Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.
{"ubuntucve": [{"lastseen": "2023-06-28T14:41:30", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6\nallows local users to cause a denial of service (BUG) or possibly have\nunspecified other impact via crafted use of the mmap and bpf system calls.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1581871>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-23T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4794", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2016-05-23T00:00:00", "id": "UB:CVE-2016-4794", "href": "https://ubuntu.com/security/CVE-2016-4794", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-03T14:35:33", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-23T10:59:00", "type": "cve", "title": "CVE-2016-4794", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2023-02-16T02:32:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2016-4794", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4794", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "android": [{"lastseen": "2021-07-28T14:34:31", "description": "Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-01T00:00:00", "type": "android", "title": "CVE-2016-4794", "bulletinFamily": "software", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4794"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-4794", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-4794.html", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:23", "description": "The [Dirty Cow vulnerability](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>) lived in Linux for close to a decade, and while it was patched in October in the kernel and in Linux distributions, Android users had to wait for more than a month for their fix.\n\nToday, Google included a patch for CVE-2016-5195 in the monthly [Android Security Bulletin](<https://source.android.com/security/bulletin/2016-12-01.html>), the final one for 2016. The Dirty Cow patch is one of 11 critical vulnerabilities, all of which are in the Dec. 5 patch level; a separate Dec. 1 patch level was also released today that included patches for 10 high-severity vulnerabilities.\n\nIn last month\u2019s bulletin, Google partially addressed Dirty Cow with a [supplemental firmware update for Nexus and Pixel handsets](<https://threatpost.com/google-releases-supplemental-patch-for-dirty-cow-vulnerability/121843/>), while Samsung was the lone handset maker to release a patch in November.\n\nDirty Cow was patched in October after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.\n\nThe flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory. Researcher Phil Oester disclosed the vulnerability and a proof-of-concept exploit.\n\n\u201cThis flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,\u201d Oester said.\n\nCopy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. The vulnerability allows an attacker to exploit the race condition to write to the original page before it\u2019s marked dirty.\n\nGoogle also patched a separate kernel memory subsystem bug rated critical. CVE-2016-4794 affects only the new Pixel, Pixel C and Pixel XL devices, and can also allow an attacker to elevate to root privileges.\n\nSix other critical bugs were addressed in the NVIDIA GPU and video drivers; the GPU bugs affect only Nexus 9 devices, while one of the video driver flaws also affects the Pixel C. The patches, Google said, are not publicly available and instead are contained in the latest binary drivers for Google devices.\n\nTwo other critical bugs in the kernel, kernel ION driver were also patched today, all of which allow an attacker to elevate their privileges.\n\nGoogle also patched additional vulnerabilities in Qualcomm components, which have been a sticking point this year in multiple updates and public attacks, most notably [Quadrooter](<https://threatpost.com/google-patches-quadrooter-vulnerabilities-in-android/120374/>), which was patched in September. Quadrooter was disclosed this summer at DEF CON and put hundreds of millions of devices at risk, similar to Stagefright. Researchers at Check Point Software Technologies disclosed the privilege escalation vulnerabilities, which could be used in remote code execution attacks. Multiple subsystems of the Qualcomm chipset were affected and the vulnerabilities could have been exploited to bypass existing mitigations in the Android Linux kernel, allowing an attacker to gain root privileges, Check Point said.\n\nGoogle said that today\u2019s patch addresses flaws that could also lead to code execution.\n\n\u201cAn elevation of privilege vulnerability in the Qualcomm MSM interface could enable a local malicious application to execute arbitrary code within the context of the kernel,\u201d Google said.\n\nThe Dec. 5 patch level also includes patches for vulnerabilities rated high severity in the kernel, kernel file system, HTC sound code, MediaTek drivers, Qualcomm codecs and drivers, and NVIDIA drivers among others. Most of the flaws are elevation of privilege issues.\n\nThe Dec. 1 patch level includes a patch for a remote code execution vulnerability in CURL/LIBCURL.\n\n\u201cThe most severe issue could enable a man-in-the-middle attacker using a forged certificate to execute arbitrary code within the context of a privileged process,\u201d Google said. \u201cThis issue is rated as High due to the attacker needing a forged certificate.\u201d\n\nThe remaining high-severity bugs in the Dec. 1 patch level affect libziparchive, Mediaserver, Framesequence and Telephony.\n", "cvss3": {}, "published": "2016-12-05T15:32:51", "type": "threatpost", "title": "Dirty Cow Vulnerability Patched in Android Security Bulletin", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5195"], "modified": "2016-12-05T20:32:51", "id": "THREATPOST:AAD833DA9CB72C65E36AA2758E011A09", "href": "https://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-bulletin/122266/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3056-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5243", "CVE-2016-4470", "CVE-2016-3135"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842852", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842852", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3056-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842852\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-11 05:37:23 +0200 (Thu, 11 Aug 2016)\");\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3056-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ben Hawkes discovered an integer overflow\n in the Linux netfilter implementation. On systems running 32 bit kernels, a\n local unprivileged attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code with administrative privileges.\n(CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did\nnot ensure a data structure was initialized before referencing it after an\nerror condition occurred. A local attacker could use this to cause a denial\nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code with\nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of\nthe Linux kernel. A local attacker could use this to obtain sensitive\ninformation from kernel memory. (CVE-2016-5243)\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3056-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3056-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1019-raspi2\", ver:\"4.4.0-1019.25\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:35:12", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-07-15T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2016:1798-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5829", "CVE-2016-4997", "CVE-2016-4470"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851367", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851367", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851367\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-15 05:27:52 +0200 (Fri, 15 Jul 2016)\");\n script_cve_id(\"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-4997\", \"CVE-2016-5829\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2016:1798-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security\n and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. (bsc#986362)\n\n - CVE-2016-5829: Multiple heap-based buffer overflows in the\n hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux\n kernel allow local users to cause a denial of service or possibly have\n unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)\n HIDIOCSUSAGES ioctl call (bnc#986572).\n\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bnc#984755).\n\n - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux\n kernel allowed local users to cause a denial of service (BUG)\n or possibly have unspecified other impact via crafted use of the mmap\n and bpf system calls (bnc#980265).\n\n The following non-security bugs were fixed:\n\n - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with\n head exceeding page size (bsc#978469).\n\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization).\n\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance).\n\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position\n updates for /proc/xen/xenbus (bsc#970275).\n\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a\n comment).\n\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n\n - base: make module_create_drivers_dir race-free (bnc#983977).\n\n - ipvs: count pre-established TCP states as active (bsc#970114).\n\n - net: thunderx: Fix TL4 configuration for secondary Qsets (bsc#986530).\n\n - net: thunderx: Fix link status reporting (bsc#986530).\");\n\n script_tag(name:\"affected\", value:\"kernel on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1798-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv\", rpm:\"kernel-pv~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base\", rpm:\"kernel-pv-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base-debuginfo\", rpm:\"kernel-pv-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debuginfo\", rpm:\"kernel-pv-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debugsource\", rpm:\"kernel-pv-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-devel\", rpm:\"kernel-pv-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa-xen\", rpm:\"kernel-obs-qa-xen~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:35", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-vivid USN-3053-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5243", "CVE-2016-1237", "CVE-2016-4470"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842859", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842859", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-vivid USN-3053-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842859\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-11 05:37:57 +0200 (Thu, 11 Aug 2016)\");\n script_cve_id(\"CVE-2016-1237\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-vivid USN-3053-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-vivid'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"A missing permission check when settings\n ACLs was discovered in nfsd. A local user could exploit this flaw to gain access\n to any file by setting an ACL. (CVE-2016-1237)\n\nIt was discovered that the keyring implementation in the Linux kernel did\nnot ensure a data structure was initialized before referencing it after an\nerror condition occurred. A local attacker could use this to cause a denial\nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code with\nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of\nthe Linux kernel. A local attacker could use this to obtain sensitive\ninformation from kernel memory. (CVE-2016-5243)\");\n script_tag(name:\"affected\", value:\"linux-lts-vivid on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3053-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3053-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-generic\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-generic-lpae\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-lowlatency\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-powerpc-e500mc\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-powerpc-smp\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-powerpc64-emb\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-66-powerpc64-smp\", ver:\"3.19.0-66.74~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:39", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3057-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5243", "CVE-2016-4470", "CVE-2016-3135"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842856", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842856", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3057-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842856\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-11 05:37:45 +0200 (Thu, 11 Aug 2016)\");\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3057-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ben Hawkes discovered an integer overflow\n in the Linux netfilter implementation. On systems running 32 bit kernels, a local\n unprivileged attacker could use this to cause a denial of service (system crash) or\n possibly execute arbitrary code with administrative privileges.\n (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did\nnot ensure a data structure was initialized before referencing it after an\nerror condition occurred. A local attacker could use this to cause a denial\nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code with\nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of\nthe Linux kernel. A local attacker could use this to obtain sensitive\ninformation from kernel memory. (CVE-2016-5243)\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3057-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3057-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1022-snapdragon\", ver:\"4.4.0-1022.25\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:33", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3054-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5243", "CVE-2016-4470", "CVE-2016-3135"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842860", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842860", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3054-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842860\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-11 05:38:01 +0200 (Thu, 11 Aug 2016)\");\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3054-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ben Hawkes discovered an integer overflow\n in the Linux netfilter implementation. On systems running 32 bit kernels, a local\n unprivileged attacker could use this to cause a denial of service (system crash)\n or possibly execute arbitrary code with administrative privileges.\n (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did\nnot ensure a data structure was initialized before referencing it after an\nerror condition occurred. A local attacker could use this to cause a denial\nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code with\nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of\nthe Linux kernel. A local attacker could use this to obtain sensitive\ninformation from kernel memory. (CVE-2016-5243)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3054-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3054-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-generic\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-generic-lpae\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-lowlatency\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc-e500mc\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc-smp\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc64-emb\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc64-smp\", ver:\"4.4.0-34.53~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:26", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux USN-3055-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5243", "CVE-2016-4470", "CVE-2016-3135"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842853", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842853", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3055-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842853\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-11 05:37:30 +0200 (Thu, 11 Aug 2016)\");\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3055-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Ben Hawkes discovered an integer overflow\n in the Linux netfilter implementation. On systems running 32 bit kernels, a\n local unprivileged attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code with administrative privileges.\n (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did\nnot ensure a data structure was initialized before referencing it after an\nerror condition occurred. A local attacker could use this to cause a denial\nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code with\nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of\nthe Linux kernel. A local attacker could use this to obtain sensitive\ninformation from kernel memory. (CVE-2016-5243)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3055-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3055-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-generic\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-generic-lpae\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-lowlatency\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc-e500mc\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc-smp\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc64-emb\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-34-powerpc64-smp\", ver:\"4.4.0-34.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-05T16:38:58", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1527)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8787", "CVE-2014-0131", "CVE-2016-4794", "CVE-2017-6074", "CVE-2014-8134", "CVE-2016-2069", "CVE-2015-5364", "CVE-2014-9410", "CVE-2017-18203", "CVE-2014-9940", "CVE-2014-1874", "CVE-2014-3181", "CVE-2015-8812", "CVE-2017-12192", "CVE-2016-0728", "CVE-2015-5327", "CVE-2016-10318", "CVE-2017-18344", "CVE-2014-9428", "CVE-2013-4470"], "modified": "2020-02-05T00:00:00", "id": "OPENVAS:1361412562311220191527", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191527", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1527\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-4470\", \"CVE-2014-0131\", \"CVE-2014-1874\", \"CVE-2014-3181\", \"CVE-2014-8134\", \"CVE-2014-9410\", \"CVE-2014-9428\", \"CVE-2014-9940\", \"CVE-2015-5327\", \"CVE-2015-5364\", \"CVE-2015-8787\", \"CVE-2015-8812\", \"CVE-2016-0728\", \"CVE-2016-10318\", \"CVE-2016-2069\", \"CVE-2016-4794\", \"CVE-2017-12192\", \"CVE-2017-18203\", \"CVE-2017-18344\", \"CVE-2017-6074\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:05:12 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1527)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1527\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1527\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1527 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203)\n\nThe batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.(CVE-2014-9428)\n\nThe regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.(CVE-2014-9940)\n\nThe Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.(CVE-2013-4470)\n\nA use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.(CVE-2017-6074)\n\nA NULL-pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).(CVE-2015-8787)\n\nA use-after-free flaw was found in the CXGB3 kernel driver when the network was considered to be congested. The kernel incorrectly misinterpreted the congestion as an error condition and incorrectly freed or cleaned up the socket buffer (skb). When the device then sent the skb's queued data, these structures were referenced. A local attacker could use this flaw to panic the system (denia ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-11T15:45:07", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1494)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6787", "CVE-2016-7097", "CVE-2016-4794", "CVE-2016-6480", "CVE-2016-4913", "CVE-2016-4581", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-4569", "CVE-2016-6828", "CVE-2016-5829", "CVE-2016-6198", "CVE-2016-4997", "CVE-2016-6197", "CVE-2016-7039", "CVE-2016-5195", "CVE-2016-6786", "CVE-2016-4578", "CVE-2016-6327", "CVE-2016-4805", "CVE-2016-4580", "CVE-2016-4998", "CVE-2016-7042"], "modified": "2020-06-09T00:00:00", "id": "OPENVAS:1361412562311220191494", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191494", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1494\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_cve_id(\"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4580\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-4805\", \"CVE-2016-4913\", \"CVE-2016-4997\", \"CVE-2016-4998\", \"CVE-2016-5195\", \"CVE-2016-5696\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6197\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2016-6786\", \"CVE-2016-6787\", \"CVE-2016-6828\", \"CVE-2016-7039\", \"CVE-2016-7042\", \"CVE-2016-7097\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:56:13 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1494)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1494\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1494\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1494 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A vulnerability was found in Linux kernel. There is an information leak in file 'sound/core/timer.c' of the latest mainline Linux kernel, the stack object thread has a total size of 32 bytes. It contains a 8-bytes padding, which is not initialized but sent to user via copy_to_user(), resulting a kernel leak.(CVE-2016-4569)\n\nA vulnerability was found in Linux kernel. There is an information leak in file sound/core/timer.c of the latest mainline Linux kernel. The stack object r1 has a total size of 32 bytes. Its field event and val both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.(CVE-2016-4578)\n\nThe x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)\n\nfs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.(CVE-2016-4581)\n\nUse after free vulnerability was found in percpu using previously allocated memory in bpf. First __alloc_percpu_gfp() is called, then the memory is freed with free_percpu() which triggers async pcpu_balance_work and then pcpu_extend_area_map could use a chunk after it has been freed.(CVE-2016-4794)\n\nUse-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.(CVE-2016-4805)\n\nA vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). The process stops when the amount collected so far + the claimed amount in the current NM entry exceed 254. However, the value returned as the total length is the sum of *claimed* sizes, not the actual amount collected. And that's what will be passed to readdir() callback as the name length - 8Kb __copy_to_user() from a buffer allocated by __get_free_page().(CVE-2016-4913)\n\nA flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This fl ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-11-04T00:00:00", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:2574-02", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-2384", "CVE-2016-4794", "CVE-2016-6480", "CVE-2016-3070", "CVE-2016-2069", "CVE-2016-4581", "CVE-2016-2053", "CVE-2016-5828", "CVE-2016-2847", "CVE-2016-3156", "CVE-2015-8746", "CVE-2016-6136", "CVE-2015-8812", "CVE-2016-4569", "CVE-2015-8543", "CVE-2015-8374", "CVE-2016-3699", "CVE-2016-5829", "CVE-2016-6198", "CVE-2015-8956", "CVE-2013-4312", "CVE-2016-4578", "CVE-2016-5412", "CVE-2016-6327", "CVE-2016-3841", "CVE-2015-8844", "CVE-2016-2117", "CVE-2015-8845"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871708", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871708", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2574-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871708\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-04 05:42:52 +0100 (Fri, 04 Nov 2016)\");\n script_cve_id(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\",\n \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\",\n \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\",\n \"CVE-2016-2847\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\",\n \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\",\n \"CVE-2016-4794\", \"CVE-2016-5412\", \"CVE-2016-5828\", \"CVE-2016-5829\",\n \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2574-02\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\n the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * It was found that the Linux kernel's IPv6 implementation mishandled\nsocket options. A local attacker could abuse concurrent access to the\nsocket options to escalate their privileges, or cause a denial of service\n(use-after-free and system crash) via a crafted sendmsg system call.\n(CVE-2016-3841, Important)\n\n * Several Moderate and Low impact security issues were found in the Linux\nkernel. Space precludes documenting each of these issues in this advisory.\nRefer to the CVE links in the References section for a description of each\nof these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543,\nCVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069,\nCVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412,\nCVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327,\nCVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384,\nCVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting\nCVE-2016-2053 Tetsuo Handa for reporting CVE-2016-2847 the Virtuozzo\nkernel team and Solar Designer (Openwall) for reporting CVE-2016-3156\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117 and Linn Crosetto\n(HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by\nVenkatesh Pottem (Red Hat Engineering) the CVE-2015-8844 and CVE-2015-8845\nissues were discovered by Miroslav Vadkerti (Red Hat Engineering) the\nCVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat) the\nCVE-2016-6198 issue was discovered by CAI Qian (Red Hat) and the\nCVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2574-02\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00010.