122](<https://security-tracker.debian.org/tracker/CVE-2014-3122>)\n\nIncorrect locking of memory can result in local denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 3.2.57-3+deb7u1. This update also fixes a regression in the isci driver and suspend problems with certain AMD CPUs (introduced in the updated kernel from the Wheezy 7.5 point release).\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your linux packages.", "published": "2014-05-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2926", "cvelist": ["CVE-2014-3122", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196", "CVE-2014-2851"], "lastseen": "2018-01-08T16:53:02"}], "suse": [{"id": "SUSE-SU-2014:0667-1", "type": "suse", "title": "Security update for Linux Kernel (important)", "description": "The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix the\n following severe security issues:\n\n *\n\n CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c\n in the Linux kernel through 3.14.3 does not properly handle error\n conditions during processing of an FDRAWCMD ioctl call, which allows local\n users to trigger kfree operations and gain privileges by leveraging write\n access to a /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1738: The raw_cmd_copyout function in\n drivers/block/floppy.c in the Linux kernel through 3.14.3 does not\n properly restrict access to certain pointers during processing of an\n FDRAWCMD ioctl call, which allows local users to obtain sensitive\n information from kernel heap memory by leveraging write access to a\n /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in\n the Linux kernel through 3.14.3 does not properly manage tty driver access\n in the "LECHO & !OPOST" case, which allows local users to cause a denial\n of service (memory corruption and system crash) or gain privileges by\n triggering a race condition involving read and write operations with long\n strings. (bnc#875690)\n\n Security Issues references:\n\n * CVE-2014-0196\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196</a>>\n * CVE-2014-1737\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737</a>>\n * CVE-2014-1738\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738</a>>\n", "published": "2014-05-16T03:04:20", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00007.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2016-09-04T12:05:28"}, {"id": "SUSE-SU-2014:0683-1", "type": "suse", "title": "Security update for Linux kernel (important)", "description": "The SUSE Linux Enterprise 11 Service Pack 3 RealTime Extension kernel has\n been updated to fix two critical security issues.\n\n The following security bugs have been fixed:\n\n *\n\n CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c\n in the Linux kernel through 3.14.3 does not properly handle error\n conditions during processing of an FDRAWCMD ioctl call, which allows local\n users to trigger kfree operations and gain privileges by leveraging write\n access to a /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1738: The raw_cmd_copyout function in\n drivers/block/floppy.c in the Linux kernel through 3.14.3 does not\n properly restrict access to certain pointers during processing of an\n FDRAWCMD ioctl call, which allows local users to obtain sensitive\n information from kernel heap memory by leveraging write access to a\n /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in\n the Linux kernel through 3.14.3 does not properly manage tty driver access\n in the "LECHO & !OPOST" case, which allows local users to cause a denial\n of service (memory corruption and system crash) or gain privileges by\n triggering a race condition involving read and write operations with long\n strings. (bnc#875690)\n", "published": "2014-05-20T19:04:37", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00012.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-0196"], "lastseen": "2016-09-04T11:31:56"}, {"id": "OPENSUSE-SU-2014:0678-1", "type": "suse", "title": "kernel: security and bugfix update (important)", "description": "This Linux kernel security update fixes various security issues and bugs.\n\n The Linux Kernel was updated to fix various security issues and bugs.\n\n Main security issues fixed:\n\n A security issue in the tty layer that was fixed that could be used by\n local attackers for code execution (CVE-2014-0196).\n\n Two security issues in the floppy driver were fixed that could be used by\n local attackers on machines with the floppy to crash the kernel or\n potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738).\n\n Other security issues and bugfixes:\n - netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper\n (bnc#860835 CVE-2014-1690).\n\n - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH\n (bnc#866102, CVE-2014-0101).\n\n - [media] ivtv: Fix Oops when no firmware is loaded (bnc#875440).\n\n - ALSA: hda - Add dock pin setups for Thinkpad T440 (bnc#876699).\n\n - ip6tnl: fix double free of fb_tnl_dev on exit (bnc#876531).\n\n - Update arm config files: Enable all USB-to-serial drivers Specifically,\n enable USB_SERIAL_WISHBONE and USB_SERIAL_QT2 on all arm flavors.\n\n - mei: limit the number of consecutive resets (bnc#821619,bnc#852656).\n - mei: revamp mei reset state machine (bnc#821619,bnc#852656).\n - mei: use hbm idle state to prevent spurious resets (bnc#821619).\n - mei: do not run reset flow from the interrupt thread\n (bnc#821619,bnc#852656).\n - mei: don't get stuck in select during reset (bnc#821619).\n - mei: wake also writers on reset (bnc#821619).\n - mei: remove flash_work_queue (bnc#821619,bnc#852656).\n\n - mei: me: do not load the driver if the FW doesn't support MEI interface\n (bnc#821619).\n\n - Update ec2 config files: Disable CONFIG_CAN CAN support is disabled\n everywhere else, so disable it in ec2 too.\n\n - Refresh Xen patches (bnc#851244).\n\n - Update arm/exynos config file: disable AHCI_IMX This driver is only used\n on Freescale i.MX systems so it isn't needed on Exynos.\n\n - drm: Prefer noninterlace cmdline mode unless explicitly specified\n (bnc#853350).\n\n - kabi/severities: add exception for irda. The changes resulted in a 4x\n performance increase. Any external users of this API will also want to\n rebuild their modules.\n\n - i7core_edac: Fix PCI device reference count.\n\n - KABI: revert tcp: TSO packets automatic sizing.\n - KABI: revert tcp: TSQ can use a dynamic limit.\n\n - kabi: add exceptions for kvm and l2tp\n\n - patches.fixes/sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch:\n Move include of utsname.h to where it's needed to avoid kABI breakage\n due to utsname becoming defined.\n\n - Update kabi files. The kABI references were never establishd at release.\n\n - Refresh patches.rpmify/chipidea-clean-up-dependencies Replace OF_DEVICE\n by OF (OF_DEVICE does not exist anymore.)\n\n - inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu\n functions (bnc#857643 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265).\n - inet: prevent leakage of uninitialized memory to user in recv syscalls\n (bnc#857643 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7281).\n\n - Update config files: re-enable twofish crypto support Software twofish\n crypto support was disabled in several architectures since openSUSE\n 10.3. For i386 and x86_64 it was on purpose, because\n hardware-accelerated alternatives exist. However for all other\n architectures it was by accident. Re-enable software twofish crypto\n support in arm, ia64 and ppc configuration files, to guarantee that at\n least one implementation is always available (bnc#871325).\n\n - kvm: optimize away THP checks in kvm_is_mmio_pfn() (bnc#871160).\n - Update patches.fixes/mm-close-PageTail-race.patch (bnc#871160).\n - Update patches.fixes/mm-hugetlbfs-fix-hugetlbfs-optimization.patch\n (bnc#871160).\n\n - mm: close PageTail race (bnc#81660).\n - mm: hugetlbfs: fix hugetlbfs optimization (bnc#81660).\n\n - Update config files: disable CONFIG_TOUCHSCREEN_W90X900 The w90p910_ts\n driver only makes sense on the W90x900 architecture, which we do not\n support.\n\n - ath9k: protect tid->sched check (bnc#871148,CVE-2014-2672).\n\n - Update ec2 config files: disable CONFIG_INPUT_FF_MEMLESS This helper\n module is useless on EC2.\n\n - SELinux: Fix kernel BUG on empty security contexts\n (bnc#863335,CVE-2014-1874).\n\n - hamradio/yam: fix info leak in ioctl (bnc#858872,CVE-2014-1446).\n\n - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages\n (bnc#868653 CVE-2014-2523).\n\n - ath9k_htc: properly set MAC address and BSSID mask\n (bnc#851426,CVE-2013-4579).\n\n - drm/ttm: don't oops if no invalidate_caches() (bnc#869414).\n\n - Btrfs: do not bug_on if we try to cow a free space cache inode\n (bnc#863235).\n\n - Update vanilla config files: enable console rotation It's enabled in all\n other kernel flavors so it should be enabled in vanilla too.\n\n - Update config files. (CONFIG_EFIVAR_FS=m) Due to systemd can auto-load\n efivarfs.ko, so wet CONFIG_EFIVAR_FS to module on x86_64.\n\n - libata, freezer: avoid block device removal while system is frozen\n (bnc#849334).\n\n - Enable CONFIG_IRDA_FAST_RR=y (bnc#860502)\n\n - [media] bttv: don't setup the controls if there are no video devices\n (bnc#861750).\n\n - drm/i915/dp: add native aux defer retry limit (bnc#867718).\n - drm/i915/dp: increase native aux defer retry timeout (bnc#867718).\n\n - rpc_pipe: fix cleanup of dummy gssd directory when notification fails\n (bnc#862746).\n - sunrpc: add an "info" file for the dummy gssd pipe (bnc#862746).\n - rpc_pipe: remove the clntXX dir if creating the pipe fails (bnc#862746).\n\n - Delete rpm/_constraints after mismerge\n\n Sat Mar 8 00:41:07 CET 2014 - jbohac@xxxxxxx\n\n - Refresh\n patches.fixes/tcp-syncookies-reduce-cookie-lifetime-to-128-seconds.patch.\n\n - tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968).\n - tcp: syncookies: reduce mss table to four values (bnc#833968).\n\n - rpm/mkspec: Generate a per-architecture per-package _constraints file\n\n - rpm/mkspec: Remove dead code\n\n - Refresh patches.fixes/rtc-cmos-add-an-alarm-disable-quirk.patch.\n\n - rtc-cmos: Add an alarm disable quirk (bnc#812592).\n - Refresh patches.xen/xen-x86-EFI.\n\n - Refresh\n patches.apparmor/apparmor-compatibility-patch-for-v5-network-control.\n patches.drivers/pstore_disable_efi_backend_by_default.patch.\n patches.fixes/dm-table-switch-to-readonly.\n patches.fixes/kvm-ioapic.patch. patches.fixes/kvm-macos.patch.\n patches.fixes/remount-no-shrink-dcache.\n patches.fixes/scsi-dh-queuedata-accessors.\n patches.suse/0001-vfs-Hooks-for-more-fine-grained-directory-permission.patc\n h. patches.suse/ovl01-vfs-add-i_op-dentry_open.patch.\n patches.suse/sd_init.mark_majors_busy.patch.\n\n - rpm/mkspec: Fix whitespace in NoSource lines\n\n - rpm/kernel-binary.spec.in: Do not zero modules.dep before using it\n (bnc#866075)\n\n - rpm/kernel-obs-build.spec: Drop useless ExclusiveArch statement\n\n - Update config files. Set CONFIG_EFIVAR_FS to build-in for MOK support\n Update config files. Set CONFIG_EFIVAR_FS to build-in for MOK support\n\n - nfs: always make sure page is up-to-date before extending a write to\n cover the entire page (bnc#864867 bnc#865075).\n\n - x86, cpu, amd: Add workaround for family 16h, erratum 793 (bnc#852967\n CVE-2013-6885).\n - Refresh patches.xen/xen3-patch-3.10.\n\n - cifs: ensure that uncached writes handle unmapped areas correctly\n (bnc#864025 CVE-2014-0069).\n\n - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (bnc#858638\n CVE-2014-1438).\n\n - rpm/kernel-obs-build.spec: Do not mount /sys, the build script does it\n\n - Update config files: Disable TS5500-specific drivers These drivers are\n useless without TS5500 board support: mtd-ts5500, gpio-ts5500 and max197.\n\n - balloon: don't crash in HVM-with-PoD guests.\n - usbback: fix after c/s 1232:8806dfb939d4 (bnc#842553).\n - hwmon: (coretemp) Fix truncated name of alarm attributes.\n\n - rpm/kernel-obs-build.spec: Fix for ppc64le\n\n - Scripts: .nosrc.rpm should contain only the specfile (bnc #639379)\n\n - config: update arm7hl/exynos\n - Enhances exynos support:\n * Add USB support\n * Add sound support\n * Add devices (accelerometer, etc.) on arndale board\n\n - drm/cirrus: Fix cirrus drm driver for fbdev + qemu (bnc#856760).\n\n - Spec: zeroing modules.dep to get identical builds among different\n machines\n\n - doc/README.SUSE: Update to match the current package layout\n\n - Add the README.SUSE file to the packaging branch\n\n - lockd: send correct lock when granting a delayed lock (bnc#859342).\n\n - mm/page-writeback.c: do not count anon pages as dirtyable memory\n (reclaim stalls).\n - mm/page-writeback.c: fix dirty_balance_reserve subtraction from\n dirtyable memory (reclaim stalls).\n\n", "published": "2014-05-19T14:10:36", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00010.html", "cvelist": ["CVE-2014-2672", "CVE-2013-7265", "CVE-2014-1737", "CVE-2014-1874", "CVE-2014-1738", "CVE-2013-7264", "CVE-2014-1446", "CVE-2014-0196", "CVE-2013-4579", "CVE-2013-7263", "CVE-2014-1438", "CVE-2013-6885", "CVE-2013-7281", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-0069", "CVE-2014-1690"], "lastseen": "2016-09-04T11:59:17"}, {"id": "OPENSUSE-SU-2014:0677-1", "type": "suse", "title": "kernel: security and bugfix update (important)", "description": "The Linux Kernel was updated to fix various security issues and bugs.\n\n Main security issues fixed:\n\n A security issue in the tty layer that was fixed that could be used by\n local attackers for code execution (CVE-2014-0196).