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~514.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:40:12", "description": "The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security\n and bugfixes.\n\n The following security bugs were fixed:\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. (bsc#986362)\n - CVE-2016-5829: Multiple heap-based buffer overflows in the\n hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux\n kernel allow local users to cause a denial of service or possibly have\n unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)\n HIDIOCSUSAGES ioctl call (bnc#986572).\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bnc#984755).\n - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux\n kernel allowed local users to cause a denial of service (BUG)\n or possibly have unspecified other impact via crafted use of the mmap\n and bpf system calls (bnc#980265).\n\n The following non-security bugs were fixed:\n - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with\n head exceeding page size (bsc#978469).\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization).\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance).\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position\n updates for /proc/xen/xenbus (bsc#970275).\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a\n comment).\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n - base: make module_create_drivers_dir race-free (bnc#983977).\n - ipvs: count pre-established TCP states as active (bsc#970114).\n - net: thunderx: Fix TL4 configuration for secondary Qsets (bsc#986530).\n - net: thunderx: Fix link status reporting (bsc#986530).\n\n", "cvss3": {}, "published": "2016-07-14T14:08:15", "type": "suse", "title": "Security update for the Linux Kernel (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-4794", "CVE-2016-5829", "CVE-2016-4997", "CVE-2016-4470"], "modified": "2016-07-14T14:08:15", "id": "OPENSUSE-SU-2016:1798-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00014.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-05-18T14:26:32", "description": "Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3056-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3056-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92866", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3056-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92866);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_xref(name:\"USN\", value:\"3056-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3056-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ben Hawkes discovered an integer overflow in the Linux netfilter\nimplementation. On systems running 32 bit kernels, a local\nunprivileged attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code with administrative\nprivileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel\ndid not ensure a data structure was initialized before referencing it\nafter an error condition occurred. A local attacker could use this to\ncause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink\nimplementation of the Linux kernel. A local attacker could use this to\nobtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3056-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected linux-image-4.4-raspi2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3056-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1019-raspi2\", pkgver:\"4.4.0-1019.25\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-raspi2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:25:13", "description": "The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables handling could lead to a local privilege escalation. (bsc#986362)\n\n - CVE-2016-5829: Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (bnc#986572).\n\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bnc#984755).\n\n - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux kernel allowed local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (bnc#980265).\n\nThe following non-security bugs were fixed :\n\n - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with head exceeding page size (bsc#978469).\n\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization).\n\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance).\n\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position updates for /proc/xen/xenbus (bsc#970275).\n\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a comment).\n\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n\n - base: make module_create_drivers_dir race-free (bnc#983977).\n\n - ipvs: count pre-established TCP states as active (bsc#970114).\n\n - net: thunderx: Fix TL4 configuration for secondary Qsets (bsc#986530).\n\n - net: thunderx: Fix link status reporting (bsc#986530).", "cvss3": {}, "published": "2016-07-15T00:00:00", "type": "nessus", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2016-869)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4470", "CVE-2016-4794", "CVE-2016-4997", "CVE-2016-5829"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-pae-base", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-pae-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-pv", "p-cpe:/a:novell:opensuse:kernel-pv-base", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pv-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pv-debugsource", "p-cpe:/a:novell:opensuse:kernel-pv-devel", "p-cpe:/a:novell:opensuse:kernel-docs-html", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-docs-pdf", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-ec2", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-base", "p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen", "p-cpe:/a:novell:opensuse:kernel-ec2-debugsource", "p-cpe:/a:novell:opensuse:kernel-xen-base", "p-cpe:/a:novell:opensuse:kernel-ec2-devel", "p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debuginfo", "p-cpe:/a:novell:opensuse:kernel-macros", "p-cpe:/a:novell:opensuse:kernel-xen-debugsource", "p-cpe:/a:novell:opensuse:kernel-xen-devel", "p-cpe:/a:novell:opensuse:kernel-obs-build", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource", "p-cpe:/a:novell:opensuse:kernel-obs-qa", "p-cpe:/a:novell:opensuse:kernel-obs-qa-xen", "p-cpe:/a:novell:opensuse:kernel-pae"], "id": "OPENSUSE-2016-869.NASL", "href": "https://www.tenable.com/plugins/nessus/92308", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-869.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92308);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-4997\", \"CVE-2016-5829\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2016-869)\");\n script_summary(english:\"Check for the openSUSE-2016-869 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE Leap 42.1 was updated to 4.1.27 to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit\n compat_setsockopt iptables handling could lead to a\n local privilege escalation. (bsc#986362)\n\n - CVE-2016-5829: Multiple heap-based buffer overflows in\n the hiddev_ioctl_usage function in\n drivers/hid/usbhid/hiddev.c in the Linux kernel allow\n local users to cause a denial of service or possibly\n have unspecified other impact via a crafted (1)\n HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call\n (bnc#986572).\n\n - CVE-2016-4470: The key_reject_and_link function in\n security/keys/key.c in the Linux kernel did not ensure\n that a certain data structure is initialized, which\n allowed local users to cause a denial of service (system\n crash) via vectors involving a crafted keyctl request2\n command (bnc#984755).\n\n - CVE-2016-4794: Use-after-free vulnerability in\n mm/percpu.c in the Linux kernel allowed local users to\n cause a denial of service (BUG) or possibly have\n unspecified other impact via crafted use of the mmap and\n bpf system calls (bnc#980265).\n\nThe following non-security bugs were fixed :\n\n - Refresh patches.xen/xen-netback-coalesce: Restore\n copying of SKBs with head exceeding page size\n (bsc#978469).\n\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT\n initialization).\n\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat\n inheritance).\n\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic\n file position updates for /proc/xen/xenbus (bsc#970275).\n\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant\n addition of a comment).\n\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n\n - base: make module_create_drivers_dir race-free\n (bnc#983977).\n\n - ipvs: count pre-established TCP states as active\n (bsc#970114).\n\n - net: thunderx: Fix TL4 configuration for secondary Qsets\n (bsc#986530).\n\n - net: thunderx: Fix link status reporting (bsc#986530).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=970114\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=970275\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=978469\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=980265\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=983977\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984755\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=986362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=986530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=986572\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pv-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-default-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-docs-html-4.1.27-24.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-docs-pdf-4.1.27-24.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-macros-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-obs-build-4.1.27-24.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-obs-build-debugsource-4.1.27-24.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-obs-qa-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-obs-qa-xen-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-source-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-source-vanilla-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"kernel-syms-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-debug-devel-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-ec2-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pae-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-pv-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-vanilla-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-vanilla-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-vanilla-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-vanilla-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"i686\", reference:\"kernel-xen-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-debug-devel-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pae-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-pv-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-devel-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-base-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-4.1.27-24.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-4.1.27-24.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-debug / kernel-debug-base / kernel-debug-base-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:26:53", "description": "Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3054-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3054-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92864", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3054-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92864);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_xref(name:\"USN\", value:\"3054-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3054-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ben Hawkes discovered an integer overflow in the Linux netfilter\nimplementation. On systems running 32 bit kernels, a local\nunprivileged attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code with administrative\nprivileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel\ndid not ensure a data structure was initialized before referencing it\nafter an error condition occurred. A local attacker could use this to\ncause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink\nimplementation of the Linux kernel. A local attacker could use this to\nobtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3054-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3054-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-34-generic\", pkgver:\"4.4.0-34.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-34-generic-lpae\", pkgver:\"4.4.0-34.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-34-lowlatency\", pkgver:\"4.4.0-34.53~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:26:54", "description": "Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : linux vulnerabilities (USN-3055-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3055-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92865", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3055-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92865);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_xref(name:\"USN\", value:\"3055-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux vulnerabilities (USN-3055-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ben Hawkes discovered an integer overflow in the Linux netfilter\nimplementation. On systems running 32 bit kernels, a local\nunprivileged attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code with administrative\nprivileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel\ndid not ensure a data structure was initialized before referencing it\nafter an error condition occurred. A local attacker could use this to\ncause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink\nimplementation of the Linux kernel. A local attacker could use this to\nobtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3055-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3055-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-34-generic\", pkgver:\"4.4.0-34.53\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-34-generic-lpae\", pkgver:\"4.4.0-34.53\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-34-lowlatency\", pkgver:\"4.4.0-34.53\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:26:33", "description": "Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3057-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-3057-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92867", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3057-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92867);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_xref(name:\"USN\", value:\"3057-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3057-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ben Hawkes discovered an integer overflow in the Linux netfilter\nimplementation. On systems running 32 bit kernels, a local\nunprivileged attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code with administrative\nprivileges. (CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel\ndid not ensure a data structure was initialized before referencing it\nafter an error condition occurred. A local attacker could use this to\ncause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink\nimplementation of the Linux kernel. A local attacker could use this to\nobtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3057-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected linux-image-4.4-snapdragon package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-3135\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3057-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1022-snapdragon\", pkgver:\"4.4.0-1022.25\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-snapdragon\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:27:03", "description": "A missing permission check when settings ACLs was discovered in nfsd.\nA local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-08-11T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3053-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1237", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3053-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92863", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3053-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92863);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2016-1237\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n script_xref(name:\"USN\", value:\"3053-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3053-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A missing permission check when settings ACLs was discovered in nfsd.\nA local user could exploit this flaw to gain access to any file by\nsetting an ACL. (CVE-2016-1237)\n\nIt was discovered that the keyring implementation in the Linux kernel\ndid not ensure a data structure was initialized before referencing it\nafter an error condition occurred. A local attacker could use this to\ncause a denial of service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu\nallocator in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode with administrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink\nimplementation of the Linux kernel. A local attacker could use this to\nobtain sensitive information from kernel memory. (CVE-2016-5243).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3053-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected linux-image-3.19-generic,\nlinux-image-3.19-generic-lpae and / or linux-image-3.19-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2023 Canonical, Inc. / NASL script (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1237\", \"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-5243\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3053-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-66-generic\", pkgver:\"3.19.0-66.74~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-66-generic-lpae\", pkgver:\"3.19.0-66.74~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-66-lowlatency\", pkgver:\"3.19.0-66.74~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.19-generic / linux-image-3.19-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:53", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - acpi: Disable ACPI table override if securelevel is set (Linn Crosetto) [Orabug: 25058966] (CVE-2016-3699)\n\n - aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060060] (CVE-2016-6480) (CVE-2016-6480)\n\n - audit: fix a double fetch in audit_log_single_execve_arg (Paul Moore) [Orabug: 25059969] (CVE-2016-6136)\n\n - ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 25023269] (CVE-2016-1583) (CVE-2016-1583)\n\n - Revert 'ecryptfs: forbid opening files without mmap handler' (Chuck Anderson) [Orabug: 24971921] (CVE-2016-1583)\n\n - percpu: fix synchronization between synchronous map extension and chunk destruction (Tejun Heo) [Orabug:\n 25060084] (CVE-2016-4794)\n\n - percpu: fix synchronization between chunk->map_extend_work and chunk destruction (Tejun Heo) [Orabug: 25060084] (CVE-2016-4794)\n\n - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug:\n 25059898] (CVE-2016-4578)\n\n - ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898] (CVE-2016-4578)\n\n - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059752] (CVE-2016-4569)\n\n - Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058894] (CVE-2015-8956)\n\n - ASN.1: Fix non-match detection failure on data overrun (David Howells) [Orabug: 25059037] (CVE-2016-2053)\n\n - mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059188] (CVE-2016-3070)\n\n - uek-rpm ol7: change uek-rpm/ol7/update-el release value from 7.1 to 7.3 (Chuck Anderson) [Orabug: 25050614]", "cvss3": {}, "published": "2016-11-22T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0162)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8956", "CVE-2016-1583", "CVE-2016-2053", "CVE-2016-3070", "CVE-2016-3699", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4794", "CVE-2016-6136", "CVE-2016-6480"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2016-0162.NASL", "href": "https://www.tenable.com/plugins/nessus/95045", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0162.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95045);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-8956\", \"CVE-2016-1583\", \"CVE-2016-2053\", \"CVE-2016-3070\", \"CVE-2016-3699\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4794\", \"CVE-2016-6136\", \"CVE-2016-6480\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0162)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - acpi: Disable ACPI table override if securelevel is set\n (Linn Crosetto) [Orabug: 25058966] (CVE-2016-3699)\n\n - aacraid: Check size values after double-fetch from user\n (Dave Carroll) [Orabug: 25060060] (CVE-2016-6480)\n (CVE-2016-6480)\n\n - audit: fix a double fetch in audit_log_single_execve_arg\n (Paul Moore) [Orabug: 25059969] (CVE-2016-6136)\n\n - ecryptfs: don't allow mmap when the lower fs doesn't\n support it (Jeff Mahoney) [Orabug: 25023269]\n (CVE-2016-1583) (CVE-2016-1583)\n\n - Revert 'ecryptfs: forbid opening files without mmap\n handler' (Chuck Anderson) [Orabug: 24971921]\n (CVE-2016-1583)\n\n - percpu: fix synchronization between synchronous map\n extension and chunk destruction (Tejun Heo) [Orabug:\n 25060084] (CVE-2016-4794)\n\n - percpu: fix synchronization between\n chunk->map_extend_work and chunk destruction (Tejun Heo)\n [Orabug: 25060084] (CVE-2016-4794)\n\n - ALSA: timer: Fix leak in events via\n snd_timer_user_tinterrupt (Kangjie Lu) [Orabug:\n 25059898] (CVE-2016-4578)\n\n - ALSA: timer: Fix leak in events via\n snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898]\n (CVE-2016-4578)\n\n - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS\n (Kangjie Lu) [Orabug: 25059752] (CVE-2016-4569)\n\n - Bluetooth: Fix potential NULL dereference in RFCOMM bind\n callback (Jaganath Kanakkassery) [Orabug: 25058894]\n (CVE-2015-8956)\n\n - ASN.1: Fix non-match detection failure on data overrun\n (David Howells) [Orabug: 25059037] (CVE-2016-2053)\n\n - mm: migrate dirty page without clear_page_dirty_for_io\n etc (Hugh Dickins) [Orabug: 25059188] (CVE-2016-3070)\n\n - uek-rpm ol7: change uek-rpm/ol7/update-el release value\n from 7.1 to 7.3 (Chuck Anderson) [Orabug: 25050614]\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-November/000587.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?29062942\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-61.1.19.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-61.1.19.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:37", "description": "The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-3644 advisory.\n\n - The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (CVE-2016-1583)\n\n - The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)\n\n - The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. (CVE-2016-2053)\n\n - The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)\n\n - sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.\n (CVE-2016-4578)\n\n - Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)\n\n - The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move. (CVE-2016-3070)\n\n - The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd. (CVE-2016-3699)\n\n - Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls. (CVE-2016-4794)\n\n - Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a double fetch vulnerability. (CVE-2016-6136)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2016-11-22T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3644)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8956", "CVE-2016-1583", "CVE-2016-2053", "CVE-2016-3070", "CVE-2016-3699", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4794", "CVE-2016-6136", "CVE-2016-6480"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.19.el6uek", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.19.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2016-3644.NASL", "href": "https://www.tenable.com/plugins/nessus/95042", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3644.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95042);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2015-8956\",\n \"CVE-2016-1583\",\n \"CVE-2016-2053\",\n \"CVE-2016-3070\",\n \"CVE-2016-3699\",\n \"CVE-2016-4569\",\n \"CVE-2016-4578\",\n \"CVE-2016-4794\",\n \"CVE-2016-6136\",\n \"CVE-2016-6480\"\n );\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3644)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2016-3644 advisory.\n\n - The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows\n local users to gain privileges or cause a denial of service (stack memory consumption) via vectors\n involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (CVE-2016-1583)\n\n - The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local\n users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors\n involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)\n\n - The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to\n cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. (CVE-2016-2053)\n\n - The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not\n initialize a certain data structure, which allows local users to obtain sensitive information from kernel\n stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)\n\n - sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which\n allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA\n timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.