\n\n Two security issues in the floppy driver were fixed that could be used by\n local attackers on machines with the floppy to crash the kernel or\n potentially execute code in the kernel (CVE-2014-1737 CVE-2014-1738).\n\n Other security issues and bugs that were fixed:\n - netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper\n (bnc#860835 CVE-2014-1690).\n\n - net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH\n (bnc#866102, CVE-2014-0101).\n\n - n_tty: Fix a n_tty_write crash and code execution when echoing in raw\n mode (bnc#871252 bnc#875690 CVE-2014-0196).\n\n - netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones (bnc#873717).\n\n - Update config files: re-enable twofish crypto support Software twofish\n crypto support was disabled in several architectures since openSUSE\n 10.3. For i386 and x86_64 it was on purpose, because\n hardware-accelerated alternatives exist. However for all other\n architectures it was by accident. Re-enable software twofish crypto\n support in arm, ia64 and ppc configuration files, to guarantee that at\n least one implementation is always available (bnc#871325).\n\n - Update config files: disable CONFIG_TOUCHSCREEN_W90X900 The w90p910_ts\n driver only makes sense on the W90x900 architecture, which we do not\n support.\n\n - ath9k: protect tid->sched check (bnc#871148,CVE-2014-2672).\n\n - Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug\n (bnc#869898).\n\n - SELinux: Fix kernel BUG on empty security contexts\n (bnc#863335,CVE-2014-1874).\n\n - hamradio/yam: fix info leak in ioctl (bnc#858872, CVE-2014-1446).\n\n - wanxl: fix info leak in ioctl (bnc#858870, CVE-2014-1445).\n\n - farsync: fix info leak in ioctl (bnc#858869, CVE-2014-1444).\n\n - ARM: 7809/1: perf: fix event validation for software group leaders\n (CVE-2013-4254, bnc#837111).\n\n - netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages\n (bnc#868653, CVE-2014-2523).\n\n - ath9k_htc: properly set MAC address and BSSID mask (bnc#851426,\n CVE-2013-4579).\n\n - drm/ttm: don't oops if no invalidate_caches() (bnc#869414).\n\n - Apply missing patches.fixes/drm-nouveau-hwmon-rename-fan0-to-fan1.patch\n\n - xfs: growfs: use uncached buffers for new headers (bnc#858233).\n\n - xfs: use btree block initialisation functions in growfs (bnc#858233).\n\n - Revert "Delete\n patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end\n ." (bnc#858233) Put back again the patch\n patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end\n back as there is a better fix than reverting the affecting patch.\n\n - Delete\n patches.fixes/xfs-fix-xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end\n . It turned out that this patch causes regressions (bnc#858233) The\n upstream 3.7.x also reverted it in the end (commit c3793e0d94af2).\n\n - tcp: syncookies: reduce cookie lifetime to 128 seconds (bnc#833968).\n - tcp: syncookies: reduce mss table to four values (bnc#833968).\n\n - x86, cpu, amd: Add workaround for family 16h, erratum 793 (bnc#852967\n CVE-2013-6885).\n\n - cifs: ensure that uncached writes handle unmapped areas correctly\n (bnc#864025 CVE-2014-0069).\n\n - x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (bnc#858638\n CVE-2014-1438).\n\n - xencons: generalize use of add_preferred_console() (bnc#733022,\n bnc#852652).\n - balloon: don't crash in HVM-with-PoD guests.\n - hwmon: (coretemp) Fix truncated name of alarm attributes.\n\n - NFS: Avoid PUTROOTFH when managing leases (bnc#811746).\n\n - cifs: delay super block destruction until all cifsFileInfo objects are\n gone (bnc#862145).\n\n", "published": "2014-05-19T14:04:14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00009.html", "cvelist": ["CVE-2014-2672", "CVE-2014-1737", "CVE-2014-1874", "CVE-2013-4254", "CVE-2014-1738", "CVE-2014-1446", "CVE-2014-0196", "CVE-2013-4579", "CVE-2014-1444", "CVE-2014-1438", "CVE-2013-6885", "CVE-2014-1445", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-0069", "CVE-2014-1690"], "lastseen": "2016-09-04T11:26:04"}, {"id": "SUSE-SU-2014:0696-1", "type": "suse", "title": "Security update for Linux kernel (important)", "description": "The SUSE Linux Enterprise Server 11 SP2 LTSS kernel received a roll-up\n update to fix security and non-security issues.\n\n The following security bugs have been fixed:\n\n *\n\n CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation\n Offload (UFO) is enabled, does not properly initialize certain data\n structures, which allows local users to cause a denial of service (memory\n corruption and system crash) or possibly gain privileges via a crafted\n application that uses the UDP_CORK option in a setsockopt system call and\n sends both short and long packets, related to the ip_ufo_append_data\n function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in\n net/ipv6/ip6_output.c. (bnc#847672)\n\n *\n\n CVE-2013-4579: The ath9k_htc_set_bssid_mask function in\n drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through\n 3.12 uses a BSSID masking approach to determine the set of MAC addresses\n on which a Wi-Fi device is listening, which allows remote attackers to\n discover the original MAC address after spoofing by sending a series of\n packets to MAC addresses with certain bit manipulations. (bnc#851426)\n\n *\n\n CVE-2013-6382: Multiple buffer underflows in the XFS implementation\n in the Linux kernel through 3.12.1 allow local users to cause a denial of\n service (memory corruption) or possibly have unspecified\n other impact by leveraging the CAP_SYS_ADMIN capability for a (1)\n XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call\n with a crafted length value, related to the xfs_attrlist_by_handle\n function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle\n function in fs/xfs/xfs_ioctl32.c. (bnc#852553)\n\n *\n\n CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors\n does not properly handle the interaction between locked instructions and\n write-combined memory types, which allows local users to cause a denial of\n service (system hang) via a crafted application, aka the errata 793 issue.\n (bnc#852967)\n\n *\n\n CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length\n values before ensuring that associated data structures have been\n initialized, which allows local users to obtain sensitive information from\n kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,\n net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)\n\n *\n\n CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in\n the Linux kernel before 3.12.4 updates a certain length value before\n ensuring that an associated data structure has been initialized, which\n allows local users to obtain sensitive information from kernel stack\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.\n (bnc#857643)\n\n *\n\n CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in\n the Linux kernel before 3.12.4 updates a certain length value before\n ensuring that an associated data structure has been initialized, which\n allows local users to obtain sensitive information from kernel stack\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.\n (bnc#857643)\n\n *\n\n CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in\n the Linux kernel before 3.12.8 allows local users to cause a denial of\n service (NULL pointer dereference and system crash) or possibly have\n unspecified other impact via a bind system call for an RDS socket on a\n system that lacks RDS transports. (bnc#869563)\n\n *\n\n CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in\n the Linux kernel through 3.13.5 does not properly handle uncached write\n operations that copy fewer than the requested number of bytes, which\n allows local users to obtain sensitive information from kernel memory,\n cause a denial of service (memory corruption and system crash), or\n possibly gain privileges via a writev system call with a crafted pointer.\n (bnc#864025)\n\n *\n\n CVE-2014-0101: The sctp_sf_do_5_1D_ce function in\n net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not\n validate certain auth_enable and auth_capable fields before making an\n sctp_sf_authenticate call, which allows remote attackers to cause a denial\n of service (NULL pointer dereference and system crash) via an SCTP\n handshake with a modified INIT chunk and a crafted AUTH chunk before a\n COOKIE_ECHO chunk. (bnc#866102)\n\n *\n\n CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in\n the Linux kernel through 3.14.3 does not properly manage tty driver access\n in the "LECHO & !OPOST" case, which allows local users to cause a denial\n of service (memory corruption and system crash) or gain privileges by\n triggering a race condition involving read and write operations with long\n strings. (bnc#875690)\n\n *\n\n CVE-2014-1444: The fst_get_iface function in\n drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not\n properly initialize a certain data structure, which allows local users to\n obtain sensitive information from kernel memory by leveraging the\n CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)\n\n *\n\n CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c\n in the Linux kernel before 3.11.7 does not properly initialize a certain\n data structure, which allows local users to obtain sensitive information\n from kernel memory via an ioctl call. (bnc#858870)\n\n *\n\n CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c\n in the Linux kernel before 3.12.8 does not initialize a certain structure\n member, which allows local users to obtain sensitive information from\n kernel memory by leveraging the CAP_NET_ADMIN capability for an\n SIOCYAMGCFG ioctl call. (bnc#858872)\n\n *\n\n CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c\n in the Linux kernel through 3.14.3 does not properly handle error\n conditions during processing of an FDRAWCMD ioctl call, which allows local\n users to trigger kfree operations and gain privileges by leveraging write\n access to a /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1738: The raw_cmd_copyout function in\n drivers/block/floppy.c in the Linux kernel through 3.14.3 does not\n properly restrict access to certain pointers during processing of an\n FDRAWCMD ioctl call, which allows local users to obtain sensitive\n information from kernel heap memory by leveraging write access to a\n /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1874: The security_context_to_sid_core function in\n security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows\n local users to cause a denial of service (system crash) by leveraging the\n CAP_MAC_ADMIN capability to set a zero-length security context.\n (bnc#863335)\n\n *\n\n CVE-2014-2039: arch/s390/kernel/head64.S in the Linux kernel before\n 3.13.5 on the s390 platform does not properly handle attempted use of the\n linkage stack, which allows local users to cause a denial of service\n (system crash) by executing a crafted instruction. (bnc#865307)\n\n *\n\n CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux\n kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows\n remote attackers to cause a denial of service (system crash)\n or possibly execute arbitrary code via a DCCP packet that triggers a\n call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.\n (bnc#868653)\n\n *\n\n CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in\n the Linux kernel through 3.14 allows local users to cause a denial of\n service (NULL pointer dereference and system crash) or possibly have\n unspecified other impact via a bind system call for an RDS socket on a\n system that lacks RDS transports. (bnc#871561)\n\n *\n\n CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the\n Linux kernel before 3.14.3 does not properly consider which pages must be\n locked, which allows local users to cause a denial of service (system\n crash) by triggering a memory-usage pattern that requires removal of\n page-table mappings. (bnc#876102)\n\n Also the following non-security bugs have been fixed:\n\n * kabi: protect symbols modified by bnc#864833 fix (bnc#864833).\n * arch: Fix incorrect config symbol in #ifdef (bnc#844513).\n * ACPICA: Add a lock to the internal object reference count mechanism\n (bnc#857499).\n * x86/PCI: reduce severity of host bridge window conflict warnings\n (bnc#858534).\n * ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237)\n (bnc#874108).\n * timer: Prevent overflow in apply_slack (bnc#873061).\n * xen: Close a race condition in Xen nested spinlock (bnc#858280,\n bnc#819351).\n * storvsc: NULL pointer dereference fix (bnc#865330).\n * sched: Make scale_rt_power() deal with backward clocks (bnc#865310).\n * sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri\n check (bnc#871861).\n *\n\n sched: update_rq_clock() must skip ONE update (bnc#868528,\n bnc#869033).\n\n *\n\n md: Change handling of save_raid_disk and metadata update during\n recovery (bnc#849364).\n\n * dm-mpath: Fixup race condition in activate_path() (bnc#708296).\n * dm-mpath: do not detach stale hardware handler (bnc#708296).\n * dm-multipath: Improve logging (bnc#708296).\n * scsi_dh_alua: Simplify state machine (bnc#854025).\n * scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).\n *\n\n scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).\n\n *\n\n vfs,proc: guarantee unique inodes in /proc.\n\n * FS-Cache: Handle removal of unadded object to the\n fscache_object_list rb tree (bnc#855885).\n * NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure\n (bnc#853455).\n * NFS: Avoid occasional hang with NFS (bnc#852488).