\n (CVE-2016-4578)\n\n - Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel\n through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by\n changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)\n\n - The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel\n before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service\n (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a\n certain page move. (CVE-2016-3070)\n\n - The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted\n with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute\n untrusted code by appending ACPI tables to the initrd. (CVE-2016-3699)\n\n - Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a\n denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf\n system calls. (CVE-2016-4794)\n\n - Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through\n 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by\n changing a certain string, aka a double fetch vulnerability. (CVE-2016-6136)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-3644.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4794\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.19.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.19.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-61.1.19.el6uek', '4.1.12-61.1.19.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-3644');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'dtrace-modules-4.1.12-61.1.19.el6uek-0.5.3-2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-4.1.12-61.1.19.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-61.1.19.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-61.1.19.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-61.1.19.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-61.1.19.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-61.1.19.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'},\n {'reference':'dtrace-modules-4.1.12-61.1.19.el7uek-0.5.3-2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-4.1.12-61.1.19.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-61.1.19.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-61.1.19.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-61.1.19.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-61.1.19.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-61.1.19.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dtrace-modules-4.1.12-61.1.19.el6uek / dtrace-modules-4.1.12-61.1.19.el7uek / kernel-uek / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-23T02:30:33", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with\n __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203i1/4%0\n\n - The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N.\n implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.(CVE-2014-9428i1/4%0\n\n - The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.(CVE-2014-9940i1/4%0\n\n - The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0\n\n - A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.(CVE-2017-6074i1/4%0\n\n - A NULL-pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).(CVE-2015-8787i1/4%0\n\n - A use-after-free flaw was found in the CXGB3 kernel driver when the network was considered to be congested.\n The kernel incorrectly misinterpreted the congestion as an error condition and incorrectly freed or cleaned up the socket buffer (skb). When the device then sent the skb's queued data, these structures were referenced. A local attacker could use this flaw to panic the system (denial of service) or, with a local account, escalate their privileges.(CVE-2015-8812i1/4%0\n\n - A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.(CVE-2015-5364i1/4%0\n\n - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn't properly validate the sigevent-i1/4zsigev_notify field, which leads to out-of-bounds access in the show_timer function.(CVE-2017-18344i1/4%0\n\n - A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. A local user could use a thread running with a stale cached virtual-i1/4zphysical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table).(CVE-2016-2069i1/4%0\n\n - Use after free vulnerability was found in percpu using previously allocated memory in bpf. First\n __alloc_percpu_gfp() is called, then the memory is freed with free_percpu() which triggers async pcpu_balance_work and then pcpu_extend_area_map could use a chunk after it has been freed.(CVE-2016-4794i1/4%0\n\n - A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and f2fs filesystem encryption support in the Linux kernel allows a user to assign an encryption policy to a directory owned by a different user, potentially creating a denial of service.(CVE-2016-10318i1/4%0\n\n - The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context.(CVE-2014-1874i1/4%0\n\n - The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe31.c in the MSM-VFE31 driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate a certain id value, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.(CVE-2014-9410i1/4%0\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on a negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192i1/4%0\n\n - Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.(CVE-2015-5327i1/4%0\n\n - It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.(CVE-2014-8134i1/4%0\n\n - An out-of-bounds write flaw was found in the way the Apple Magic Mouse/Trackpad multi-touch driver handled Human Interface Device (HID) reports with an invalid size. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3181i1/4%0\n\n - A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in certain error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system.(CVE-2016-0728i1/4%0\n\n - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.(CVE-2014-0131i1/4%0\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4470", "CVE-2014-0131", "CVE-2014-1874", "CVE-2014-3181", "CVE-2014-8134", "CVE-2014-9410", "CVE-2014-9428", "CVE-2014-9940", "CVE-2015-5327", "CVE-2015-5364", "CVE-2015-8787", "CVE-2015-8812", "CVE-2016-0728", "CVE-2016-10318", "CVE-2016-2069", "CVE-2016-4794", "CVE-2017-12192", "CVE-2017-18203", "CVE-2017-18344", "CVE-2017-6074"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1527.NASL", "href": "https://www.tenable.com/plugins/nessus/124980", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124980);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n \"CVE-2013-4470\",\n \"CVE-2014-0131\",\n \"CVE-2014-1874\",\n \"CVE-2014-3181\",\n \"CVE-2014-8134\",\n \"CVE-2014-9410\",\n \"CVE-2014-9428\",\n \"CVE-2014-9940\",\n \"CVE-2015-5327\",\n \"CVE-2015-5364\",\n \"CVE-2015-8787\",\n \"CVE-2015-8812\",\n \"CVE-2016-0728\",\n \"CVE-2016-10318\",\n \"CVE-2016-2069\",\n \"CVE-2016-4794\",\n \"CVE-2017-12192\",\n \"CVE-2017-18203\",\n \"CVE-2017-18344\",\n \"CVE-2017-6074\"\n );\n script_bugtraq_id(\n 63359,\n 65459,\n 66101,\n 69779,\n 71650,\n 71847,\n 75510\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The Linux kernel, before version 4.14.3, is vulnerable\n to a denial of service in\n drivers/md/dm.c:dm_get_from_kobject() which can be\n caused by local users leveraging a race condition with\n __dm_destroy() during creation and removal of DM\n devices. Only privileged local users (with\n CAP_SYS_ADMIN capability) can directly perform the\n ioctl operations for dm device creation and removal and\n this would typically be outside the direct control of\n the unprivileged attacker.(CVE-2017-18203i1/4%0\n\n - The batadv_frag_merge_packets function in\n net/batman-adv/fragmentation.c in the B.A.T.M.A.N.\n implementation in the Linux kernel through 3.18.1 uses\n an incorrect length field during a calculation of an\n amount of memory, which allows remote attackers to\n cause a denial of service (mesh-node system crash) via\n fragmented packets.(CVE-2014-9428i1/4%0\n\n - The regulator_ena_gpio_free function in\n drivers/regulator/core.c in the Linux kernel allows\n local users to gain privileges or cause a denial of\n service (use-after-free) via a crafted\n application.(CVE-2014-9940i1/4%0\n\n - The Linux kernel before 3.12, when UDP Fragmentation\n Offload (UFO) is enabled, does not properly initialize\n certain data structures, which allows local users to\n cause a denial of service (memory corruption and system\n crash) or possibly gain privileges via a crafted\n application that uses the UDP_CORK option in a\n setsockopt system call and sends both short and long\n packets, related to the ip_ufo_append_data function in\n net/ipv4/ip_output.c and the ip6_ufo_append_data\n function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0\n\n - A use-after-free flaw was found in the way the Linux\n kernel's Datagram Congestion Control Protocol (DCCP)\n implementation freed SKB (socket buffer) resources for\n a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO\n option is set on the socket. A local, unprivileged user\n could use this flaw to alter the kernel memory,\n allowing them to escalate their privileges on the\n system.(CVE-2017-6074i1/4%0\n\n - A NULL-pointer dereference vulnerability was found in\n the Linux kernel's TCP stack, in\n net/netfilter/nf_nat_redirect.c in the\n nf_nat_redirect_ipv4() function. A remote,\n unauthenticated user could exploit this flaw to create\n a system crash (denial of service).(CVE-2015-8787i1/4%0\n\n - A use-after-free flaw was found in the CXGB3 kernel\n driver when the network was considered to be congested.\n The kernel incorrectly misinterpreted the congestion as\n an error condition and incorrectly freed or cleaned up\n the socket buffer (skb). When the device then sent the\n skb's queued data, these structures were referenced. A\n local attacker could use this flaw to panic the system\n (denial of service) or, with a local account, escalate\n their privileges.(CVE-2015-8812i1/4%0\n\n - A flaw was found in the way the Linux kernel's\n networking implementation handled UDP packets with\n incorrect checksum values. A remote attacker could\n potentially use this flaw to trigger an infinite loop\n in the kernel, resulting in a denial of service on the\n system, or cause a denial of service in applications\n using the edge triggered epoll\n functionality.(CVE-2015-5364i1/4%0\n\n - The timer_create syscall implementation in\n kernel/time/posix-timers.c in the Linux kernel doesn't\n properly validate the sigevent-i1/4zsigev_notify field,\n which leads to out-of-bounds access in the show_timer\n function.(CVE-2017-18344i1/4%0\n\n - A flaw was discovered in the way the Linux kernel dealt\n with paging structures. When the kernel invalidated a\n paging structure that was not in use locally, it could,\n in principle, race against another CPU that is\n switching to a process that uses the paging structure\n in question. A local user could use a thread running\n with a stale cached virtual-i1/4zphysical translation to\n potentially escalate their privileges if the\n translation in question were writable and the physical\n page got reused for something critical (for example, a\n page table).(CVE-2016-2069i1/4%0\n\n - Use after free vulnerability was found in percpu using\n previously allocated memory in bpf. First\n __alloc_percpu_gfp() is called, then the memory is\n freed with free_percpu() which triggers async\n pcpu_balance_work and then pcpu_extend_area_map could\n use a chunk after it has been freed.(CVE-2016-4794i1/4%0\n\n - A missing authorization check in the\n fscrypt_process_policy function in fs/crypto/policy.c\n in the ext4 and f2fs filesystem encryption support in\n the Linux kernel allows a user to assign an encryption\n policy to a directory owned by a different user,\n potentially creating a denial of\n service.(CVE-2016-10318i1/4%0\n\n - The security_context_to_sid_core function in\n security/selinux/ss/services.c in the Linux kernel\n before 3.13.4 allows local users to cause a denial of\n service (system crash) by leveraging the CAP_MAC_ADMIN\n capability to set a zero-length security\n context.(CVE-2014-1874i1/4%0\n\n - The vfe31_proc_general function in\n drivers/media/video/msm/vfe/msm_vfe31.c in the\n MSM-VFE31 driver for the Linux kernel 3.x, as used in\n Qualcomm Innovation Center (QuIC) Android contributions\n for MSM devices and other products, does not validate a\n certain id value, which allows attackers to gain\n privileges or cause a denial of service (memory\n corruption) via an application that makes a crafted\n ioctl call.(CVE-2014-9410i1/4%0\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on a negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192i1/4%0\n\n - Out-of-bounds memory read in the x509_decode_time\n function in x509_cert_parser.c in Linux kernels 4.3-rc1\n and after.(CVE-2015-5327i1/4%0\n\n - It was found that the espfix functionality does not\n work for 32-bit KVM paravirtualized guests. A local,\n unprivileged guest user could potentially use this flaw\n to leak kernel stack addresses.(CVE-2014-8134i1/4%0\n\n - An out-of-bounds write flaw was found in the way the\n Apple Magic Mouse/Trackpad multi-touch driver handled\n Human Interface Device (HID) reports with an invalid\n size. An attacker with physical access to the system\n could use this flaw to crash the system or,\n potentially, escalate their privileges on the\n system.(CVE-2014-3181i1/4%0\n\n - A use-after-free flaw was found in the way the Linux\n kernel's key management subsystem handled keyring\n object reference counting in certain error path of the\n join_session_keyring() function. A local, unprivileged\n user could use this flaw to escalate their privileges\n on the system.(CVE-2016-0728i1/4%0\n\n - Use-after-free vulnerability in the skb_segment\n function in net/core/skbuff.c in the Linux kernel\n through 3.13.6 allows attackers to obtain sensitive\n information from kernel memory by leveraging the\n absence of a certain orphaning\n operation.(CVE-2014-0131i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1527\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dfd6ac3d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-08T00:27:45", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A vulnerability was found in Linux kernel. There is an information leak in file 'sound/core/timer.c' of the latest mainline Linux kernel, the stack object aEURoetreadaEUR has a total size of 32 bytes. It contains a 8-bytes padding, which is not initialized but sent to user via copy_to_user(), resulting a kernel leak.(CVE-2016-4569)\n\n - A vulnerability was found in Linux kernel. There is an information leak in file sound/core/timer.c of the latest mainline Linux kernel. The stack object aEURoer1aEUR has a total size of 32 bytes. Its field aEURoeeventaEUR and aEURoevalaEUR both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized.(CVE-2016-4578)\n\n - The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.(CVE-2016-4581)\n\n - Use after free vulnerability was found in percpu using previously allocated memory in bpf. First\n __alloc_percpu_gfp() is called, then the memory is freed with free_percpu() which triggers async pcpu_balance_work and then pcpu_extend_area_map could use a chunk after it has been freed.(CVE-2016-4794)\n\n - Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.(CVE-2016-4805)\n\n - A vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). The process stops when the amount collected so far + the claimed amount in the current NM entry exceed 254. However, the value returned as the total length is the sum of *claimed* sizes, not the actual amount collected. And that's what will be passed to readdir() callback as the name length - 8Kb\n __copy_to_user() from a buffer allocated by\n __get_free_page().(CVE-2016-4913)\n\n - A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.(CVE-2016-4997)\n\n - An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.(CVE-2016-4998)\n\n - A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.(CVE-2016-5195)\n\n - It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network.(CVE-2016-5696)\n\n - A heap-based buffer overflow vulnerability was found in the Linux kernel's hiddev driver. This flaw could allow a local attacker to corrupt kernel memory, possible privilege escalation or crashing the system.(CVE-2016-5829)\n\n - When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.(CVE-2016-6136)\n\n - It was found that the unlink and rename functionality in overlayfs did not verify the upper dentry for staleness. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to panic or crash the system.(CVE-2016-6197)\n\n - A flaw was found that the vfs_rename() function did not detect hard links on overlayfs. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to crash the system.(CVE-2016-6198)\n\n - System using the infiniband support module ib_srpt were vulnerable to a denial of service by system crash by a local attacker who is able to abort writes to a device using this initiator.(CVE-2016-6327)\n\n - A race condition flaw was found in the ioctl_send_fib() function in the Linux kernel's aacraid implementation.\n A local attacker could use this flaw to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value.(CVE-2016-6480)\n\n - kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.(CVE-2016-6786)\n\n - kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.(CVE-2016-6787)\n\n - A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions.\n This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection.(CVE-2016-6828)\n\n - Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel.(CVE-2016-7039)\n\n - It was found that when the gcc stack protector was enabled, reading the /proc/keys file could cause a panic in the Linux kernel due to stack corruption. This happened because an incorrect buffer size was used to hold a 64-bit timeout value rendered as weeks.(CVE-2016-7042)\n\n - It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications.(CVE-2016-7097)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-15T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4580", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-4805", "CVE-2016-4913", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5195", "CVE-2016-5696", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6197", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-6786", "CVE-2016-6787", "CVE-2016-6828", "CVE-2016-7039", "CVE-2016-7042", "CVE-2016-7097"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1494.NASL", "href": "https://www.tenable.com/plugins/nessus/125100", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125100);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-4569\",\n \"CVE-2016-4578\",\n \"CVE-2016-4580\",\n \"CVE-2016-4581\",\n \"CVE-2016-4794\",\n \"CVE-2016-4805\",\n \"CVE-2016-4913\",\n \"CVE-2016-4997\",\n \"CVE-2016-4998\",\n \"CVE-2016-5195\",\n \"CVE-2016-5696\",\n \"CVE-2016-5829\",\n \"CVE-2016-6136\",\n \"CVE-2016-6197\",\n \"CVE-2016-6198\",\n \"CVE-2016-6327\",\n \"CVE-2016-6480\",\n \"CVE-2016-6786\",\n \"CVE-2016-6787\",\n \"CVE-2016-6828\",\n \"CVE-2016-7039\",\n \"CVE-2016-7042\",\n \"CVE-2016-7097\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A vulnerability was found in Linux kernel. There is an\n information leak in file 'sound/core/timer.c' of the\n latest mainline Linux kernel, the stack object\n aEURoetreadaEUR has a total size of 32 bytes. It contains a\n 8-bytes padding, which is not initialized but sent to\n user via copy_to_user(), resulting a kernel\n leak.(CVE-2016-4569)\n\n - A vulnerability was found in Linux kernel. There is an\n information leak in file sound/core/timer.c of the\n latest mainline Linux kernel. The stack object aEURoer1aEUR\n has a total size of 32 bytes. Its field aEURoeeventaEUR and\n aEURoevalaEUR both contain 4 bytes padding. These 8 bytes\n padding bytes are sent to user without being\n initialized.(CVE-2016-4578)\n\n - The x25_negotiate_facilities function in\n net/x25/x25_facilities.c in the Linux kernel before\n 4.5.5 does not properly initialize a certain data\n structure, which allows attackers to obtain sensitive\n information from kernel stack memory via an X.25 Call\n Request.(CVE-2016-4580)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not\n properly traverse a mount propagation tree in a certain\n case involving a slave mount, which allows local users\n to cause a denial of service (NULL pointer dereference\n and OOPS) via a crafted series of mount system\n calls.(CVE-2016-4581)\n\n - Use after free vulnerability was found in percpu using\n previously allocated memory in bpf. First\n __alloc_percpu_gfp() is called, then the memory is\n freed with free_percpu() which triggers async\n pcpu_balance_work and then pcpu_extend_area_map could\n use a chunk after it has been freed.(CVE-2016-4794)\n\n - Use-after-free vulnerability in\n drivers/net/ppp/ppp_generic.c in the Linux kernel\n before 4.5.2 allows local users to cause a denial of\n service (memory corruption and system crash, or\n spinlock) or possibly have unspecified other impact by\n removing a network namespace, related to the\n ppp_register_net_channel and ppp_unregister_channel\n functions.(CVE-2016-4805)\n\n - A vulnerability was found in the Linux kernel. Payloads\n of NM entries are not supposed to contain NUL. When\n such entry is processed, only the part prior to the\n first NUL goes into the concatenation (i.e. the\n directory entry name being encoded by a bunch of NM\n entries). The process stops when the amount collected\n so far + the claimed amount in the current NM entry\n exceed 254. However, the value returned as the total\n length is the sum of *claimed* sizes, not the actual\n amount collected. And that's what will be passed to\n readdir() callback as the name length - 8Kb\n __copy_to_user() from a buffer allocated by\n __get_free_page().(CVE-2016-4913)\n\n - A flaw was discovered in processing setsockopt for 32\n bit processes on 64 bit systems. This flaw will allow\n attackers to alter arbitrary kernel memory when\n unloading a kernel module. This action is usually\n restricted to root-privileged users but can also be\n leveraged if the kernel is compiled with CONFIG_USER_NS\n and CONFIG_NET_NS and the user is granted elevated\n privileges.(CVE-2016-4997)\n\n - An out-of-bounds heap memory access leading to a Denial\n of Service, heap disclosure, or further impact was\n found in setsockopt(). The function call is normally\n restricted to root, however some processes with\n cap_sys_admin may also be able to trigger this flaw in\n privileged container environments.(CVE-2016-4998)\n\n - A race condition was found in the way the Linux\n kernel's memory subsystem handled the copy-on-write\n (COW) breakage of private read-only memory mappings. An\n unprivileged, local user could use this flaw to gain\n write access to otherwise read-only memory mappings and\n thus increase their privileges on the\n system.(CVE-2016-5195)\n\n - It was found that the RFC 5961 challenge ACK rate\n limiting as implemented in the Linux kernel's\n networking subsystem allowed an off-path attacker to\n leak certain information about a given connection by\n creating congestion on the global challenge ACK rate\n limit counter and then measuring the changes by probing\n packets. An off-path attacker could use this flaw to\n either terminate TCP connection and/or inject payload\n into non-secured TCP connection between two endpoints\n on the network.(CVE-2016-5696)\n\n - A heap-based buffer overflow vulnerability was found in\n the Linux kernel's hiddev driver. This flaw could allow\n a local attacker to corrupt kernel memory, possible\n privilege escalation or crashing the\n system.(CVE-2016-5829)\n\n - When creating audit records for parameters to executed\n children processes, an attacker can convince the Linux\n kernel audit subsystem can create corrupt records which\n may allow an attacker to misrepresent or evade logging\n of executing commands.(CVE-2016-6136)\n\n - It was found that the unlink and rename functionality\n in overlayfs did not verify the upper dentry for\n staleness. A local, unprivileged user could use the\n rename syscall on overlayfs on top of xfs to panic or\n crash the system.(CVE-2016-6197)\n\n - A flaw was found that the vfs_rename() function did not\n detect hard links on overlayfs. A local, unprivileged\n user could use the rename syscall on overlayfs on top\n of xfs to crash the system.(CVE-2016-6198)\n\n - System using the infiniband support module ib_srpt were\n vulnerable to a denial of service by system crash by a\n local attacker who is able to abort writes to a device\n using this initiator.(CVE-2016-6327)\n\n - A race condition flaw was found in the ioctl_send_fib()\n function in the Linux kernel's aacraid implementation.\n A local attacker could use this flaw to cause a denial\n of service (out-of-bounds access or system crash) by\n changing a certain size value.(CVE-2016-6480)\n\n - kernel/events/core.c in the performance subsystem in\n the Linux kernel before 4.0 mismanages locks during\n certain migrations, which allows local users to gain\n privileges via a crafted application, aka Android\n internal bug 30955111.(CVE-2016-6786)\n\n - kernel/events/core.c in the performance subsystem in\n the Linux kernel before 4.0 mismanages locks during\n certain migrations, which allows local users to gain\n privileges via a crafted application, aka Android\n internal bug 31095224.(CVE-2016-6787)\n\n - A use-after-free vulnerability was found in\n tcp_xmit_retransmit_queue and other tcp_* functions.\n This condition could allow an attacker to send an\n incorrect selective acknowledgment to existing\n connections, possibly resetting a\n connection.(CVE-2016-6828)\n\n - Linux kernel built with the 802.1Q/802.1ad\n VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local\n Area Network(CONFIG_VXLAN) with Transparent Ethernet\n Bridging(TEB) GRO support, is vulnerable to a stack\n overflow issue. It could occur while receiving large\n packets via GRO path, as an unlimited recursion could\n unfold in both VLAN and TEB modules, leading to a stack\n corruption in the kernel.(CVE-2016-7039)\n\n - It was found that when the gcc stack protector was\n enabled, reading the /proc/keys file could cause a\n panic in the Linux kernel due to stack corruption. This\n happened because an incorrect buffer size was used to\n hold a 64-bit timeout value rendered as\n weeks.