\n * NFS: do not try to use lock state when we hold a delegation\n (bnc#831029) - add to series.conf\n * btrfs: do not loop on large offsets in readdir (bnc#863300).\n * btrfs: restrict snapshotting to own subvolumes (bnc#736697).\n * btrfs: fix extent boundary check in bio_readpage_error.\n *\n\n btrfs: fix extent_map block_len after merging.\n\n *\n\n net: add missing bh_unlock_sock() calls (bnc#862429).\n\n * inet: Pass inetpeer root into inet_getpeer*() interfaces\n (bnc#864833).\n * inet: Hide route peer accesses behind helpers (bnc#864833).\n * inet: Avoid potential NULL peer dereference (bnc#864833).\n * inet: handle rt{,6}_bind_peer() failure correctly (bnc#870801).\n * inetpeer: prevent unlinking from unused list twice (bnc#867953).\n * net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).\n * tcp: clear xmit timers in tcp_v4_syn_recv_sock() (bnc#862429).\n * ipv6: fix race condition regarding dst->expires and dst->from\n (bnc#843185).\n *\n\n ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support,\n warn about missing CREATE flag (bnc#865783).\n\n *\n\n mpt2sas: Do not check DIF for unwritten blocks (bnc#746500,\n bnc#836347).\n\n * mpt2sas: Add a module parameter that permits overriding protection\n capabilities (bnc#746500).\n *\n\n mpt2sas: Return the correct sense key for DIF errors (bnc#746500).\n\n *\n\n s390/cio: Delay scan for newly available I/O devices (bnc#855347,\n bnc#814788, bnc#856083).\n\n * s390/cio: More efficient handling of CHPID availability events\n (bnc#855347, bnc#814788, bnc#856083).\n * s390/cio: Relax subchannel scan loop (bnc#855347, bnc#814788,\n bnc#856083).\n *\n\n s390/css: stop stsch loop after cc 3 (bnc#855347, bnc#814788,\n bnc#856083).\n\n *\n\n supported.conf: Driver corgi_bl was renamed to generic_bl in kernel\n 2.6.29.\n\n * supported.conf: Add drivers/of/of_mdio That was a missing dependency\n for mdio-gpio on ppc64.\n * supported.conf: Fix mdio-gpio module name Module mdio-ofgpio was\n renamed to mdio-gpio in kernel 2.6.29, this should have been\n reflected in supported.conf.\n * supported.conf: Adjust radio-si470x module names\n * Update config files: re-enable twofish crypto support. (bnc#871325)\n", "published": "2014-05-22T02:04:17", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00013.html", "cvelist": ["CVE-2014-3122", "CVE-2013-7265", "CVE-2014-1737", "CVE-2014-1874", "CVE-2014-1738", "CVE-2013-7264", "CVE-2014-1446", "CVE-2013-7339", "CVE-2014-0196", "CVE-2014-2678", "CVE-2013-6382", "CVE-2014-2039", "CVE-2013-4579", "CVE-2013-7263", "CVE-2014-1444", "CVE-2013-6885", "CVE-2014-1445", "CVE-2013-4470", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-0069"], "lastseen": "2016-09-04T11:57:50"}, {"id": "SUSE-SU-2014:0807-1", "type": "suse", "title": "Security update for Linux Kernel (important)", "description": "The SUSE Linux Enterprise Server 11 SP1 LTSS kernel received a roll-up\n update to fix security and non-security issues.\n\n The following security issues have been fixed:\n\n *\n\n CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used for\n privilege escalation for non root users. (bnc#880892)\n\n *\n\n CVE-2012-6647: The futex_wait_requeue_pi function in kernel/futex.c\n in the Linux kernel before 3.5.1 does not ensure that calls have two\n different futex addresses, which allows local users to cause a denial\n of service (NULL pointer dereference and system crash) or possibly\n have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command.\n (bnc#878289)\n\n *\n\n CVE-2013-6382: Multiple buffer underflows in the XFS implementation\n in the Linux kernel through 3.12.1 allow local users to cause a denial of\n service (memory corruption) or possibly have unspecified\n other impact by leveraging the CAP_SYS_ADMIN capability for a (1)\n XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call\n with a crafted length value, related to the xfs_attrlist_by_handle\n function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle\n function in fs/xfs/xfs_ioctl32.c. (bnc#852553)\n\n *\n\n CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors\n does not properly handle the interaction between locked instructions and\n write-combined memory types, which allows local users to cause a denial of\n service (system hang) via a crafted application, aka the errata 793 issue.\n (bnc#852967)\n\n *\n\n CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length\n values before ensuring that associated data structures have been\n initialized, which allows local users to obtain sensitive information from\n kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,\n net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)\n\n *\n\n CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in\n the Linux kernel before 3.12.4 updates a certain length value before\n ensuring that an associated data structure has been initialized, which\n allows local users to obtain sensitive information from kernel stack\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.\n (bnc#857643)\n\n *\n\n CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in\n the Linux kernel before 3.12.4 updates a certain length value before\n ensuring that an associated data structure has been initialized, which\n allows local users to obtain sensitive information from kernel stack\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.\n (bnc#857643)\n\n *\n\n CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in\n the Linux kernel before 3.12.8 allows local users to cause a denial of\n service (NULL pointer dereference and system crash) or possibly have\n unspecified other impact via a bind system call for an RDS socket on a\n system that lacks RDS transports. (bnc#869563)\n\n *\n\n CVE-2014-0101: The sctp_sf_do_5_1D_ce function in\n net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not\n validate certain auth_enable and auth_capable fields before making an\n sctp_sf_authenticate call, which allows remote attackers to cause a denial\n of service (NULL pointer dereference and system crash) via an SCTP\n handshake with a modified INIT chunk and a crafted AUTH chunk before a\n COOKIE_ECHO chunk. (bnc#866102)\n\n *\n\n CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in\n the Linux kernel through 3.14.3 does not properly manage tty driver access\n in the "LECHO & !OPOST" case, which allows local users to cause a denial\n of service (memory corruption and system crash) or gain privileges by\n triggering a race condition involving read and write operations with long\n strings. (bnc#875690)\n\n *\n\n CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c\n in the Linux kernel through 3.14.3 does not properly handle error\n conditions during processing of an FDRAWCMD ioctl call, which allows local\n users to trigger kfree operations and gain privileges by leveraging write\n access to a /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1738: The raw_cmd_copyout function in\n drivers/block/floppy.c in the Linux kernel through 3.14.3 does not\n properly restrict access to certain pointers during processing of an\n FDRAWCMD ioctl call, which allows local users to obtain sensitive\n information from kernel heap memory by leveraging write access to a\n /dev/fd device. (bnc#875798)\n\n *\n\n CVE-2014-1874: The security_context_to_sid_core function in\n security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows\n local users to cause a denial of service (system crash) by leveraging the\n CAP_MAC_ADMIN capability to set a zero-length security context.\n (bnc#863335)\n\n *\n\n CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux\n kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows\n remote attackers to cause a denial of service (system crash)\n or possibly execute arbitrary code via a DCCP packet that triggers a\n call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.\n (bnc#868653)\n\n *\n\n CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in\n the Linux kernel through 3.14 allows local users to cause a denial of\n service (NULL pointer dereference and system crash) or possibly have\n unspecified other impact via a bind system call for an RDS socket on a\n system that lacks RDS transports. (bnc#871561)\n\n *\n\n CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the\n Linux kernel before 3.14.3 does not properly consider which pages must be\n locked, which allows local users to cause a denial of service (system\n crash) by triggering a memory-usage pattern that requires removal of\n page-table mappings. (bnc#876102)\n\n *\n\n CVE-2013-7027: The ieee80211_radiotap_iterator_init function in\n net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check\n whether a frame contains any data outside of the header, which might allow\n attackers to cause a denial of service (buffer over-read) via a crafted\n header. (bnc#854634)\n\n The following non-security issues have been fixed:\n\n * sched: protect scale_rt_power() from clock aberations (bnc#630970,\n bnc#661605, bnc#865310).\n * sched: fix divide by zero at {thread_group,task}_times (bnc#761774,\n bnc#873070).\n * clocksource: avoid unnecessary overflow in cyclecounter_cyc2ns()\n (bnc#865310).\n * ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237)\n (bnc#874108).\n * block: Wait for queue cleanup until the queue is empty before queue\n cleanup (bnc#792407).\n * fs: do_add_mount()/umount -l races (bnc#663516).\n * vfs,proc: guarantee unique inodes in /proc (bnc#868049).\n * nfs: Allow nfsdv4 to work when fips=1 (bnc#868488).\n * inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state\n (bnc#854743).\n * bonding: send unsolicited NA for all addresses (bnc#856756).\n * bonding: send unsolicited neighbour advertisements to all-nodes\n (bnc#856756).\n\n Security Issues references:\n\n * CVE-2012-6647\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6647\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6647</a>>\n * CVE-2013-6382\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382</a>>\n * CVE-2013-6885\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885</a>>\n * CVE-2013-7027\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7027\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7027</a>>\n * CVE-2013-7263\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263</a>>\n * CVE-2013-7264\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7264\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7264</a>>\n * CVE-2013-7265\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265</a>>\n * CVE-2013-7339\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7339\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7339</a>>\n * CVE-2014-0101\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101</a>>\n * CVE-2014-0196\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196</a>>\n * CVE-2014-1737\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737</a>>\n * CVE-2014-1738\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738</a>>\n * CVE-2014-1874\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874</a>>\n * CVE-2014-2523\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523</a>>\n * CVE-2014-2678\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678</a>>\n * CVE-2014-3122\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122</a>>\n * CVE-2014-3153\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153</a>>\n", "published": "2014-06-18T01:04:38", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00022.html", "cvelist": ["CVE-2014-3122", "CVE-2013-7027", "CVE-2012-6647", "CVE-2013-7265", "CVE-2014-1737", "CVE-2014-1874", "CVE-2014-1738", "CVE-2013-7264", "CVE-2013-7339", "CVE-2014-0196", "CVE-2014-2678", "CVE-2013-6382", "CVE-2014-3153", "CVE-2013-7263", "CVE-2013-6885", "CVE-2014-2523", "CVE-2014-0101"], "lastseen": "2016-09-04T12:38:49"}], "centos": [{"id": "CESA-2014:0740", "type": "centos", "title": "kernel security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0740\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* A NULL pointer dereference flaw was found in the rds_ib_laddr_check()\nfunction in the Linux kernel's implementation of Reliable Datagram Sockets\n(RDS). A local, unprivileged user could use this flaw to crash the system.\n(CVE-2013-7339, Moderate)\n\nRed Hat would like to thank Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738.\n\nThis update also fixes the following bugs:\n\n* A bug in the futex system call could result in an overflow when passing\na very large positive timeout. As a consequence, the FUTEX_WAIT operation\ndid not work as intended and the system call was timing out immediately.\nA backported patch fixes this bug by limiting very large positive timeouts\nto the maximal supported value. (BZ#1091832)\n\n* A new Linux Security Module (LSM) functionality related to the setrlimit\nhooks should produce a warning message when used by a third party module\nthat could not cope with it. However, due to a programming error, the\nkernel could print this warning message when a process was setting rlimits\nfor a different process, or if rlimits were modified by another than the\nmain thread even though there was no incompatible third party module. This\nupdate fixes the relevant code and ensures that the kernel handles this\nwarning message correctly. (BZ#1092869)\n\n* Previously, the kernel was unable to detect KVM on system boot if the\nHyper-V emulation was enabled. A patch has been applied to ensure that\nboth KVM and Hyper-V hypervisors are now correctly detected during system\nboot. (BZ#1094152)\n\n* A function in the RPC code responsible for verifying whether cached\ncredentials match the current process did not perform the check correctly.