(CVE-2016-7042)\n\n - It was found that when file permissions were modified\n via chmod and the user modifying them was not in the\n owning group or capable of CAP_FSETID, the setgid bit\n would be cleared. Setting a POSIX ACL via setxattr sets\n the file permissions as well as the new ACL, but\n doesn't clear the setgid bit in a similar way. This\n could allow a local user to gain group privileges via\n certain setgid applications.(CVE-2016-7097)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1494\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e64722c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5829\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.6_42\",\n \"kernel-devel-3.10.0-862.14.1.6_42\",\n \"kernel-headers-3.10.0-862.14.1.6_42\",\n \"kernel-tools-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-devel-3.10.0-862.14.1.6_42\",\n \"perf-3.10.0-862.14.1.6_42\",\n \"python-perf-3.10.0-862.14.1.6_42\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-18T14:29:45", "description": "An update for kernel-rt is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {}, "published": "2016-11-04T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel-rt (RHSA-2016:2584)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2017-13167"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2016-2584.NASL", "href": "https://www.tenable.com/plugins/nessus/94547", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2584. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94547);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2017-13167\");\n script_xref(name:\"RHSA\", value:\"2016:2584\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2016:2584)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled\nsocket options. A local attacker could abuse concurrent access to the\nsocket options to escalate their privileges, or cause a denial of\nservice (use-after-free and system crash) via a crafted sendmsg system\ncall. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the\nLinux kernel. Space precludes documenting each of these issues in this\nadvisory. Refer to the CVE links in the References section for a\ndescription of each of these vulnerabilities. (CVE-2013-4312,\nCVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844,\nCVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847,\nCVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5829,\nCVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480,\nCVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384,\nCVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting\nCVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo\nkernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn\nCrosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was\ndiscovered by Venkatesh Pottem (Red Hat Engineering); the\nCVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav\nVadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered\nby Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered\nby CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by\nJan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2584\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8374\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8543\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8746\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8845\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8956\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3156\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5829\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-13167\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2017-13167\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2584\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2584\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-rt-doc-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-3.10.0-514.rt56.420.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-debuginfo-3.10.0-514.rt56.420.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:30:43", "description": "Security Fix(es) :\n\n - It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n(CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nAdditional Changes :", "cvss3": {}, "published": "2016-12-15T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20161103)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20161103_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95841", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95841);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5412\", \"CVE-2016-5828\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20161103)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that the Linux kernel's IPv6 implementation\n mishandled socket options. A local attacker could abuse\n concurrent access to the socket options to escalate\n their privileges, or cause a denial of service\n (use-after-free and system crash) via a crafted sendmsg\n system call. (CVE-2016-3841, Important)\n\n(CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812,\nCVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069,\nCVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794,\nCVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136,\nCVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746,\nCVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070,\nCVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nAdditional Changes :\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1612&L=scientific-linux-errata&F=&S=&P=12735\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?77976f21\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:30:18", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {}, "published": "2016-11-04T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel (RHSA-2016:2574)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3044", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7914", "CVE-2016-7915", "CVE-2016-9794", "CVE-2017-13167", "CVE-2018-16597"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2016-2574.NASL", "href": "https://www.tenable.com/plugins/nessus/94537", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2574. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94537);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3044\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5412\", \"CVE-2016-5828\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2016-7914\", \"CVE-2016-7915\", \"CVE-2016-9794\", \"CVE-2017-13167\", \"CVE-2018-16597\");\n script_xref(name:\"RHSA\", value:\"2016:2574\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2016:2574)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled\nsocket options. A local attacker could abuse concurrent access to the\nsocket options to escalate their privileges, or cause a denial of\nservice (use-after-free and system crash) via a crafted sendmsg system\ncall. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the\nLinux kernel. Space precludes documenting each of these issues in this\nadvisory. Refer to the CVE links in the References section for a\ndescription of each of these vulnerabilities. (CVE-2013-4312,\nCVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844,\nCVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847,\nCVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412,\nCVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198,\nCVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956,\nCVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699,\nCVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting\nCVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo\nkernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn\nCrosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was\ndiscovered by Venkatesh Pottem (Red Hat Engineering); the\nCVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav\nVadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered\nby Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered\nby CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by\nJan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2574\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-4312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8374\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8543\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8746\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8845\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8956\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3044\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3156\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5828\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5829\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7914\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-13167\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-16597\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3044\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5412\", \"CVE-2016-5828\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2016-7914\", \"CVE-2016-7915\", \"CVE-2016-9794\", \"CVE-2017-13167\", \"CVE-2018-16597\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2574\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2574\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-514.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:19:47", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-2574 advisory.\n\n - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)\n\n - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)\n\n - The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data. (CVE-2016-2117)\n\n - The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service (system crash) via a rename system call, related to fs/namei.c and fs/open.c. (CVE-2016-6198)\n\n - Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. (CVE-2016-2069)\n\n - The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses. (CVE-2016-3156)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls. (CVE-2016-4581)\n\n - fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. (CVE-2016-2847)\n\n - fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action. (CVE-2015-8374)\n\n - Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)\n\n - The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application. (CVE-2015-8844)\n\n - The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application. (CVE-2015-8845)\n\n - The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)\n\n - The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. (CVE-2016-2053)\n\n - Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)\n\n - The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)\n\n - sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.\n (CVE-2016-4578)\n\n - arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction. (CVE-2016-5412)\n\n - drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation. (CVE-2016-6327)\n\n - Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)\n\n - fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) via crafted network traffic. (CVE-2015-8746)\n\n - drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use- after-free) via crafted packets. (CVE-2015-8812)\n\n - The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move. (CVE-2016-3070)\n\n - The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd. (CVE-2016-3699)\n\n - The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841)\n\n - Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls. (CVE-2016-4794)\n\n - The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc platforms mishandles transactional state, which allows local users to cause a denial of service (invalid process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by starting and suspending a transaction before an exec system call. (CVE-2016-5828)\n\n - Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a double fetch vulnerability. (CVE-2016-6136)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2016-11-11T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : kernel (ELSA-2016-2574)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3044", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7914", "CVE-2016-7915", "CVE-2016-9794", "CVE-2017-13167", "CVE-2018-16597"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-2574.NASL", "href": "https://www.tenable.com/plugins/nessus/94697", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-2574.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94697);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2013-4312\",\n \"CVE-2015-8374\",\n \"CVE-2015-8543\",\n \"CVE-2015-8746\",\n \"CVE-2015-8812\",\n \"CVE-2015-8844\",\n \"CVE-2015-8845\",\n \"CVE-2015-8956\",\n \"CVE-2016-2053\",\n \"CVE-2016-2069\",\n \"CVE-2016-2117\",\n \"CVE-2016-2384\",\n \"CVE-2016-2847\",\n \"CVE-2016-3044\",\n \"CVE-2016-3070\",\n \"CVE-2016-3156\",\n \"CVE-2016-3699\",\n \"CVE-2016-3841\",\n \"CVE-2016-4569\",\n \"CVE-2016-4578\",\n \"CVE-2016-4581\",\n \"CVE-2016-4794\",\n \"CVE-2016-5412\",\n \"CVE-2016-5828\",\n \"CVE-2016-5829\",\n \"CVE-2016-6136\",\n \"CVE-2016-6198\",\n \"CVE-2016-6327\",\n \"CVE-2016-6480\",\n \"CVE-2016-7914\",\n \"CVE-2016-7915\",\n \"CVE-2016-9794\",\n \"CVE-2017-13167\",\n \"CVE-2018-16597\"\n );\n script_xref(name:\"RHSA\", value:\"2016:2574\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2016-2574)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2016-2574 advisory.\n\n - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of\n service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to\n net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)\n\n - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,\n does not validate protocol identifiers for certain protocol families, which allows local users to cause a\n denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by\n leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)\n\n - The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2\n incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from\n kernel memory by reading packet data. (CVE-2016-2117)\n\n - The filesystem layer in the Linux kernel before 4.5.5 proceeds with post-rename operations after an\n OverlayFS file is renamed to a self-hardlink, which allows local users to cause a denial of service\n (system crash) via a rename system call, related to fs/namei.c and fs/open.c. (CVE-2016-6198)\n\n - Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges\n by triggering access to a paging structure by a different CPU. (CVE-2016-2069)\n\n - The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which\n allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large\n number of IP addresses. (CVE-2016-3156)\n\n - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a\n certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted series of mount system calls. (CVE-2016-4581)\n\n - fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows\n local users to cause a denial of service (memory consumption) by creating many pipes with non-default\n sizes. (CVE-2016-2847)\n\n - fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local\n users to obtain sensitive pre-truncation information from a file via a clone action. (CVE-2015-8374)\n\n - Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in\n the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified\n other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)\n\n - The signal implementation in the Linux kernel before 4.3.5 on powerpc platforms does not check for an MSR\n with both the S and T bits set, which allows local users to cause a denial of service (TM Bad Thing\n exception and panic) via a crafted application. (CVE-2015-8844)\n\n - The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on\n powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call,\n which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted\n application. (CVE-2015-8845)\n\n - The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local\n users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors\n involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)\n\n - The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to\n cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. (CVE-2016-2053)\n\n - Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel\n before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have\n unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)\n\n - The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not\n initialize a certain data structure, which allows local users to obtain sensitive information from kernel\n stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)\n\n - sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which\n allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA\n timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.\n (CVE-2016-4578)\n\n - arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when\n CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite\n loop) by making a H_CEDE hypercall during the existence of a suspended transaction. (CVE-2016-5412)\n\n - drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a\n denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a\n device write operation. (CVE-2016-6327)\n\n - Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel\n through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by\n changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)\n\n - fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 does not properly initialize memory\n for migration recovery operations, which allows remote NFS servers to cause a denial of service (NULL\n pointer dereference and panic) via crafted network traffic. (CVE-2015-8746)\n\n - drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error\n conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-\n after-free) via crafted packets. (CVE-2015-8812)\n\n - The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel\n before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service\n (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a\n certain page move. (CVE-2016-3070)\n\n - The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted\n with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute\n untrusted code by appending ACPI tables to the initrd. (CVE-2016-3699)\n\n - The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain\n privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system\n call. (CVE-2016-3841)\n\n - Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a\n denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf\n system calls. (CVE-2016-4794)\n\n - The start_thread function in arch/powerpc/kernel/process.c in the Linux kernel through 4.6.3 on powerpc\n platforms mishandles transactional state, which allows local users to cause a denial of service (invalid\n process state or TM Bad Thing exception, and system crash) or possibly have unspecified other impact by\n starting and suspending a transaction before an exec system call. (CVE-2016-5828)\n\n - Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through\n 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by\n changing a certain string, aka a double fetch vulnerability. (CVE-2016-6136)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-2574.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8812\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['3.10.0-514.el7'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-2574');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '3.10';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-3.10.0'},\n {'reference':'kernel-abi-whitelists-3.10.0-514.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-whitelists-3.10.0'},\n {'reference':'kernel-debug-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-3.10.0'},\n {'reference':'kernel-debug-devel-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-3.10.0'},\n {'reference':'kernel-devel-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-3.10.0'},\n {'reference':'kernel-headers-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-3.10.0'},\n {'reference':'kernel-tools-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-3.10.0'},\n {'reference':'kernel-tools-libs-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-3.10.0'},\n {'reference':'kernel-tools-libs-devel-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-3.10.0'},\n {'reference':'perf-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-3.10.0-514.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:54", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {}, "published": "2016-11-28T00:00:00", "type": "nessus", "title": "CentOS 7 : kernel (CESA-2016:2574)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3044", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7914", "CVE-2016-7915", "CVE-2016-9794", "CVE-2017-13167", "CVE-2018-16597"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2016-2574.NASL", "href": "https://www.tenable.com/plugins/nessus/95321", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2574 and \n# CentOS Errata and Security Advisory 2016:2574 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95321);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-4312\", \"CVE-2015-8374\", \"CVE-2015-8543\", \"CVE-2015-8746\", \"CVE-2015-8812\", \"CVE-2015-8844\", \"CVE-2015-8845\", \"CVE-2015-8956\", \"CVE-2016-2053\", \"CVE-2016-2069\", \"CVE-2016-2117\", \"CVE-2016-2384\", \"CVE-2016-2847\", \"CVE-2016-3044\", \"CVE-2016-3070\", \"CVE-2016-3156\", \"CVE-2016-3699\", \"CVE-2016-3841\", \"CVE-2016-4569\", \"CVE-2016-4578\", \"CVE-2016-4581\", \"CVE-2016-4794\", \"CVE-2016-5412\", \"CVE-2016-5828\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6198\", \"CVE-2016-6327\", \"CVE-2016-6480\", \"CVE-2016-7914\", \"CVE-2016-7915\", \"CVE-2016-9794\", \"CVE-2017-13167\", \"CVE-2018-16597\");\n script_xref(name:\"RHSA\", value:\"2016:2574\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2016:2574)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that the Linux kernel's IPv6 implementation mishandled\nsocket options. A local attacker could abuse concurrent access to the\nsocket options to escalate their privileges, or cause a denial of\nservice (use-after-free and system crash) via a crafted sendmsg system\ncall. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the\nLinux kernel. Space precludes documenting each of these issues in this\nadvisory. Refer to the CVE links in the References section for a\ndescription of each of these vulnerabilities. (CVE-2013-4312,\nCVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844,\nCVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847,\nCVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412,\nCVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198,\nCVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956,\nCVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699,\nCVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting\nCVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo\nkernel team and Solar Designer (Openwall) for reporting CVE-2016-3156;\nJustin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn\nCrosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was\ndiscovered by Venkatesh Pottem (Red Hat Engineering); the\nCVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav\nVadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered\nby Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered\nby CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by\nJan Stancek (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2016-November/003609.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e4a0f0ff\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8812\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2023-06-03T15:48:40", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * linux-snapdragon \\- Linux kernel for Snapdragon Processors\n\nBen Hawkes discovered an integer overflow in the Linux netfilter \nimplementation. On systems running 32 bit kernels, a local unprivileged \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code with administrative privileges. \n(CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot ensure a data structure was initialized before referencing it after an \nerror condition occurred. A local attacker could use this to cause a denial \nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu \nallocator in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of \nthe Linux kernel. A local attacker could use this to obtain sensitive \ninformation from kernel memory. (CVE-2016-5243)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-10T00:00:00", "type": "ubuntu", "title": "Linux kernel (Qualcomm Snapdragon) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-10T00:00:00", "id": "USN-3057-1", "href": "https://ubuntu.com/security/notices/USN-3057-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-03T15:48:41", "description": "## Releases\n\n * Ubuntu 14.04 ESM\n\n## Packages\n\n * linux-lts-xenial \\- Linux hardware enablement kernel from Xenial for Trusty\n\nBen Hawkes discovered an integer overflow in the Linux netfilter \nimplementation. On systems running 32 bit kernels, a local unprivileged \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code with administrative privileges. \n(CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot ensure a data structure was initialized before referencing it after an \nerror condition occurred. A local attacker could use this to cause a denial \nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu \nallocator in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of \nthe Linux kernel. A local attacker could use this to obtain sensitive \ninformation from kernel memory. (CVE-2016-5243)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-10T00:00:00", "type": "ubuntu", "title": "Linux kernel (Xenial HWE) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-10T00:00:00", "id": "USN-3054-1", "href": "https://ubuntu.com/security/notices/USN-3054-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-18T04:01:31", "description": "## Releases\n\n * Ubuntu 14.04 ESM\n\n## Packages\n\n * linux-lts-vivid \\- Linux hardware enablement kernel from Vivid for Trusty\n\nA missing permission check when settings ACLs was discovered in nfsd. A \nlocal user could exploit this flaw to gain access to any file by setting an \nACL. (CVE-2016-1237)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot ensure a data structure was initialized before referencing it after an \nerror condition occurred. A local attacker could use this to cause a denial \nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu \nallocator in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of \nthe Linux kernel. A local attacker could use this to obtain sensitive \ninformation from kernel memory. (CVE-2016-5243)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-10T00:00:00", "type": "ubuntu", "title": "Linux kernel (Vivid HWE) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1237", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-10T00:00:00", "id": "USN-3053-1", "href": "https://ubuntu.com/security/notices/USN-3053-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-03T15:48:42", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * linux \\- Linux kernel\n\nBen Hawkes discovered an integer overflow in the Linux netfilter \nimplementation. On systems running 32 bit kernels, a local unprivileged \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code with administrative privileges. \n(CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot ensure a data structure was initialized before referencing it after an \nerror condition occurred. A local attacker could use this to cause a denial \nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu \nallocator in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of \nthe Linux kernel. A local attacker could use this to obtain sensitive \ninformation from kernel memory. (CVE-2016-5243)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-10T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-10T00:00:00", "id": "USN-3055-1", "href": "https://ubuntu.com/security/notices/USN-3055-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-03T15:48:41", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * linux-raspi2 \\- Linux kernel for Raspberry Pi 2\n\nBen Hawkes discovered an integer overflow in the Linux netfilter \nimplementation. On systems running 32 bit kernels, a local unprivileged \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code with administrative privileges. \n(CVE-2016-3135)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot ensure a data structure was initialized before referencing it after an \nerror condition occurred. A local attacker could use this to cause a denial \nof service (system crash). (CVE-2016-4470)\n\nSasha Levin discovered that a use-after-free existed in the percpu \nallocator in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code with \nadministrative privileges. (CVE-2016-4794)\n\nKangjie Lu discovered an information leak in the netlink implementation of \nthe Linux kernel. A local attacker could use this to obtain sensitive \ninformation from kernel memory. (CVE-2016-5243)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-10T00:00:00", "type": "ubuntu", "title": "Linux kernel (Raspberry Pi 2) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3135", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-10T00:00:00", "id": "USN-3056-1", "href": "https://ubuntu.com/security/notices/USN-3056-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2023-09-24T05:46:28", "description": "USN-3053-1/USN-3037-1 Linux kernel (Vivid HWE) vulnerability\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nA missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. ([CVE-2016-1237](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1237.html>))\n\nIt was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). ([CVE-2016-4470](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4470.html>))\n\nSasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. ([CVE-2016-4794](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4794.html>))\n\nKangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. ([CVE-2016-5243](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5243.html>))\n\nJan Stancek discovered that the Linux kernel\u2019s memory manager did not properly handle moving pages mapped by the asynchronous I/O (AIO) ring buffer to the other nodes. A local attacker could use this to cause a denial of service (system crash).\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.19 AND 3232.x versions prior to 3232.16 AND other versions prior to 3262.8 are vulnerable\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team has released patched BOSH stemcells 3146.19 and 3232.16 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.19 OR 3232.x versions to 3232.16\n\n# Credit\n\nSasha Levin, Kangjie Lu, and Jan Stancek\n\n# References\n\n * <http://www.ubuntu.com/usn/USN-3053-1/>\n * <http://www.ubuntu.com/usn/usn-3037-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1237.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4470.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4794.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5243.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3070.html>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-25T00:00:00", "type": "cloudfoundry", "title": "USN-3053-1/USN-3037-1 Linux kernel (Vivid HWE) vulnerability | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1237", "CVE-2016-3070", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-5243"], "modified": "2016-08-25T00:00:00", "id": "CFOUNDRY:897C3471765453EA05465A73CDC16BBB", "href": "https://www.cloudfoundry.org/blog/usn-3053-1usn-3037-1/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2023-09-24T09:29:40", "description": "This update is based on the upstream 4.4.16 kernel and fixes at least theese security issues: nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c. (CVE-2016-1237). The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (CVE-2016-1583). The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (CVE-2016-4470). Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (CVE-2016-4794). The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation (CVE-2016-4951). The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. (CVE-2016-4997). The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (CVE-2016-4998). Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (CVE-2016-5829). For other fixes in this update, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-31T15:32:33", "type": "mageia", "title": "Updated kernel-linus packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1237", "CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-4951", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5829"], "modified": "2016-08-31T15:32:33", "id": "MGASA-2016-0284", "href": "https://advisories.mageia.org/MGASA-2016-0284.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-24T09:29:40", "description": "This update is based on the upstream 4.4.16 kernel and fixes at least theese security issues: nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c. (CVE-2016-1237). The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (CVE-2016-1583). The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (CVE-2016-4470). Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (CVE-2016-4794). The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation (CVE-2016-4951). The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. (CVE-2016-4997). The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (CVE-2016-4998). A flaw was found in the implementation of the Linux kernel handling of networking challenge ack where an attacker is able to determine the shared counter. This may allow an attacker to inject or take over a TCP connection between a server and client without having to be a traditional Man In the Middle (MITM) style attack (CVE-2016-5696). Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (CVE-2016-5829). For other fixes in this update, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-07-31T20:39:13", "type": "mageia", "title": "Updated kernel packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1237", "CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-4951", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5696", "CVE-2016-5829"], "modified": "2016-07-31T20:39:13", "id": "MGASA-2016-0271", "href": "https://advisories.mageia.org/MGASA-2016-0271.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-24T09:29:40", "description": "This update is based on the upstream 4.4.16 kernel and fixes at least theese security issues: nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c. (CVE-2016-1237). The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling (CVE-2016-1583). The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (CVE-2016-4470). Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls (CVE-2016-4794). The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation (CVE-2016-4951). The compat IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. (CVE-2016-4997). The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary (CVE-2016-4998). A flaw was found in the implementation of the Linux kernel handling of networking challenge ack where an attacker is able to determine the shared counter. This may allow an attacker to inject or take over a TCP connection between a server and client without having to be a traditional Man In the Middle (MITM) style attack (CVE-2016-5696). Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call (CVE-2016-5829). For other fixes in this update, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-31T15:32:33", "type": "mageia", "title": "Updated kernel-tmb packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1237", "CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4794", "CVE-2016-4951", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5696", "CVE-2016-5829"], "modified": "2016-08-31T15:32:33", "id": "MGASA-2016-0283", "href": "https://advisories.mageia.org/MGASA-2016-0283.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:39", "description": "kernel-uek\n[4.1.12-61.1.19]\n- acpi: Disable ACPI table override if securelevel is set (Linn Crosetto) [Orabug: 25058966] {CVE-2016-3699}\n- aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060060] {CVE-2016-6480} {CVE-2016-6480}\n- audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [Orabug: 25059969] {CVE-2016-6136}\n- ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 25023269] {CVE-2016-1583} {CVE-2016-1583}\n- Revert 'ecryptfs: forbid opening files without mmap handler' (Chuck Anderson) [Orabug: 24971921] {CVE-2016-1583}\n- percpu: fix synchronization between synchronous map extension and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794}\n- percpu: fix synchronization between chunk->map_extend_work and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794}\n- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578}\n- ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578}\n- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059752] {CVE-2016-4569}\n- Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058894] {CVE-2015-8956}\n- ASN.1: Fix non-match detection failure on data overrun (David Howells) [Orabug: 25059037] {CVE-2016-2053}\n- mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059188] {CVE-2016-3070}\n[4.1.12-61.1.18]\n- uek-rpm ol7: change uek-rpm/ol7/update-el release value from 7.1 to 7.3 (Chuck Anderson) [Orabug: 25050614]", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-20T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8956", "CVE-2016-1583", "CVE-2016-2053", "CVE-2016-3070", "CVE-2016-3699", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4794", "CVE-2016-6136", "CVE-2016-6480"], "modified": "2016-11-20T00:00:00", "id": "ELSA-2016-3644", "href": "http://linux.oracle.com/errata/ELSA-2016-3644.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:24:50", "description": "- [3.10.0-514.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [bug 24817676]\n[3.10.0-514]\n- [mm] remove gup_flags FOLL_WRITE games from __get_user_pages() (Larry Woodman) [1385124] {CVE-2016-5195}\n[3.10.0-513]\n- [md] dm raid: fix compat_features validation (Mike Snitzer) [1383726]\n[3.10.0-512]\n- [fs] revert 'ext4: pre-zero allocated blocks for DAX IO' (Eric Sandeen) [1380571]\n- [fs] nfsd: fix corruption in notifier registration ('J. Bruce Fields') [1378363]\n- [fs] xfs: log recovery tracepoints to track current lsn and buffer submission (Brian Foster) [1362730]\n- [fs] xfs: update metadata LSN in buffers during log recovery (Brian Foster) [1362730]\n- [fs] xfs: dont warn on buffers not being recovered due to LSN (Brian Foster) [1362730]\n- [fs] xfs: pass current lsn to log recovery buffer validation (Brian Foster) [1362730]\n- [fs] xfs: rework log recovery to submit buffers on LSN boundaries (Brian Foster) [1362730]\n- [x86] perf/uncore: Disable uncore on kdump kernel (Jiri Olsa) [1379569]\n- [netdrv] mlx4_core: Fix to clean devlink resources (Kamal Heib) [1379504]\n[3.10.0-511]\n- [net] add recursion limit to GRO (Sabrina Dubroca) [1374191] {CVE-2016-7039}\n- [mm] cgroup: fix hugetlb_cgroup_read() (Jerome Marchand) [1378236]\n- [fs] nfs: change invalidatepage prototype to accept length (Benjamin Coddington) [1366131]\n- [fs] xfs: quiesce the filesystem after recovery on readonly mount (Eric Sandeen) [1375457]\n- [fs] xfs: rework buffer dispose list tracking (Brian Foster) [1349175]\n- [fs] ext4: pre-zero allocated blocks for DAX IO (Eric Sandeen) [1367989]\n- [fs] gfs2: Initialize atime of I_NEW inodes (Andreas Grunbacher) [1379447]\n- [fs] gfs2: Update file times after grabbing glock (Andreas Grunbacher) [1379447]\n- [x86] topology: Handle CPUID bogosity gracefully (Vitaly Kuznetsov) [1377988]\n- [netdrv] sfc: check async completer is !NULL before calling (Jarod Wilson) [1368201]\n- [infiniband] ib/mlx5: Fix iteration overrun in GSI qps (Don Dutile) [1376941]\n[3.10.0-510]\n- [kernel] audit: fix exe_file access in audit_exe_compare (Richard Guy Briggs) [1374478]\n- [kernel] mm: introduce get_task_exe_file (Richard Guy Briggs) [1374478]\n- [kernel] prctl: avoid using mmap_sem for exe_file serialization (Richard Guy Briggs) [1374478]\n- [kernel] mm: rcu-protected get_mm_exe_file() (Richard Guy Briggs) [1374478]\n- [dm] dm-raid: reverse validation of nosync+rebuild flags (Heinz Mauelshagen) [1371717]\n- [x86] kvm: correctly reset dest_map->vector when restoring LAPIC state (Paolo Bonzini) [1367716]\n- [s390] dasd: fix hanging device after clear subchannel (Gustavo Duarte) [1368068]\n- [netdrv] bna: fix crash in bnad_get_strings() (Ivan Vecera) [1376508]\n- [netdrv] bna: add missing per queue ethtool stat (Ivan Vecera) [1376508]\n- [powerpc] kvm: Implement kvm_arch_intc_initialized() for PPC (David Gibson) [1375778]\n- [powerpc] kvm: book3s: Dont crash if irqfd used with no in-kernel XICS emulation (David Gibson) [1375778]\n[3.10.0-509]\n- [mm] sparse: use memblock apis for early memory allocations (Koki Sanagi) [1375453]\n- [mm] memblock: add memblock memory allocation apis (Koki Sanagi) [1375453]\n- [mm] thp: harden the debug kernel with a strict check for thp_mmu_gather (Andrea Arcangeli) [1369365]\n- [mm] thp: initialize thp_mmu_gather for newly allocated migrated pages (Andrea Arcangeli) [1369365]\n- [mm] thp: put_huge_zero_page() with MMU gather #2 (Andrea Arcangeli) [1369365]\n- [fs] nfs: fix BUG() crash in notify_change() with patch to chown_common() ('J. Bruce Fields') [1342695]\n- [net] ipv6: gro: fix forwarding of tunneled packets (Jiri Benc) [1375438]\n- [net] sctp: hold the transport before using it in sctp_hash_cmp (Xin Long) [1368884]\n- [net] sctp: identify chunks that need to be fragmented at IP level (Xin Long) [1371377]\n- [scsi] be2iscsi: revert: _bh for io_sgl_lock and mgmt_sgl_lock (Maurizio Lombardi) [1374223]\n- [block] blk-mq: Allow timeouts to run while queue is freezing (Gustavo Duarte) [1372483]\n- [block] defer timeouts to a workqueue (Gustavo Duarte) [1372483]\n- [netdrv] tg3: Fix for disallow tx coalescing time to be 0 (Ivan Vecera) [1368885]\n- [netdrv] tg3: Fix for diasllow rx coalescing time to be 0 (Ivan Vecera) [1368885]\n- [infiniband] rdma/ocrdma: Support user AH creation for RoCE-v2 (Don Dutile) [1376120]\n- [infiniband] rdma/ocrdma: Support RoCE-v2 in the RC path (Don Dutile) [1376120]\n- [infiniband] rdma/ocrdma: Support RoCE-v2 in the UD path (Don Dutile) [1376120]\n- [infiniband] rdma/ocrdma: Export udp encapsulation capability (Don Dutile) [1376120]\n- [infiniband] ib/mlx5: Fix wrong naming of port_rcv_data counter (Don Dutile) [1374862]\n[3.10.0-508]\n- [drm] i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: implement missing case for SKL watermarks calculation (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: fix the watermark res_blocks value (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: fix plane_blocks_per_line on watermarks calculations (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: minimum scanlines for Y tile is not always 4 (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: fix the WaWmMemoryReadLatency implementation (Lyude Paul) [1341633 1355776]\n- [drm] i915/skl: Dont try to update plane watermarks if they havent changed (Lyude Paul) [1341633 1355776]\n- [drm] i915/skl: Update DDB values atomically with wms/plane attrs (Lyude Paul) [1341633 1355776]\n- [drm] i915: Move CRTC updating in atomic_commit into its own hook (Lyude Paul) [1341633 1355776]\n- [drm] i915/skl: Ensure pipes with changed wms get added to the state (Lyude Paul) [1341633 1355776]\n- [drm] i915/skl: Update plane watermarks atomically during plane updates (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: Only copy WM results for changed pipes to skl_hw (Lyude Paul) [1341633 1355776]\n- [drm] i915/skl: Add support for the SAGV, fix underrun hangs (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen6+: Interpret mailbox error flags (Lyude Paul) [1341633 1355776]\n- [drm] i915/gen9: Only copy WM results for changed pipes to skl_hw (Lyude Paul) [1341633 1355776]\n[3.10.0-507]\n- [netdrv] ixgbe: fix spoofed packets with macvlans (Ken Cox) [1324631]\n- [tools] perf mem: Fix -t store option for record command (Jiri Olsa) [1357531 1357543]\n- [x86] clock: Fix kvm guest tsc initialization (Prarit Bhargava) [1372759]\n- [x86] tsc: Enumerate BXT tsc_khz via CPUID (Prarit Bhargava) [1372759]\n- [drm] i915: Enable polling when we dont have hpd (Lyude Paul) [1277863]\n- [drm] i915/vlv: Disable HPD in valleyview_crt_detect_hotplug() (Lyude Paul) [1277863]\n- [drm] i915/vlv: Reset the ADPA in vlv_display_power_well_init() (Lyude Paul) [1277863]\n- [drm] i915/vlv: Make intel_crt_reset() per-encoder (Lyude Paul) [1277863]\n- [fs] Fix NULL pointer dereference in bl_free_device() (Benjamin Coddington) [1356796]\n- [fs] nfs/blocklayout: support RH/Fedora dm-mpath device nodes (Benjamin Coddington) [1356796]\n- [fs] nfs/blocklayout: refactor open-by-wwn (Benjamin Coddington) [1356796]\n- [fs] nfs/blocklayout: use proper fmode for opening block devices (Benjamin Coddington) [1356796]\n- [fs] sunrpc: fix UDP memory accounting (Paolo Abeni) [1298899]\n[3.10.0-506]\n- [kernel] timekeeping: Cap adjustments so they dont exceed the maxadj value (Marcelo Tosatti) [1246218]\n- [kernel] fork: allocate idle task for a CPU always on its local node (Oleg Nesterov) [1339635]\n- [kernel] sys: do_sysinfo() use get_monotonic_boottime() (Milos Vyletel) [1373224]\n- [fs] proc/uptime: uptime_proc_show() use get_monotonic_boottime() (Milos Vyletel) [1373224]\n- [fs] exec: de_thread: mt-exec should update ->real_start_time (Milos Vyletel) [1373224]\n- [fs] ovl: clear nlink on rmdir (Miklos Szeredi) [1373787]\n- [fs] ovl: share inode for hard link (Miklos Szeredi) [1373787]\n- [fs] ovl: use generic_delete_inode (Miklos Szeredi) [1373787]\n- [fs] ovl: handle umask and posix_acl_default correctly on creation (Miklos Szeredi) [1351863]\n- [fs] ovl: fix sgid on directory (Miklos Szeredi) [1351863]\n- [fs] ovl: copyattr after setting POSIX ACL (Miklos Szeredi) [1371638]\n- [fs] ovl: Switch to generic_removexattr (Miklos Szeredi) [1371651]\n- [fs] ovl: Get rid of ovl_xattr_noacl_handlers array (Miklos Szeredi) [1371651]\n- [fs] ext4: print ext4 mount option data_err=abort correctly (Lukas Czerner) [1342403]\n- [fs] nfs4: Avoid migration loops (Benjamin Coddington) [1355977]\n- [fs] nfs: dont create zero-length requests (Benjamin Coddington) [1324635]\n- [fs] xfs: dont assert fail on non-async buffers on ioacct decrement (Brian Foster) [1363822]\n- [fs] btrfs: set S_IOPS_WRAPPER consistently (Eric Sandeen) [1182456]\n- [fs] xfs: prevent dropping ioend completions during buftarg wait (Brian Foster) [1370177]\n- [fs] gfs2: Fix extended attribute readahead optimization (Robert S Peterson) [1256539]\n- [mm] page_alloc: dont re-init pageset in zone_pcp_update() (Yasuaki Ishimatsu) [1374114]\n- [mm] readahead: Move readahead limit outside of readahead, and advisory syscalls (Kyle Walker) [1351353]\n- [net] veth: sctp: add NETIF_F_SCTP_CRC to device features (Xin Long) [1367105]\n- [net] veth: Update features to include all tunnel GSO types (Xin Long) [1367105]\n- [tty] serial: 8250_dw: add ability to handle the peripheral clock (Prarit Bhargava) [1367476]\n- [x86] mm: Fix regression panic at boot time seen on some NUMA systems (Larry Woodman) [1372047]\n- [x86] mm: non-linear virtual memory fix for KNL4 erratum (Larry Woodman) [1372047]\n- [x86] tsc: Add rdtscll() merge helper (Mitsuhiro Tanino) [1372398]\n- [x86] kvm: Expose more Intel AVX512 feature to guest (Paolo Bonzini) [1369038]\n- [s390] pci: remove iomap sanity checks (Jason Wang) [1373503]\n- [nvme] Add device IDs with stripe quirk (David Milburn) [1371642]\n- [scsi] mpt3sas: Fix panic when aer correct error occurred (Frank Ramsay) [1374745]\n- [iommu] vt-d: Disable passthrough mode on Kexec kernel (Myron Stowe) [1367621]\n- [netdrv] ixgbe: Eliminate useless message and improve logic (Ken Cox) [1369519]\n- [netdrv] sfc: check MTU against minimum threshold (Jarod Wilson) [1363683]\n[3.10.0-505]\n- [hv] balloon: replace ha_region_mutex with spinlock (Vitaly Kuznetsov) [1361245]\n- [hv] balloon: dont wait for ol_waitevent when memhp_auto_online is enabled (Vitaly Kuznetsov) [1361245]\n- [hv] balloon: account for gaps in hot add regions (Vitaly Kuznetsov) [1361245]\n- [hv] balloon: keep track of where ha_region starts (Vitaly Kuznetsov) [1361245]\n- [mm] memory-hotplug: add hot-added memory ranges to memblock before allocate node_data for a node (Yasuaki Ishimatsu) [1365766]\n- [mm] memory-hotplug: fix wrong edge when hot add a new node (Yasuaki Ishimatsu) [1365766]\n- [rtc] rtc-rx8581: Mark tech preview (Prarit Bhargava) [1362164]\n- [rtc] rtc-rx8581.c: add SMBus-only adapters support (Prarit Bhargava) [1362164]\n- [rtc] rtc-rx8581.c: remove empty function (Prarit Bhargava) [1362164]\n- [pci] Restore original checksums of pci symbols (Stanislav Kozina) [1370477]\n- [net] reserve kABI fields in struct packet_type (Jiri Benc) [1358738]\n- [net] openvswitch: Ignore negative headroom value (Jakub Sitnicki) [1369642]\n- [scsi] qla2xxx: Update the driver version to 8.07.00.33.07.3-k1 (Chad Dupuis) [1367530]\n- [scsi] qla2xxx: Set FLOGI retry in additional firmware options for P2P (N2N) mode (Chad Dupuis) [1361279]\n- [scsi] qla2xxx: prevent board_disable from running during EEH (Chad Dupuis) [1367530]\n- [kernel] sched/fair: Fix typo in sync_throttle() (Xunlei Pang) [1341003]\n- [kernel] sched/fair: Rework throttle_count sync (Xunlei Pang) [1341003]\n- [kernel] sched/fair: Do not announce throttled next buddy in dequeue_task_fair() (Xunlei Pang) [1341003]\n- [kernel] sched/fair: Initialize throttle_count for new task-groups lazily (Xunlei Pang) [1341003]\n- [kernel] audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [1359306] {CVE-2016-6136}\n- [powerpc] revert 'pci: Assign fixed PHB number based on device-tree properties' (Gustavo Duarte) [1360353 1373109]\n- [powerpc] revert 'pci: Fix endian bug in fixed PHB numbering' (Gustavo Duarte) [1360353 1373109]\n- [infiniband] rdma/ocrdma: Fix the max_sge reported from FW (Honggang Li) [1369540]\n[3.10.0-504]\n- [fs] dax: disable dax on ext2 and ext3 (Jeff Moyer) [1369900]\n- [fs] dax: mark tech preview (Jeff Moyer) [1369825]\n- [fs] pmem: disable dax mounting in the prsence of media errors (Jeff Moyer) [1367132]\n- [fs] xfs: Add alignment check for DAX mount (Jeff Moyer) [1367132]\n- [fs] ext4: Add alignment check for DAX mount (Jeff Moyer) [1367132]\n- [fs] block: Add bdev_dax_supported() for dax mount checks (Jeff Moyer) [1367132]\n- [fs] block: Add vfs_msg() interface (Jeff Moyer) [1367132]\n- [tools] x86/insn: remove pcommit (Jeff Moyer) [1350153]\n- [x86] revert 'kvm: x86: add pcommit support' (Jeff Moyer) [1350153]\n- [tools] pmem: kill __pmem address space (Jeff Moyer) [1350153]\n- [kernel] pmem: kill wmb_pmem() (Jeff Moyer) [1350153]\n- [nvdimm] libnvdimm, pmem: use nvdimm_flush() for namespace I/O writes (Jeff Moyer) [1350153]\n- [fs] dax: remove wmb_pmem() (Jeff Moyer) [1350153]\n- [kernel] libnvdimm, pmem: flush posted-write queues on shutdown (Jeff Moyer) [1350153]\n- [nvdimm] libnvdimm, pmem: use REQ_FUA, REQ_FLUSH for nvdimm_flush() (Jeff Moyer) [1350153]\n- [nvdimm] libnvdimm: cycle flush hints (Jeff Moyer) [1350153]\n- [kernel] libnvdimm: introduce nvdimm_flush() and nvdimm_has_flush() (Jeff Moyer) [1350153]\n- [nvdimm] libnvdimm: keep region data alive over namespace removal (Jeff Moyer) [1350153]\n- [tools] testing/nvdimm: simulate multiple flush hints per-dimm (Jeff Moyer) [1350153]\n- [kernel] libnvdimm, nfit: move flush hint mapping to region-device driver-data (Jeff Moyer) [1350153]\n- [kernel] libnvdimm, nfit: remove nfit_spa_map() infrastructure (Jeff Moyer) [1350153]\n- [kernel] libnvdimm: introduce devm_nvdimm_memremap(), convert nfit_spa_map() users (Jeff Moyer) [1350153]\n- [acpi] nfit: dont override return value of nfit_mem_init (Jeff Moyer) [1350153]\n- [acpi] nfit: always associate flush hints (Jeff Moyer) [1350153]\n- [tools] testing/nvdimm: remove __wrap_devm_memremap_pages placeholder (Jeff Moyer) [1350153]\n- [kernel] devm: add helper devm_add_action_or_reset() (Jeff Moyer) [1350153]\n[3.10.0-503]\n- [scsi] sas: remove