\nThe code checked only whether the groups in the current process\ncredentials appear in the same order as in the cached credentials but did\nnot ensure that no other groups are present in the cached credentials. As\na consequence, when accessing files in NFS mounts, a process with the same\nUID and GID as the original process but with a non-matching group list\ncould have been granted an unauthorized access to a file, or under certain\ncircumstances, the process could have been wrongly prevented from\naccessing the file. The incorrect test condition has been fixed and the\nproblem can no longer occur. (BZ#1095062)\n\n* When being under heavy load, some Fibre Channel storage devices, such as\nHitachi and HP Open-V series, can send a logout (LOGO) message to the\nhost system. However, due to a bug in the lpfc driver, this could result\nin a loss of active paths to the storage and the paths could not be\nrecovered without manual intervention. This update corrects the lpfc\ndriver to ensure automatic recovery of the lost paths to the storage in\nthis scenario. (BZ#1096061)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-June/020363.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0740.html", "published": "2014-06-11T11:01:17", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-June/020363.html", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339"], "lastseen": "2017-10-03T18:24:56"}, {"id": "CESA-2014:0771", "type": "centos", "title": "kernel, perf, python security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0771\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\n* It was discovered that the proc_ns_follow_link() function did not\nproperly return the LAST_BIND value in the last pathname component as is\nexpected for procfs symbolic links, which could lead to excessive freeing\nof memory and consequent slab corruption. A local, unprivileged user could\nuse this flaw to crash the system. (CVE-2014-0203, Moderate)\n\n* A flaw was found in the way the Linux kernel handled exceptions when\nuser-space applications attempted to use the linkage stack. On IBM S/390\nsystems, a local, unprivileged user could use this flaw to crash the\nsystem. (CVE-2014-2039, Moderate)\n\n* An invalid pointer dereference flaw was found in the Marvell 8xxx\nLibertas WLAN (libertas) driver in the Linux kernel. A local user able to\nwrite to a file that is provided by the libertas driver and located on the\ndebug file system (debugfs) could use this flaw to crash the system. Note:\nThe debugfs file system must be mounted locally to exploit this issue.\nIt is not mounted by default. (CVE-2013-6378, Low)\n\n* A denial of service flaw was discovered in the way the Linux kernel's\nSELinux implementation handled files with an empty SELinux security\ncontext. A local user who has the CAP_MAC_ADMIN capability could use this\nflaw to crash the system. (CVE-2014-1874, Low)\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738,\nand Vladimir Davydov of Parallels for reporting CVE-2014-0203. Google\nacknowledges Pinkie Pie as the original reporter of CVE-2014-3153.\n\nThis update also fixes several bugs. Documentation for these changes will\nbe available shortly from the Technical Notes document linked to in the\nReferences section.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-June/020379.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0771.html", "published": "2014-06-20T10:10:41", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-June/020379.html", "cvelist": ["CVE-2014-1737", "CVE-2013-6378", "CVE-2014-1874", "CVE-2014-1738", "CVE-2014-2039", "CVE-2014-3153", "CVE-2014-0203"], "lastseen": "2017-10-03T18:26:24"}], "ubuntu": [{"id": "USN-2219-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel for systems that lack RDS transports. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-7339)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)", "published": "2014-05-26T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2219-1/", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339", "CVE-2014-2678"], "lastseen": "2018-03-29T18:21:29"}, {"id": "USN-2220-1", "type": "ubuntu", "title": "Linux kernel (EC2) vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel for systems that lack RDS transports. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2013-7339)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)", "published": "2014-05-26T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2220-1/", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2013-7339", "CVE-2014-2678"], "lastseen": "2018-03-29T18:21:13"}, {"id": "USN-2226-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nT\u00f6r\u00f6k Edwin discovered a flaw with Xen netback driver when used with Linux configurations that do not allow sleeping in softirq context. A guest administrator could exploit this flaw to cause a denial of service (system crash) on the host. (CVE-2014-2580)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nHannes Frederic Sowa reported a hash collision ordering problem in the xfs filesystem in the Linux kernel. A local user could exploit this flaw to cause filesystem corruption and a denial of service (oops or panic). (CVE-2014-7283)", "published": "2014-05-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2226-1/", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-7283", "CVE-2014-2851", "CVE-2014-2580", "CVE-2014-0077"], "lastseen": "2018-03-29T18:17:13"}, {"id": "USN-2223-1", "type": "ubuntu", "title": "Linux kernel (Quantal HWE) vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the Linux kernel\u2019s IPC reference counting. An unprivileged local user could exploit this flaw to cause a denial of service (OOM system crash). (CVE-2013-4483)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nSasha Levin reported a bug in the Linux kernel\u2019s virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122)", "published": "2014-05-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2223-1/", "cvelist": ["CVE-2014-3122", "CVE-2014-2672", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2851", "CVE-2014-2309", "CVE-2014-2678", "CVE-2013-4483", "CVE-2014-0055", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-2706"], "lastseen": "2018-03-29T18:17:30"}, {"id": "USN-2228-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nNikolay Aleksandrov discovered a race condition in Linux kernel\u2019s IPv4 fragment handling code. Remote attackers could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact. (CVE-2014-0100)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAdhemerval Zanella Neto discovered a flaw the in the Transactional Memory \u2122 implementation for powerpc based machine. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2673)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)", "published": "2014-05-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2228-1/", "cvelist": ["CVE-2014-2672", "CVE-2014-0100", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2851", "CVE-2014-2673", "CVE-2014-2309", "CVE-2014-2678", "CVE-2014-0055", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-2706"], "lastseen": "2018-03-29T18:17:47"}, {"id": "USN-2260-1", "type": "ubuntu", "title": "Linux kernel (Trusty HWE) vulnerabilities", "description": "A flaw was discovered in the Linux kernel\u2019s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges. (CVE-2014-0196)\n\nPinkie Pie discovered a flaw in the Linux kernel\u2019s futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nMatthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nAn information leak was discovered in the netfilter subsystem of the Linux kernel. An attacker could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-2568)\n\nT\u00f6r\u00f6k Edwin discovered a flaw with Xen netback driver when used with Linux configurations that do not allow sleeping in softirq context. A guest administrator could exploit this flaw to cause a denial of service (system crash) on the host. (CVE-2014-2580)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nSasha Levin reported a bug in the Linux kernel\u2019s virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122)\n\nHannes Frederic Sowa reported a hash collision ordering problem in the xfs filesystem in the Linux kernel. A local user could exploit this flaw to cause filesystem corruption and a denial of service (oops or panic). (CVE-2014-7283)", "published": "2014-06-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2260-1/", "cvelist": ["CVE-2014-3122", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2568", "CVE-2014-7283", "CVE-2014-0196", "CVE-2014-2851", "CVE-2014-3153", "CVE-2014-2580", "CVE-2014-0077"], "lastseen": "2018-03-29T18:18:57"}, {"id": "USN-2221-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the Linux kernel\u2019s IPC reference counting. An unprivileged local user could exploit this flaw to cause a denial of service (OOM system crash). (CVE-2013-4483)\n\nAl Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nJouni Malinen reported a flaw in the handling of fragmentation in the mac8Linux subsystem of the kernel. A remote attacker could exploit this flaw to obtain potential sensitive cleartext information by reading packets. (CVE-2014-8709)", "published": "2014-05-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2221-1/", "cvelist": ["CVE-2014-2672", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-8709", "CVE-2014-2851", "CVE-2014-2309", "CVE-2014-2678", "CVE-2013-4483", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-0069", "CVE-2014-2706"], "lastseen": "2018-03-29T18:20:10"}, {"id": "USN-2224-1", "type": "ubuntu", "title": "Linux kernel (Raring HWE) vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nSasha Levin reported a bug in the Linux kernel\u2019s virtual memory management subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3122)", "published": "2014-05-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2224-1/", "cvelist": ["CVE-2014-3122", "CVE-2014-2672", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2851", "CVE-2014-2309", "CVE-2014-2678", "CVE-2014-0055", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-2706"], "lastseen": "2018-03-29T18:20:31"}, {"id": "USN-2227-1", "type": "ubuntu", "title": "Linux kernel (OMAP4) vulnerabilities", "description": "A flaw was discovered in the Linux kernel\u2019s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges. (CVE-2014-0196)\n\nMatthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the Linux kernel\u2019s IPC reference counting. An unprivileged local user could exploit this flaw to cause a denial of service (OOM system crash). (CVE-2013-4483)\n\nAl Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged local user could exploit this flaw to cause a denial of service (system crash), obtain sensitive information from kernel memory, or possibly gain privileges. (CVE-2014-0069)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nJouni Malinen reported a flaw in the handling of fragmentation in the mac8Linux subsystem of the kernel. A remote attacker could exploit this flaw to obtain potential sensitive cleartext information by reading packets. (CVE-2014-8709)", "published": "2014-05-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2227-1/", "cvelist": ["CVE-2014-2672", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-8709", "CVE-2014-0196", "CVE-2014-2851", "CVE-2014-2309", "CVE-2014-2678", "CVE-2013-4483", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-0069", "CVE-2014-2706"], "lastseen": "2018-03-29T18:18:54"}, {"id": "USN-2225-1", "type": "ubuntu", "title": "Linux kernel (Saucy HWE) vulnerabilities", "description": "Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738)\n\nMatthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)\n\nA flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS. (CVE-2014-0077)\n\nNikolay Aleksandrov discovered a race condition in Linux kernel\u2019s IPv4 fragment handling code. Remote attackers could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact. (CVE-2014-0100)\n\nA flaw was discovered in the Linux kernel\u2019s handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)\n\nA flaw was discovered in the handling of routing information in Linux kernel\u2019s IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)\n\nAn error was discovered in the Linux kernel\u2019s DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)\n\nMax Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)\n\nAdhemerval Zanella Neto discovered a flaw the in the Transactional Memory \u2122 implementation for powerpc based machine. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2673)\n\nAn error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)\n\nYaara Rozenblum discovered a race condition in the Linux kernel\u2019s Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2706)\n\nA flaw was discovered in the Linux kernel\u2019s ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851)\n\nVincent Tondellier discovered an integer overflow in the Linux kernel\u2019s netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system). (CVE-2014-9715)", "published": "2014-05-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2225-1/", "cvelist": ["CVE-2014-9715", "CVE-2014-2672", "CVE-2014-0100", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-2851", "CVE-2014-2673", "CVE-2014-2309", "CVE-2014-2678", "CVE-2014-0055", "CVE-2014-0077", "CVE-2014-2523", "CVE-2014-0101", "CVE-2014-2706"], "lastseen": "2018-03-29T18:18:11"}]}}