is_sas_attached() (Ewan Milne) [1370231]\n- [scsi] ses: use scsi_is_sas_rphy instead of is_sas_attached (Ewan Milne) [1370231]\n- [scsi] sas: provide stub implementation for scsi_is_sas_rphy (Ewan Milne) [1370231]\n- [target] lio: assume a maximum of 1024 iovecs (Andy Grover) [1367597]\n- [scsi] smartpqi: bump driver version (Scott Benesh) [1370631]\n- [scsi] smartpqi: add smartpqi.txt (Scott Benesh) [1370631]\n- [scsi] smartpqi: update maintainers (Scott Benesh) [1370631]\n- [scsi] smartpqi: update Kconfig (Scott Benesh) [1370631]\n- [scsi] smartpqi: remove timeout for cache flush operations (Scott Benesh) [1370631]\n- [scsi] smartpqi: scsi queuecommand cleanup (Scott Benesh) [1370631]\n- [scsi] smartpqi: minor tweaks to update time support (Scott Benesh) [1370631]\n- [scsi] smartpqi: minor function reformating (Scott Benesh) [1370631]\n- [scsi] smartpqi: correct event acknowledgement timeout issue (Scott Benesh) [1370631]\n- [scsi] smartpqi: correct controller offline issue (Scott Benesh) [1370631]\n- [scsi] smartpqi: add kdump support (Scott Benesh) [1370631]\n- [scsi] smartpqi: enhance reset logic (Scott Benesh) [1370631]\n- [scsi] smartpqi: enhance drive offline informational message (Scott Benesh) [1370631]\n- [scsi] smartpqi: simplify spanning (Scott Benesh) [1370631]\n- [scsi] smartpqi: change tmf macro names (Scott Benesh) [1370631]\n- [scsi] smartpqi: change aio sg processing (Scott Benesh) [1370631]\n[3.10.0-502]\n- [fs] rbd: add force close option (Ilya Dryomov) [1196119]\n- [fs] rbd: add 'config_info' sysfs rbd device attribute (Ilya Dryomov) [1196119]\n- [fs] rbd: add 'snap_id' sysfs rbd device attribute (Ilya Dryomov) [1196119]\n- [fs] rbd: add 'cluster_fsid' sysfs rbd device attribute (Ilya Dryomov) [1196119]\n- [fs] rbd: add 'client_addr' sysfs rbd device attribute (Ilya Dryomov) [1196119]\n- [fs] rbd: print capacity in decimal and features in hex (Ilya Dryomov) [1196119]\n- [fs] rbd: support for exclusive-lock feature (Ilya Dryomov) [1196119]\n- [fs] rbd: retry watch re-registration periodically (Ilya Dryomov) [1196119]\n- [fs] rbd: introduce a per-device ordered workqueue (Ilya Dryomov) [1196119]\n- [fs] libceph: rename ceph_client_id() -> ceph_client_gid() (Ilya Dryomov) [1196119]\n- [fs] libceph: support for blacklisting clients (Ilya Dryomov) [1196119]\n- [fs] libceph: support for lock.lock_info (Ilya Dryomov) [1196119]\n- [fs] libceph: support for advisory locking on RADOS objects (Ilya Dryomov) [1196119]\n- [fs] libceph: add ceph_osdc_call() single-page helper (Ilya Dryomov) [1196119]\n- [fs] libceph: support for CEPH_OSD_OP_LIST_WATCHERS (Ilya Dryomov) [1196119]\n- [fs] libceph: rename ceph_entity_name_encode() -> ceph_auth_entity_name_encode() (Ilya Dryomov) [1196119]\n- [fs] libceph: make cancel_generic_request() static (Ilya Dryomov) [1196119]\n- [fs] libceph: fix return value check in alloc_msg_with_page_vector() (Ilya Dryomov) [1196119]\n- [fs] ceph: fix symbol versioning for ceph_monc_do_statfs (Ilya Dryomov) [1196119]\n- [fs] libceph: add start en/decoding block helpers (Ilya Dryomov) [1196119]\n- [fs] libceph: add an ONSTACK initializer for oids (Ilya Dryomov) [1196119]\n- [fs] libceph: fix some missing includes (Ilya Dryomov) [1196119]\n- [mm] swap: flush lru pvecs on compound page arrival (Jerome Marchand) [1341766 1343920]\n- [md] raid1/raid10: slow down resync if there is non-resync activity pending (Jes Sorensen) [1371545]\n- [x86] hibernate: Use hlt_play_dead() when resuming from hibernation (Lenny Szubowicz) [1229590]\n- [x86] Mark Intel Purley 2 socket processor as supported (Steve Best) [1362645]\n- [i2c] i801: Add support for Kaby Lake PCH-H (David Arcari) [1310953]\n- [mfd] lpss: Add Intel Kaby Lake PCH-H PCI IDs (David Arcari) [1310953]\n- [usb] dwc3: pci: add Intel Kabylake PCI ID (David Arcari) [1310953]\n- [edac] sb_edac: Fix channel reporting on Knights Landing (Aristeu Rozanski) [1367330]\n- [include] bluetooth: Fix kabi breakage in struct hci_core (Don Zickus) [1370583]\n- [powerpc] pci: Fix endian bug in fixed PHB numbering (Gustavo Duarte) [1360353]\n- [powerpc] pci: Assign fixed PHB number based on device-tree properties (Gustavo Duarte) [1360353]\n[3.10.0-501]\n- [netdrv] sfc: work around TRIGGER_INTERRUPT command not working on SFC9140 (Jarod Wilson) [1368201]\n- [netdrv] sfc: remove duplicate assignment (Jarod Wilson) [1368201]\n- [netdrv] sfc: include size-binned TX stats on sfn8542q (Jarod Wilson) [1368201]\n- [netdrv] sfc: fix potential stack corruption from running past stat bitmask (Jarod Wilson) [1368201]\n- [netdrv] sfc: avoid division by zero (Jarod Wilson) [1368201]\n- [netdrv] sfc: get timer configuration from adapter (Jarod Wilson) [1368201]\n- [netdrv] sfc: set interrupt moderation via MCDI (Jarod Wilson) [1368201]\n- [netdrv] sfc: use new performance based event queue init (Jarod Wilson) [1368201]\n- [netdrv] sfc: retrieve second word of datapath capabilities (Jarod Wilson) [1368201]\n- [netdrv] sfc: allow asynchronous MCDI without completion function (Jarod Wilson) [1368201]\n- [netdrv] sfc: update MCDI protocol headers (Jarod Wilson) [1368201]\n- [netdrv] sfc: avoid -Wtype-limits warning (Jarod Wilson) [1368201]\n- [netdrv] sfc: Fix VLAN filtering feature if vPort has VLAN_RESTRICT flag (Jarod Wilson) [1368201]\n- [netdrv] sfc: Update MCDI protocol definitions (Jarod Wilson) [1368201]\n- [netdrv] sfc: Disable VLAN filtering by default if not strictly required (Jarod Wilson) [1368201]\n- [netdrv] sfc: VLAN filters must only be created if the firmware supports this (Jarod Wilson) [1368201]\n- [netdrv] sfc: Fix dup unknown multicast/unicast filters after datapath reset (Jarod Wilson) [1368201]\n- [netdrv] sfc: Refactor checks for invalid filter ID (Jarod Wilson) [1368201]\n- [netdrv] sfc: Take mac_lock before calling efx_ef10_filter_table_probe (Jarod Wilson) [1368201]\n- [netdrv] sfc: Implement ndo_vlan_rx_{add, kill}_vid() callbacks (Jarod Wilson) [1368201]\n- [netdrv] sfc: Implement list of VLANs added over interface (Jarod Wilson) [1368201]\n- [netdrv] sfc: Make EF10 filter management helper functions VLAN-aware (Jarod Wilson) [1368201]\n- [netdrv] sfc: Store unicast and multicast promisc flag with address cache (Jarod Wilson) [1368201]\n- [netdrv] sfc: Move filter IDs to per-VLAN data structure (Jarod Wilson) [1368201]\n- [netdrv] sfc: Forget filter ID when the filter is marked old (Jarod Wilson) [1368201]\n- [netdrv] sfc: Assert filter_sem write locked when required (Jarod Wilson) [1368201]\n- [netdrv] sfc: Add efx_nic member with fixed netdev features (Jarod Wilson) [1368201]\n- [netdrv] sfc: Move last mc_promisc flag to EF10 filter table state (Jarod Wilson) [1368201]\n- [netdrv] sfc: Define macro with EF10 offload feature (Jarod Wilson) [1368201]\n- [netdrv] sfc: on MC reset, clear PIO buffer linkage in TXQs (Jarod Wilson) [1368201]\n- [netdrv] sfc: disable RSS when unsupported (Jarod Wilson) [1368201]\n- [netdrv] sfc: implement IPv6 NFC (and IPV4_USER_FLOW) (Jarod Wilson) [1368201]\n- [netdrv] i40iw: Receive notification events correctly (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Update hw_iwarp_state (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Send last streaming mode message for loopback connections (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Avoid writing to freed memory (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Fix double free of allocated_buffer (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Add missing NULL check for MPA private data (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Add missing check for interface already open (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Protect req_resource_num update (Stefan Assmann) [1371734]\n- [netdrv] i40iw: Change mem_resources pointer to a u8 (Stefan Assmann) [1371734]\n- [netdrv] hv_netvsc: fix bonding devices check in netvsc_netdev_event() (Vitaly Kuznetsov) [1364333]\n- [netdrv] hv_netvsc: protect module refcount by checking net_device_ctx->vf_netdev (Vitaly Kuznetsov) [1364333]\n- [netdrv] hv_netvsc: reset vf_inject on VF removal (Vitaly Kuznetsov) [1364333]\n- [netdrv] hv_netvsc: avoid deadlocks between rtnl lock and vf_use_cnt wait (Vitaly Kuznetsov) [1364333]\n- [netdrv] hv_netvsc: dont lose VF information (Vitaly Kuznetsov) [1364333]\n- [netdrv] mlx4_en: Add resilience in low memory systems (kamal heib) [1367818]\n- [netdrv] net/mlx4_en: Move filters cleanup to a proper location (kamal heib) [1367818]\n[3.10.0-500]\n- [drm] amdgpu: Disable RPM helpers while reprobing connectors on resume (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Kabylake uses the same GMS values as Skylake (Rob Clark) [1348329 1349064]\n- [drm] i915/bxt: Broxton uses the same GMS values as Skylake (Rob Clark) [1348329 1349064]\n- [drm] i915/skl: Add the additional graphics stolen sizes (Rob Clark) [1348329 1349064]\n- [drm] x86/gpu: Sprinkle const, __init and __initconst to stolen memory quirks (Rob Clark) [1348329 1349064]\n- [drm] x86/gpu: Implement stolen memory size early quirk for CHV (Rob Clark) [1348329 1349064]\n- [drm] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks (Rob Clark) [1348329 1349064]\n- [drm] makefile: update DRM version (Rob Clark) [1348329 1349064]\n- [drm] i915: Revert DisplayPort fast link training feature (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Fix error paths when mapping framebuffer (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Fix corner case screen target management (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Delay pinning fbdev framebuffer until after mode set (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Check pin count before attempting to move a buffer (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Work around mode set failure in 2D VMs (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Add an option to change assumed FB bpp (Rob Clark) [1348329 1349064]\n- [drm] ttm: Make ttm_bo_mem_compat available (Rob Clark) [1348329 1349064]\n- [drm] atomic: Make drm_atomic_legacy_backoff reset crtc->acquire_ctx (Rob Clark) [1348329 1349064]\n- [drm] amd/powerplay: fix incorrect voltage table value for tonga (Rob Clark) [1348329 1349064]\n- [drm] amd/powerplay: incorrectly use of the function return value (Rob Clark) [1348329 1349064]\n- [drm] amd/powerplay: fix logic error (Rob Clark) [1348329 1349064]\n- [drm] amd/powerplay: need to notify system bios pcie device ready (Rob Clark) [1348329 1349064]\n- [drm] amd/powerplay: fix bug that function parameter was incorect (Rob Clark) [1348329 1349064]\n- [drm] make drm_atomic_set_mode_prop_for_crtc() more reliable (Rob Clark) [1348329 1349064]\n- [drm] add missing drm_mode_set_crtcinfo call (Rob Clark) [1348329 1349064]\n- [drm] i915: Refresh cached DP port register value on resume (Rob Clark) [1348329 1349064]\n- [drm] i915/ilk: Dont disable SSC source if its in use (Rob Clark) [1348329 1349064]\n- [drm] nouveau/disp/sor/gf119: select correct sor when poking training pattern (Rob Clark) [1348329 1349064]\n- [drm] nouveau: fix for disabled fbdev emulation (Rob Clark) [1348329 1349064]\n- [drm] nouveau/ltc/gm107-: fix typo in the address of NV_PLTCG_LTC0_LTS0_INTR (Rob Clark) [1348329 1349064]\n- [drm] nouveau/gr/gf100-: update sm error decoding from gk20a nvgpu headers (Rob Clark) [1348329 1349064]\n- [drm] nouveau/bios/disp: fix handling of 'match any protocol' entries (Rob Clark) [1348329 1349064]\n- [drm] dp/mst: Always clear proposed vcpi table for port (Rob Clark) [1348329 1349064]\n- [drm] amdgpu: initialize amdgpu_cgs_acpi_eval_object result value (Rob Clark) [1348329 1349064]\n- [drm] amdgpu: fix num_rbs exposed to userspace (v2) (Rob Clark) [1348329 1349064]\n- [drm] amdgpu/gfx7: fix broken condition check (Rob Clark) [1348329 1349064]\n- [drm] radeon: fix asic initialization for virtualized environments (Rob Clark) [1348329 1349064]\n- [drm] i915: Removing PCI IDs that are no longer listed as Kabylake (Rob Clark) [1348329 1349064]\n- [drm] i915: Add more Kabylake PCI IDs (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Introduce the first official DMC for Kabylake (Rob Clark) [1348329 1349064]\n- [drm] i915/bxt: Reject DMC firmware versions with known bugs (Rob Clark) [1348329 1349064]\n- [drm] i915/gen9: implement WaConextSwitchWithConcurrentTLBInvalidate (Rob Clark) [1348329 1349064]\n- [drm] i915: implement WaClearTdlStateAckDirtyBits (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaClearSlmSpaceAtContextSwitch (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaDisableSbeCacheDispatchPortSharing (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaDisableGafsUnitClkGating (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaForGAMHang (Rob Clark) [1348329 1349064]\n- [drm] i915: Add WaInsertDummyPushConstP for bxt and kbl (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaDisableDynamicCreditSharing (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaDisableLSQCROPERFforOCL (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaDisableFenceDestinationToSLM for A0 (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaEnableGapsTsvCreditFix (Rob Clark) [1348329 1349064]\n- [drm] i915: Mimic skl with WaForceEnableNonCoherent (Rob Clark) [1348329 1349064]\n- [drm] i915/gen9: Always apply WaForceContextSaveRestoreNonCoherent (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add WaSkipStolenMemoryFirstPage for A0 (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Add REVID macro (Rob Clark) [1348329 1349064]\n- [drm] i915/kbl: Init gen9 workarounds (Rob Clark) [1348329 1349064]\n- [drm] i915/gen9: implement WaEnableSamplerGPGPUPreemptionSupport (Rob Clark) [1348329 1349064]\n- [drm] i915/gen9: add WaClearFlowControlGpgpuContextSave (Rob Clark) [1348329 1349064]\n- [drm] i915/skl: Add WaDisableGafsUnitClkGating (Rob Clark) [1348329 1349064]\n- [drm] i915/gen9: Add WaVFEStateAfterPipeControlwithMediaStateClear (Rob Clark) [1348329 1349064]\n- [drm] i915: Introduce Kabypoint PCH for Kabylake H/DT (Rob Clark) [1348329 1349064]\n- [drm] revert 'drm/i915: Exit cherryview_irq_handler() after one pass' (Rob Clark) [1348329 1349064]\n- [drm] core: Do not preserve framebuffer on rmfb, v4 (Rob Clark) [1348329 1349064]\n- [drm] i915: Pass the correct crtc state to .update_plane() (Rob Clark) [1348329 1349064]\n- [drm] Add helper for DP++ adaptors (Rob Clark) [1348329 1349064]\n- [drm] i915: Fix watermarks for VLV/CHV (Rob Clark) [1348329 1349064]\n- [drm] i915: Dont leave old junk in ilk active watermarks on readout (Rob Clark) [1348329 1349064]\n- [drm] i915: Enable/disable TMDS output buffers in DP++ adaptor as needed (Rob Clark) [1348329 1349064]\n- [drm] i915: Respect DP++ adaptor TMDS clock limit (Rob Clark) [1348329 1349064]\n- [drm] i915/psr: Try to program link training times correctly (Rob Clark) [1348329 1349064]\n- [drm] amdgpu: Fix hdmi deep color support (Rob Clark) [1348329 1349064]\n- [drm] amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh (Rob Clark) [1348329 1349064]\n- [drm] vmwgfx: Kill some lockdep warnings (Rob Clark) [1348329 1349064]\n- [drm] gma500: Fix possible out of bounds read (Rob Clark) [1348329 1349064]\n[3.10.0-499]\n- [drm] i915/hsw: Disable PSR by default (Lyude Paul) [1367930]\n- [x86] nmi: Enable nested do_nmi() handling for 64-bit kernels (Jiri Olsa) [1365704]\n- [net] ipv4: igmp: Allow removing groups from a removed interface (Jiri Benc) [1369427]\n- [net] netfilter: ebtables: put module reference when an incorrect extension is found (Sabrina Dubroca) [1369325]\n- [net] sctp: linearize early if its not GSO (Marcelo Leitner) [1058148]\n- [net] sctp_diag: Respect ss adding TCPF_CLOSE to idiag_states (Phil Sutter) [1361728]\n- [net] sctp_diag: Fix T3_rtx timer export (Phil Sutter) [1361728]\n- [net] sctp: Export struct sctp_info to userspace (Phil Sutter) [1361728]\n- [net] macsec: ensure rx_sa is set when validation is disabled (Sabrina Dubroca) [1368429]\n- [net] macsec: use after free when deleting the underlying device (Sabrina Dubroca) [1368429]\n- [target] target/user: Fix failure to unlock a spinlock upon function return (Andy Grover) [1367873]\n- [target] target/user: Fix comments to not refer to data ring (Andy Grover) [1367873]\n- [target] target/user: Return an error if cmd data size is too large (Andy Grover) [1367873]\n- [target] target/user: Use sense_reason_t in tcmu_queue_cmd_ring (Andy Grover) [1367873]\n- [target] Backport tcm-user from 4.6 (Andy Grover) [1367873]\n- [uio] Export definition of struct uio_device (Andy Grover) [1367873]\n- [netdrv] i40iw: Add NULL check for puda buffer (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Change dup_ack_thresh to u8 (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Remove unnecessary check for moving CQ head (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Simplify code to set fragments in SQ WQE (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Remove unnecessary parameter to i40iw_cq_poll_completion (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Do not access pointer after free (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Correct and use size parameter to i40iw_reg_phys_mr (Stefan Assmann) [1367425]\n- [netdrv] i40iw: Fix return codes (Stefan Assmann) [1367425]\n- [netdrv] i40e: Correcting mutex usage in client code (Stefan Assmann) [1367425]\n- [netdrv] i40e: Initialize pointer in client_release function (Stefan Assmann) [1367425]\n- [netdrv] i40e: Check client is open before calling client ops (Stefan Assmann) [1367425]\n- [netdrv] i40e: Force register writes to mitigate sync issues with iwarp VF driver (Stefan Assmann) [1367425]\n- [netdrv] i40e: Move the mutex lock in i40e_client_unregister (Stefan Assmann) [1367425]\n- [infiniband] ib/uverbs: Initialize ib_qp_init_attr with zeros (Honggang Li) [1365720]\n[3.10.0-498]\n- [scsi] aacraid: Check size values after double-fetch from user (Maurizio Lombardi) [1369771] {CVE-2016-6480}\n- [fs] block_dev.c: Remove WARN_ON() when inode writeback fails (Eric Sandeen) [1229014]\n- [fs] ext4: call sync_blockdev() before invalidate_bdev() in put_super() (Eric Sandeen) [1229014]\n- [mm] page_alloc: rename setup_pagelist_highmark() to match naming of pageset_set_batch() (Pankaj Gupta) [1320834]\n- [mm] page_alloc: in zone_pcp_update(), uze zone_pageset_init() (Pankaj Gupta) [1320834]\n- [mm] page_alloc: factor zone_pageset_init() out of setup_zone_pageset() (Pankaj Gupta) [1320834]\n- [mm] page_alloc: relocate comment to be directly above code it refers to (Pankaj Gupta) [1320834]\n- [mm] page_alloc: factor setup_pageset() into pageset_init() and pageset_set_batch() (Pankaj Gupta) [1320834]\n- [mm] page_alloc: when handling percpu_pagelist_fraction, dont unneedly recalulate high (Pankaj Gupta) [1320834]\n- [mm] page_alloc: convert zone_pcp_update() to rely on memory barriers instead of stop_machine() (Pankaj Gupta) [1320834]\n- [mm] page_alloc: protect pcp->batch accesses with ACCESS_ONCE (Pankaj Gupta) [1320834]\n- [mm] page_alloc: insert memory barriers to allow async update of pcp batch and high (Pankaj Gupta) [1320834]\n- [mm] page_alloc: prevent concurrent updaters of pcp ->batch and ->high (Pankaj Gupta) [1320834]\n- [mm] page_alloc: factor out setting of pcp->high and pcp->batch (Pankaj Gupta) [1320834]\n- [hid] i2c-hid: Fix suspend/resume when already runtime suspended (David Arcari) [1361625]\n- [hid] i2c-hid: Only disable irq wake if it was successfully enabled during suspend (David Arcari) [1361625]\n- [hid] i2c-hid: Call device suspend callback before disabling irq (David Arcari) [1361625]\n- [hid] i2c-hid: call the hid drivers suspend and resume callbacks (David Arcari) [1361625]\n- [hid] i2c-hid: add runtime PM support (David Arcari) [1361625]\n- [hid] i2c-hid: disable interrupt on suspend (David Arcari) [1361625]\n- [lib] rhashtable-test: calculate max_entries value by default (Phil Sutter) [1238749]\n- [x86] tsc: Enumerate SKL cpu_khz and tsc_khz via CPUID (Prarit Bhargava) [1366396]\n- [x86] Block HPET on Purley 4S (Prarit Bhargava) [1365997]\n- [base] regmap: Skip read-only registers in regcache_sync() (Jaroslav Kysela) [1365905 1367789]\n- [tools] perf: Add sample_reg_mask to include all perf_regs (Steve Best) [1368934]\n- [netdrv] i40e: Change some init flow for the client (Stefan Assmann) [1369275]\n- [netdrv] mlx5e: Log link state changes (kamal heib) [1367822]\n[3.10.0-497]\n- [kernel] ftrace: fix traceoff_on_warning handling on boot command line ('Luis Claudio R. Goncalves') [1367650]\n- [netdrv] ixgbe: fix setup_fc for x550em (Ken Cox) [1364896]\n- [netdrv] cxgb4/cxgb4vf: Fixes regression in perf when tx vlan offload is disabled (Sai Vemuri) [1319437]\n- [netdrv] cxgb4/cxgb4vf: Add link mode mask API to cxgb4 and cxgb4vf (Sai Vemuri) [1365689]\n- [netdrv] cxgb4: Dont assume FW_PORT_CMD reply is always port info msg (Sai Vemuri) [1365689]\n- [netdrv] ethtool: add support for 25G/50G/100G speed modes (Sai Vemuri) [1365689]\n- [netdrv] i40e: use configured RSS key and lookup table in i40e_vsi_config_rss (Stefan Assmann) [1359439]\n- [netdrv] i40e: fix broken i40e_config_rss_aq function (Stefan Assmann) [1359439]\n- [netdrv] i40e: move i40e_vsi_config_rss below i40e_get_rss_aq (Stefan Assmann) [1359439]\n- [netdrv] i40e: Remove redundant memset (Stefan Assmann) [1359439]\n- [netdrv] brcmfmac: restore stopping netdev queue when bus clogs up (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: add new 8265 (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: add new 8260 PCI IDs (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: pcie: fix a race in firmware loading flow (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: pcie: enable interrupts before releasing the NICs CPU (Stanislaw Gruszka) [1365575]\n- [net] mac80211: fix purging multicast PS buffer queue (Stanislaw Gruszka) [1365575]\n- [net] cfg80211: handle failed skb allocation (Stanislaw Gruszka) [1365575]\n- [net] nl80211: Move ACL parsing later to avoid a possible memory leak (Stanislaw Gruszka) [1365575]\n- [net] cfg80211: fix proto in ieee80211_data_to_8023 for frames without LLC header (Stanislaw Gruszka) [1365575]\n- [net] mac80211: Fix mesh estab_plinks counting in STA removal case (Stanislaw Gruszka) [1365575]\n- [netdrv] ath9k: fix GPIO mask for AR9462 and AR9565 (Stanislaw Gruszka) [1365575]\n- [netdrv] ath10k: fix deadlock while processing rx_in_ord_ind (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: mvm: fix a few firmware capability checks (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: mvm: set the encryption type of an IGTK key (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: mvm: fix potential NULL-dereference in iwl_mvm_reorder() (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: mvm: fix RCU splat in TKIPs update_key (Stanislaw Gruszka) [1365575]\n- [netdrv] iwlwifi: mvm: increase scan timeout to 20 seconds (Stanislaw Gruszka) [1365575]\n- [net] cfg80211: remove get/set antenna and tx power warnings (Stanislaw Gruszka) [1365575]\n- [netdrv] ath10k: fix crash related to printing features (Stanislaw Gruszka) [1365575]\n- [netdrv] ath10k: fix deadlock when peer cannot be created (Stanislaw Gruszka) [1365575]\n- [net] mac80211: fix fast_tx header alignment (Stanislaw Gruszka) [1365575]\n- [net] mac80211: mesh: flush mesh paths unconditionally (Stanislaw Gruszka) [1365575]\n- [netdrv] rtlwifi: Fix scheduling while atomic error from commit 49f86ec21c01 (Stanislaw Gruszka) [1365575]\n- [netdrv] brcmfmac: add fallback for devices that do not report per-chain values (Stanislaw Gruszka) [1365575]\n[3.10.0-496]\n- [infiniband] rdma/ocrdma: display ocrdma tech preview status (Honggang Li) [1334675]\n- [infiniband] ib/rdma_cm: fix panic when trying access default_roce_mode configfs (kamal heib) [1360276]\n- [infiniband] ib/hfi1: Fix mm_struct use after free (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Add cache evict LRU list (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Fix memory leak during unexpected shutdown (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove unneeded mm argument in remove function (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Consistently call ops->remove outside spinlock (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Use evict mmu rb operation (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Add evict operation to the mmu rb handler (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Fix TID caching actions (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Make the cache handler own its rb tree root (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Make use of mm consistent (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Fix user SDMA racy user request claim (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Fix error condition that needs to clean up (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Release node on insert failure (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Validate SDMA user iovector count (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Validate SDMA user request index (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Use the same capability state for all shared contexts (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Prevent null pointer dereference (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Rename TID mmu_rb_* functions (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove unneeded empty check in hfi1_mmu_rb_unregister() (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Restructure hfi1_file_open (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Make iovec loop index easy to understand (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Use 'false' not 0 (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove unused sub-context parameter (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Consolidate __mmu_rb_remove and hfi1_mmu_rb_remove (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Always expect ops functions (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Add parameter names to callback declarations (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Add parameter names to function declarations (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove unused function hfi1_mmu_rb_search (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove unused uctxt->subpid and uctxt->pid (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Fix minor format error (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Remove TWSI references (Alex Estrin) [1360929]\n- [infiniband] ib/hfi1: Use built-in i2c bit-shift bus adapter (Alex Estrin) [1360929]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-09T00:00:00", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5195", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7039"], "modified": "2016-11-09T00:00:00", "id": "ELSA-2016-2574", "href": "http://linux.oracle.com/errata/ELSA-2016-2574.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2023-09-10T12:39:29", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-03T06:07:15", "type": "redhat", "title": "(RHSA-2016:2584) Important: kernel-rt security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2017-13167"], "modified": "2018-04-20T08:55:08", "id": "RHSA-2016:2584", "href": "https://access.redhat.com/errata/RHSA-2016:2584", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-10T12:39:29", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-03T06:07:14", "type": "redhat", "title": "(RHSA-2016:2574) Important: kernel security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3044", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7914", "CVE-2016-7915", "CVE-2016-9794", "CVE-2017-13167", "CVE-2018-16597"], "modified": "2018-10-22T15:17:57", "id": "RHSA-2016:2574", "href": "https://access.redhat.com/errata/RHSA-2016:2574", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2023-09-24T00:33:12", "description": "## Summary\n\nVulnerabilities in the Linux Kernel affect IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 products. The applicable CVEs are CVE-2016-7117 CVE-2016-6828 \nCVE-2016-10229 CVE-2016-6480 CVE-2016-6327 CVE-2016-6198 CVE-2016-6136 CVE-2016-5829 CVE-2016-5828 CVE-2016-5412 CVE-2016-4794 CVE-2016-4581 CVE-2016-4578 CVE-2016-3699 CVE-2016-3156 CVE-2016-4569 CVE-2016-2847 CVE-2016-2384 CVE-2016-2069 CVE-2016-2053 CVE-2015-8956 CVE-2015-8845 CVE-2015-8844 CVE-2015-8812 CVE-2015-8746 CVE-2015-8543 CVE-2015-8374 CVE-2013-4312 and CVE-2016-3070. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-7117_](<https://vulners.com/cve/CVE-2016-7117>)** \nDESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in __sys_recvmmsg function in net/socket.c. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/117765_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117765>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n**CVEID:** [_CVE-2016-6828_](<https://vulners.com/cve/CVE-2016-6828>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the failure to properly maintain certain SACK state in tcp_check_send_head function in include/net/tcp.h. By executing a specially-crafted SACK option, an attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118135_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118135>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-10229_](<https://vulners.com/cve/CVE-2016-10229>)** \nDESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in udp.c. By sending specially-crafted UDP packets, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124676_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124676>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-6480_](<https://vulners.com/cve/CVE-2016-6480>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.5/drivers/scsi/aacraid/commctrl.c when the driver fetches user space data. A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115630_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115630>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-6327_](<https://vulners.com/cve/CVE-2016-6327>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/infiniband/ulp/srpt/ib_srpt.c. By using an ABORT_TASK command to abort a device write operation, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 5.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6198_](<https://vulners.com/cve/CVE-2016-6198>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service. A local attacker could exploit this vulnerability using rename syscall on overlayfs on top of xfs to cause the kernel to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114867_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114867>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6136_](<https://vulners.com/cve/CVE-2016-6136>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.6.1/kernel/auditsc.c when the driver fetches user space data using copy_from_user(). A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114719_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114719>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-5829_](<https://vulners.com/cve/CVE-2016-5829>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the hiddev driver code. By sending a specially crafted ioctl call, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)\n\n**CVEID:** [_CVE-2016-5828_](<https://vulners.com/cve/CVE-2016-5828>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of Transactional Memory on powerpc systems. By starting a transaction, suspending it, and then calling any of the exec() class system calls, an attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114456_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114456>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-5412_](<https://vulners.com/cve/CVE-2016-5412>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in book3s_hv_rmhandlers.S. If CONFIG_KVM_BOOK3S_64_HV is enabled, a local attacker could exploit this vulnerability to cause the host to enter into an infinite loop. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116181_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116181>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4794_](<https://vulners.com/cve/CVE-2016-4794>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free in array_map_alloc. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113188_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113188>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-4581_](<https://vulners.com/cve/CVE-2016-4581>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the first propagated copy. A local attacker could exploit this vulnerability to cause a kernel oops. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113159_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113159>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4578_](<https://vulners.com/cve/CVE-2016-4578>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113158>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2016-3699_](<https://vulners.com/cve/CVE-2016-3699>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system. By appending ACPI tables to the initrd, an attacker could exploit this vulnerability to bypass intended Secure Boot restrictions and execute arbitrary code on the system. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118241_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118241>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-3156_](<https://vulners.com/cve/CVE-2016-3156>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when destroying a network. A local authenticated attacker could exploit this vulnerability using a huge number of ipv4 addresses to keep rtnl_lock for a very long time and block network related operations. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112056_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112056>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-4569_](<https://vulners.com/cve/CVE-2016-4569>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113190_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113190>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-2847_](<https://vulners.com/cve/CVE-2016-2847>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error related to the per-user limit. By filling pipes with an overly large amount of data, an attacker could exploit this vulnerability to consume an overly large amount of kernel memory resources. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111306_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111306>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-2384_](<https://vulners.com/cve/CVE-2016-2384>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a double-free in the ALSA USB MIDI driver. An attacker could exploit this vulnerability using an invalid USB descriptor to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110587_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110587>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-2069_](<https://vulners.com/cve/CVE-2016-2069>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a race condition in arch/x86/mm/tlb.c. By triggering access to a paging structure by a different CPU, a local attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113822_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113822>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-2053_](<https://vulners.com/cve/CVE-2016-2053>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in the asn1_ber_decoder function. A remote attacker could exploit this vulnerability using an ASN.1 BER file that lacks a public key to cause a denial of service. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114430_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114430>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8956_](<https://vulners.com/cve/CVE-2015-8956>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c. By using vectors involving a bind system call on a Bluetooth RFCOMM socket, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service on the system. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2015-8845_](<https://vulners.com/cve/CVE-2015-8845>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112156_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112156>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8844_](<https://vulners.com/cve/CVE-2015-8844>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers T and S bits on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8812_](<https://vulners.com/cve/CVE-2015-8812>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free in the CXGB3 kernel driver when the network was considered congested. An attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110574_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110574>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8746_](<https://vulners.com/cve/CVE-2015-8746>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the client. A local attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109545_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109545>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8543_](<https://vulners.com/cve/CVE-2015-8543>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the failure to validate protocol identifiers for certain protocol families by the networking implementation. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges or cause the kernel to panic \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109383_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109383>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8374_](<https://vulners.com/cve/CVE-2015-8374>)** \nDESCRIPTION:** Linux Kernel could allow a remote authenticated attacker to obtain sensitive information, caused by a information leak when truncating compressed/inlined extents on BTRFS. An attacker could exploit this vulnerability to obtain the truncated data. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108371_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108371>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2013-4312_](<https://vulners.com/cve/CVE-2013-4312>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions. By sending specially-crafted file descriptors over a UNIX socket, an attacker could exploit this vulnerability to bypass file-descriptor limits and cause a denial of service. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110778_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110778>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-3070_](<https://vulners.com/cve/CVE-2016-3070>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper interaction with mm/migrate.c by the trace_writeback_dirty_page implementation. By triggering a certain page move, a local attacker could exploit this vulnerability to cause a NULL pointer dereference and crash the system. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116338_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116338>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \nIBM Spectrum Virtualize Software \nIBM Spectrum Virtualize for Public Cloud \n \nAll products are affected when running supported versions 7.6 to 8.1.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher: \n \n7.7.1.9 \n7.8.1.6 \n8.1.1.2 \n8.1.2.1 \n \n[_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+\\(2145\\)&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+\\(2076\\)&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>) \n \nFor unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-10229", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7117"], "modified": "2023-03-29T01:48:02", "id": "F092FBBD34304315E258962CA397F72D24D88CD673A181734FDCE39754098484", "href": "https://www.ibm.com/support/pages/node/650901", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:09", "description": "## Summary\n\nPowerKVM is affected by vulnerabilities in the Linux Kernel. IBM has now addressed these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9604_](<https://vulners.com/cve/CVE-2016-9604>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions, caused by an error in the built-in keyrings for security tokens. By adding a new public key of its own devising to the keyring, an attacker could exploit this vulnerability to bypass module signature verification and gain direct access to an internal keyring. \nCVSS Base Score: 4.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125570_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125570>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N) \n\n**CVEID:** [_CVE-2017-6951_](<https://vulners.com/cve/CVE-2017-6951>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the keyring_search_aux function in security/keys/keyring.c. By using a request_key system call for the \"dead\" type, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/123423_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123423>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2017-7472_](<https://vulners.com/cve/CVE-2017-7472>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the leaking of a thread keyring by the keyctl_set_reqkey_keyring(). A local authenticated attacker could exploit this vulnerability to exhaust all available kernel memory. \nCVSS Base Score: 5.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125573_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125573>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6213_](<https://vulners.com/cve/CVE-2016-6213>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in the mount table. By overflowing kernel mount table using shared bind mount, a local attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114989_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114989>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-8632_](<https://vulners.com/cve/CVE-2016-8632>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper validation of maximum packet size and minimum fragment length by tipc_msg_build function in net/tipc/msg.c. By leveraging the CAP_NET_ADMIN capability, a local attacker could gain privileges and cause a denial of service. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119633_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119633>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n \n \n**CVEID:** [_CVE-2016-10229_](<https://vulners.com/cve/CVE-2016-10229>)** \nDESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in udp.c. By sending specially-crafted UDP packets, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124676_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124676>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n**CVEID:** [_CVE-2016-6480_](<https://vulners.com/cve/CVE-2016-6480>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.5/drivers/scsi/aacraid/commctrl.c when the driver fetches user space data. A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115630_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115630>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-6327_](<https://vulners.com/cve/CVE-2016-6327>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/infiniband/ulp/srpt/ib_srpt.c. By using an ABORT_TASK command to abort a device write operation, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 5.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6136_](<https://vulners.com/cve/CVE-2016-6136>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.6.1/kernel/auditsc.c when the driver fetches user space data using copy_from_user(). A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114719_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114719>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-5829_](<https://vulners.com/cve/CVE-2016-5829>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the hiddev driver code. By sending a specially crafted ioctl call, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)\n\n**CVEID:** [_CVE-2016-5828_](<https://vulners.com/cve/CVE-2016-5828>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of Transactional Memory on powerpc systems. By starting a transaction, suspending it, and then calling any of the exec() class system calls, an attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114456_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114456>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-5412_](<https://vulners.com/cve/CVE-2016-5412>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in book3s_hv_rmhandlers.S. If CONFIG_KVM_BOOK3S_64_HV is enabled, a local attacker could exploit this vulnerability to cause the host to enter into an infinite loop. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116181_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116181>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4794_](<https://vulners.com/cve/CVE-2016-4794>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free in array_map_alloc. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113188_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113188>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-4581_](<https://vulners.com/cve/CVE-2016-4581>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the first propagated copy. A local attacker could exploit this vulnerability to cause a kernel oops. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113159_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113159>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4578_](<https://vulners.com/cve/CVE-2016-4578>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113158>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2016-3156_](<https://vulners.com/cve/CVE-2016-3156>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when destroying a network. A local authenticated attacker could exploit this vulnerability using a huge number of ipv4 addresses to keep rtnl_lock for a very long time and block network related operations. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112056_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112056>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-4569_](<https://vulners.com/cve/CVE-2016-4569>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113190_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113190>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-3841_](<https://vulners.com/cve/CVE-2016-3841>)** \nDESCRIPTION:** Google Android could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free error in the IPv6 stack in the Linux Kernel. By using a specially-crafted sendmsg system call, an attacker could exploit this vulnerability to gain elevated privileges on the system or cause a denial of service. \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115983_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115983>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-2847_](<https://vulners.com/cve/CVE-2016-2847>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error related to the per-user limit. By filling pipes with an overly large amount of data, an attacker could exploit this vulnerability to consume an overly large amount of kernel memory resources. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111306_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111306>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-2384_](<https://vulners.com/cve/CVE-2016-2384>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a double-free in the ALSA USB MIDI driver. An attacker could exploit this vulnerability using an invalid USB descriptor to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110587_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110587>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-2117_](<https://vulners.com/cve/CVE-2016-2117>)** \nDESCRIPTION:** Atheros Linux wireless drivers could allow a remote attacker to obtain sensitive information, caused by the failure to check scatter/gather IO. By sending a specially crafted packet, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111533_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111533>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2015-8956_](<https://vulners.com/cve/CVE-2015-8956>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c. By using vectors involving a bind system call on a Bluetooth RFCOMM socket, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service on the system. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2015-8845_](<https://vulners.com/cve/CVE-2015-8845>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112156_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112156>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8844_](<https://vulners.com/cve/CVE-2015-8844>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers T and S bits on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8812_](<https://vulners.com/cve/CVE-2015-8812>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free in the CXGB3 kernel driver when the network was considered congested. An attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110574_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110574>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8746_](<https://vulners.com/cve/CVE-2015-8746>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the client. A local attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109545_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109545>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8543_](<https://vulners.com/cve/CVE-2015-8543>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the failure to validate protocol identifiers for certain protocol families by the networking implementation. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges or cause the kernel to panic \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109383_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109383>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2013-4312_](<https://vulners.com/cve/CVE-2013-4312>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions. By sending specially-crafted file descriptors over a UNIX socket, an attacker could exploit this vulnerability to bypass file-descriptor limits and cause a denial of service. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110778_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110778>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-3070_](<https://vulners.com/cve/CVE-2016-3070>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper interaction with mm/migrate.c by the trace_writeback_dirty_page implementation. By triggering a certain page move, a local attacker could exploit this vulnerability to cause a NULL pointer dereference and crash the system. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116338_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116338>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n \n \n**CVEID:** [_CVE-2017-1000365_](<https://vulners.com/cve/CVE-2017-1000365>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions, caused by the failure to take the argument and environment pointers into account when imposing a size restriction. An attacker could exploit this vulnerability to bypass the limitation and perform unauthorized actions. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/127531_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/127531>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nPowerKVM 2.1 and PowerKVM 3.1 \n\nNote that PowerKVM v2.1 is not vulnerable to CVE-2016-6213.\n\n## Remediation/Fixes\n\nCustomers can update PowerKVM systems by using \"yum update\". \n\nFix images are made available via Fix Central. For version 3.1, see [_https://ibm.biz/BdHggw_](<https://ibm.biz/BdHggw>). This issue is addressed starting with v3.1.0.2 update 8.\n\n \n \nFor version 2.1, see [_https://ibm.biz/BdEnT8_](<https://ibm.biz/BdEnT8>). This issue is addressed starting with PowerKVM 2.1.1.3-65 update 17. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1. \n \nFor v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, please see <http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README> for prerequisite fixes and instructions. \n\n## Workarounds and Mitigations\n\nCustomers using v2.1 can work around the problem by upgrading to the fixed version of v3.1.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:36:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-10229", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6213", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-8632", "CVE-2016-9604", "CVE-2017-1000365", "CVE-2017-6951", "CVE-2017-7472"], "modified": "2018-06-18T01:36:15", "id": "A0B51C5217767E75AB974BA93584FB1F969514BA8D7EE9EDD025C20F274C1D2F", "href": "https://www.ibm.com/support/pages/node/631229", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:50:31", "description": "## Summary\n\nThere are multiple vulnerabilities in Linux Kernel used by IBM QRadar Network Security. IBM QRadar Network Security has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-6480_](<https://vulners.com/cve/CVE-2016-6480>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.5/drivers/scsi/aacraid/commctrl.c when the driver fetches user space data. A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115630_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115630>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [_CVE-2016-6327_](<https://vulners.com/cve/CVE-2016-6327>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/infiniband/ulp/srpt/ib_srpt.c. By using an ABORT_TASK command to abort a device write operation, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 5.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6198_](<https://vulners.com/cve/CVE-2016-6198>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service. A local attacker could exploit this vulnerability using rename syscall on overlayfs on top of xfs to cause the kernel to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114867_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114867>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-6136_](<https://vulners.com/cve/CVE-2016-6136>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.6.1/kernel/auditsc.c when the driver fetches user space data using copy_from_user(). A local attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114719_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114719>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-5829_](<https://vulners.com/cve/CVE-2016-5829>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the hiddev driver code. By sending a specially crafted ioctl call, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)\n\n**CVEID:** [_CVE-2016-5828_](<https://vulners.com/cve/CVE-2016-5828>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of Transactional Memory on powerpc systems. By starting a transaction, suspending it, and then calling any of the exec() class system calls, an attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114456_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114456>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-5412_](<https://vulners.com/cve/CVE-2016-5412>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in book3s_hv_rmhandlers.S. If CONFIG_KVM_BOOK3S_64_HV is enabled, a local attacker could exploit this vulnerability to cause the host to enter into an infinite loop. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116181_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116181>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4794_](<https://vulners.com/cve/CVE-2016-4794>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free in array_map_alloc. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113188_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113188>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-4581_](<https://vulners.com/cve/CVE-2016-4581>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the first propagated copy. A local attacker could exploit this vulnerability to cause a kernel oops. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113159_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113159>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-4578_](<https://vulners.com/cve/CVE-2016-4578>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113158>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2016-3699_](<https://vulners.com/cve/CVE-2016-3699>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system. By appending ACPI tables to the initrd, an attacker could exploit this vulnerability to bypass intended Secure Boot restrictions and execute arbitrary code on the system. \nCVSS Base Score: 7.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118241_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118241>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-3156_](<https://vulners.com/cve/CVE-2016-3156>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when destroying a network. A local authenticated attacker could exploit this vulnerability using a huge number of ipv4 addresses to keep rtnl_lock for a very long time and block network related operations. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112056_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112056>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-4569_](<https://vulners.com/cve/CVE-2016-4569>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113190_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113190>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-3841_](<https://vulners.com/cve/CVE-2016-3841>)** \nDESCRIPTION:** Google Android could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free error in the IPv6 stack in the Linux Kernel. By using a specially-crafted sendmsg system call, an attacker could exploit this vulnerability to gain elevated privileges on the system or cause a denial of service. \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115983_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115983>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-2847_](<https://vulners.com/cve/CVE-2016-2847>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error related to the per-user limit. By filling pipes with an overly large amount of data, an attacker could exploit this vulnerability to consume an overly large amount of kernel memory resources. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111306_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111306>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2016-2384_](<https://vulners.com/cve/CVE-2016-2384>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a double-free in the ALSA USB MIDI driver. An attacker could exploit this vulnerability using an invalid USB descriptor to execute arbitrary code on the system. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110587_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110587>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-2117_](<https://vulners.com/cve/CVE-2016-2117>)** \nDESCRIPTION:** Atheros Linux wireless drivers could allow a remote attacker to obtain sensitive information, caused by the failure to check scatter/gather IO. By sending a specially crafted packet, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111533_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111533>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-2069_](<https://vulners.com/cve/CVE-2016-2069>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a race condition in arch/x86/mm/tlb.c. By triggering access to a paging structure by a different CPU, a local attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113822_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113822>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2016-2053_](<https://vulners.com/cve/CVE-2016-2053>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in the asn1_ber_decoder function. A remote attacker could exploit this vulnerability using an ASN.1 BER file that lacks a public key to cause a denial of service. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114430_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114430>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8956_](<https://vulners.com/cve/CVE-2015-8956>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c. By using vectors involving a bind system call on a Bluetooth RFCOMM socket, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service on the system. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)\n\n**CVEID:** [_CVE-2015-8845_](<https://vulners.com/cve/CVE-2015-8845>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112156_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112156>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8844_](<https://vulners.com/cve/CVE-2015-8844>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers T and S bits on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112155>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8812_](<https://vulners.com/cve/CVE-2015-8812>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free in the CXGB3 kernel driver when the network was considered congested. An attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base Score: 8.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110574_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110574>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8746_](<https://vulners.com/cve/CVE-2015-8746>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the client. A local attacker could exploit this vulnerability to cause a kernel panic. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109545_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109545>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [_CVE-2015-8543_](<https://vulners.com/cve/CVE-2015-8543>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the failure to validate protocol identifiers for certain protocol families by the networking implementation. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges or cause the kernel to panic \nCVSS Base Score: 7.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109383_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109383>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-8374_](<https://vulners.com/cve/CVE-2015-8374>)** \nDESCRIPTION:** Linux Kernel could allow a remote authenticated attacker to obtain sensitive information, caused by a information leak when truncating compressed/inlined extents on BTRFS. An attacker could exploit this vulnerability to obtain the truncated data. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108371_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108371>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2013-4312_](<https://vulners.com/cve/CVE-2013-4312>)** \nDESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions. By sending specially-crafted file descriptors over a UNIX socket, an attacker could exploit this vulnerability to bypass file-descriptor limits and cause a denial of service. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110778_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110778>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-3070_](<https://vulners.com/cve/CVE-2016-3070>)** \nDESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper interaction with mm/migrate.c by the trace_writeback_dirty_page implementation. By triggering a certain page move, a local attacker could exploit this vulnerability to cause a NULL pointer dereference and crash the system. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116338_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116338>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar Network Security 5.4\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM QRadar Network Security| Firmware version 5.4| Install Firmware 5.4.0.2 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector. \nOr \nDownload Firmware 5.4.0.2 from [IBM Security License Key and Download Center](<https://ibmss.flexnetoperations.com/control/isdl/home>) and upload and install via the Available Updates page of the Local Management Interface. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:00:56", "type": "ibm", "title": "Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Linux Kernel", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480"], "modified": "2018-06-16T22:00:56", "id": "B7EDA2450D13E204B60C3A3E7379E6FCCD587CB32FEB5041ADDA6CB8E3C44FC3", "href": "https://www.ibm.com/support/pages/node/562779", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2023-08-23T20:45:55", "description": "**CentOS Errata and Security Advisory** CESA-2016:2574\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. (CVE-2016-3841, Important)\n\n* Several Moderate and Low impact security issues were found in the Linux kernel. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-4312, CVE-2015-8374, CVE-2015-8543, CVE-2015-8812, CVE-2015-8844, CVE-2015-8845, CVE-2016-2053, CVE-2016-2069, CVE-2016-2847, CVE-2016-3156, CVE-2016-4581, CVE-2016-4794, CVE-2016-5412, CVE-2016-5828, CVE-2016-5829, CVE-2016-6136, CVE-2016-6198, CVE-2016-6327, CVE-2016-6480, CVE-2015-8746, CVE-2015-8956, CVE-2016-2117, CVE-2016-2384, CVE-2016-3070, CVE-2016-3699, CVE-2016-4569, CVE-2016-4578)\n\nRed Hat would like to thank Philip Pettersson (Samsung) for reporting CVE-2016-2053; Tetsuo Handa for reporting CVE-2016-2847; the Virtuozzo kernel team and Solar Designer (Openwall) for reporting CVE-2016-3156; Justin Yackoski (Cryptonite) for reporting CVE-2016-2117; and Linn Crosetto (HP) for reporting CVE-2016-3699. The CVE-2015-8812 issue was discovered by Venkatesh Pottem (Red Hat Engineering); the CVE-2015-8844 and CVE-2015-8845 issues were discovered by Miroslav Vadkerti (Red Hat Engineering); the CVE-2016-4581 issue was discovered by Eric W. Biederman (Red Hat); the CVE-2016-6198 issue was discovered by CAI Qian (Red Hat); and the CVE-2016-3070 issue was discovered by Jan Stancek (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2016-November/023189.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2016:2574", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-25T15:59:02", "type": "centos", "title": "kernel, perf, python security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4312", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8844", "CVE-2015-8845", "CVE-2015-8956", "CVE-2016-2053", "CVE-2016-2069", "CVE-2016-2117", "CVE-2016-2384", "CVE-2016-2847", "CVE-2016-3044", "CVE-2016-3070", "CVE-2016-3156", "CVE-2016-3699", "CVE-2016-3841", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4581", "CVE-2016-4794", "CVE-2016-5412", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6198", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-7914", "CVE-2016-7915", "CVE-2016-9794", "CVE-2017-13167", "CVE-2018-16597"], "modified": "2016-11-25T15:59:02", "id": "CESA-2016:2574", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2016-November/023189.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "androidsecurity": [{"lastseen": "2023-06-28T10:41:51", "description": "The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the [Google Developer site](<https://developers.google.com/android/nexus/images>). Security patch levels of December 05, 2016 or later address all of these issues. Refer to the [Pixel and Nexus update schedule](<https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices>) to learn how to check a device's security patch level. \n\nPartners were notified of the issues described in the bulletin on November 07, 2016 or earlier. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. \n\nThe most severe of these issues are Critical security vulnerabilities in device-specific code that could enable arbitrary code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed. \n\nWe have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as [SafetyNet](<https://developer.android.com/training/safetynet/index.html>), which improve the security of the Android platform. \n\nWe encourage all customers to accept these updates to their devices. \n\n## Announcements\n\n * This bulletin has two security patch level strings to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information: \n * **2016-12-01**: Partial security patch level string. This security patch level string indicates that all issues associated with 2016-12-01 (and all previous security patch level strings) are addressed.\n * **2016-12-05**: Complete security patch level string. This security patch level string indicates that all issues associated with 2016-12-01 and 2016-12-05 (and all previous security patch level strings) are addressed.\n * Supported Google devices will receive a single OTA update with the December 05, 2016 security patch level.\n\n## Android and Google service mitigations\n\nThis is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android. \n\n * Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.\n * The Android Security team actively monitors for abuse with [Verify Apps and SafetyNet](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf>), which are designed to warn users about [Potentially Harmful Applications](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf>). Verify Apps is enabled by default on devices with [Google Mobile Services](<http://www.android.com/gms>) and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application\u2014no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.\n * As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.\n\n## Acknowledgements\n\nWe would like to thank these researchers for their contributions: \n\n * Baozeng Ding, Chengming Yang, Peng Xiao, Ning You, Yang Dong, Chao Yang, Yi Zhang, and Yang Song of Alibaba Mobile Security Group: CVE-2016-6783, CVE-2016-6784, CVE-2016-6785\n * [Chi Zhang](<mailto:zc1991@mail.ustc.edu.cn>), Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6789, CVE-2016-6790\n * Christian Seel: CVE-2016-6769\n * David Benjamin and Kenny Root of Google: CVE-2016-6767\n * Di Shen ([@returnsme](<https://twitter.com/returnsme>)) of KeenLab ([@keen_lab](<https://twitter.com/keen_lab>)), Tencent: CVE-2016-6776, CVE-2016-6787\n * En He ([@heeeeen4x](<https://twitter.com/heeeeen4x>)) of [MS509Team](<http://www.ms509.com>): CVE-2016-6763\n * Gengjia Chen ([@chengjia4574](<https://twitter.com/chengjia4574>)), [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6779, CVE-2016-6778, CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8409, CVE-2016-8408, CVE-2016-8404\n * Jianqiang Zhao ([@jianqiangzhao](<https://twitter.com/jianqiangzhao>)) and [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360 Technology Co. Ltd: CVE-2016-6788, CVE-2016-6781, CVE-2016-6782, CVE-2016-8396\n * [Lubo Zhang](<mailto:zlbzlb815@163.com>), [Tong Lin](<mailto:segfault5514@gmail.com>), [Yuan-Tsung Lo](<mailto:computernik@gmail.com>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6791, CVE-2016-8391, CVE-2016-8392\n * Mark Brand of Project Zero: CVE-2016-6772\n * [Micha\u0142 Bednarski](<https://github.com/michalbednarski>): CVE-2016-6770, CVE-2016-6774\n * Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), [Chi Zhang](<mailto:zc1991@mail.ustc.edu.cn>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6761, CVE-2016-6759, CVE-2016-8400\n * Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6760\n * Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), [Hanxiang Wen](<mailto:arnow117@gmail.com>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6759\n * Nathan Crandall ([@natecray](<https://twitter.com/natecray>)) of Tesla Motors Product Security Team: CVE-2016-6915, CVE-2016-6916, CVE-2016-6917\n * Nightwatch Cybersecurity Research ([@nightwatchcyber](<https://twitter.com/nightwatchcyber>)): CVE-2016-5341\n * Pengfei Ding (\u4e01\u9e4f\u98de), Chenfu Bao (\u5305\u6c89\u6d6e), Lenx Wei (\u97e6\u97ec) of Baidu X-Lab: CVE-2016-6755, CVE-2016-6756\n * Peter Pi ([@heisecode](<https://twitter.com/heisecode>)) of Trend Micro: CVE-2016-8397, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407\n * Qidan He (\u4f55\u6dc7\u4e39) ([@flanker_hqd](<https://twitter.com/flanker_hqd>)) of KeenLab, Tencent (\u817e\u8baf\u79d1\u6069\u5b9e\u9a8c\u5ba4): CVE-2016-8399, CVE-2016-8395\n * Qidan He (\u4f55\u6dc7\u4e39) ([@flanker_hqd](<https://twitter.com/flanker_hqd>)) and Marco Grassi ([@marcograss](<https://twitter.com/marcograss>)) of KeenLab, Tencent (\u817e\u8baf\u79d1\u6069\u5b9e\u9a8c\u5ba4): CVE-2016-6768\n * Richard Shupak: CVE-2016-5341\n * Sagi Kedmi of IBM X-Force Research: CVE-2016-8393, CVE-2016-8394\n * Seven Shen ([@lingtongshen](<https://twitter.com/lingtongshen>)) of Mobile Threat Research Team, Trend Micro Inc.: CVE-2016-6757\n * Weichao Sun ([@sunblate](<https://twitter.com/sunblate>)) of Alibaba Inc.: CVE-2016-6773\n * [Wenke Dou](<mailto:vancouverdou@gmail.com>), [Chi Zhang](<mailto:zc1991@mail.ustc.edu.cn>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6765\n * Wish Wu ([@wish_wu](<https://twitter.com/wish_wu>)) ([\u5434\u6f4d\u6d60](<http://weibo.com/wishlinux>)) of [Mobile Threat Response Team](<http://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/>), [Trend Micro Inc.](<http://www.trendmicro.com>): CVE-2016-6704\n * [Yuan-Tsung Lo](<mailto:computernik@gmail.com>), [Tong Lin](<mailto:segfault5514@gmail.com>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6786, CVE-2016-6780, CVE-2016-6775\n * [Yuan-Tsung Lo](<mailto:computernik@gmail.com>), [Xiaodong Wang](<mailto:wisedd@gmail.com>), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-6777\n * Yuxiang Li of Tencent Security Platform Department: CVE-2016-6771\n * Zhe Jin (\u91d1\u54f2) of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.: CVE-2016-6764, CVE-2016-6766\n * [Zinuo Han](<http://weibo.com/ele7enxxh>) of Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.: CVE-2016-6762\n\nAdditional thanks to thank MengLuo Gou ([@idhyt3r](<https://twitter.com/idhyt3r>)) of Bottle Tech, Yong Wang (\u738b\u52c7) ([@ThomasKing2014](<https://twitter.com/ThomasKing2014>)), and Zubin Mithra of Google for their contributions to this security bulletin. \n\n## 2016-12-01 security patch level\u2014Vulnerability details\n\nIn the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-12-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.\n\n### Remote code execution vulnerability in CURL/LIBCURL\n\nThe table contains security vulnerabilities affecting the CURL and LIBCURL libraries. The most severe issue could enable a man-in-the-middle attacker using a forged certificate to execute arbitrary code within the context of a privileged process. This issue is rated as High due to the attacker needing a forged certificate. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-5419 | A-31271247 | High | All | 7.0 | Aug 3, 2016 \nCVE-2016-5420 | A-31271247 | High | All | 7.0 | Aug 3, 2016 \nCVE-2016-5421 | A-31271247 | High | All | 7.0 | Aug 3, 2016 \n \n### Elevation of privilege vulnerability in libziparchive\n\nAn elevation of privilege vulnerability in the libziparchive library could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6762 | [ A-31251826](<https://android.googlesource.com/platform/system/core/+/1ee4892e66ba314131b7ecf17e98bb1762c4b84c>) [[2](<https://android.googlesource.com/platform/bionic/+/3656958a16590d07d1e25587734e000beb437740>)] | High | All | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 28, 2016 \n \n### Denial of service vulnerability in Telephony\n\nA denial of service vulnerability in Telephony could enable a local malicious application to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of local permanent denial of service. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6763 | [ A-31530456](<https://android.googlesource.com/platform/packages/services/Telephony/+/1294620627b1e9afdf4bd0ad51c25ed3daf80d84>) | High | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 12, 2016 \n \n### Denial of service vulnerability in Mediaserver\n\nA denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6766 | [ A-31318219](<https://android.googlesource.com/platform/frameworks/av/+/0d13824315b0491d44e9c6eb5db06489ab0fcc20>) | High | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 5, 2016 \nCVE-2016-6765 | [ A-31449945](<https://android.googlesource.com/platform/frameworks/av/+/fd9cc97d4dfe2a2fbce2c0f1704d7a27ce7cbc44>) | High | All | 4.4.4, 5.0.2, 5.1.1, 7.0 | Sep 13, 2016 \nCVE-2016-6764 | [ A-31681434](<https://android.googlesource.com/platform/frameworks/av/+/0d13824315b0491d44e9c6eb5db06489ab0fcc20>) | High | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 22, 2016 \nCVE-2016-6767 | A-31833604 | High | None* | 4.4.4 | Google internal \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Remote Code Execution vulnerability in Framesequence library\n\nA remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Framesequence library. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6768 | [ A-31631842](<https://android.googlesource.com/platform/frameworks/ex/+/0ada9456d0270cb0e357a43d9187a6418d770760>) | High | All | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 19, 2016 \n \n### Elevation of privilege vulnerability in Smart Lock\n\nAn elevation of privilege vulnerability in Smart Lock could enable a local malicious user to access Smart Lock settings without a PIN. This issue is rated as Moderate because it first requires physical access to an unlocked device where Smart Lock was the last settings pane accessed by the user. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6769 | A-29055171 | Moderate | None* | 5.0.2, 5.1.1, 6.0, 6.0.1 | May 27, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Elevation of privilege vulnerability in Framework APIs\n\nAn elevation of privilege vulnerability in the Framework API could enable a local malicious application to access system functions beyond its access level. This issue is rated as Moderate because it is a local bypass of restrictions on a constrained process. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6770 | [ A-30202228](<https://android.googlesource.com/platform/frameworks/base/+/2c61c57ac53cbb270b4e76b9d04465f8a3f6eadc>) | Moderate | All | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 16, 2016 \n \n### Elevation of privilege vulnerability in Telephony\n\nAn elevation of privilege vulnerability in Telephony could enable a local malicious application to access system functions beyond its access level. This issue is rated as Moderate because it is a local bypass of restrictions on a constrained process. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6771 | [ A-31566390](<https://android.googlesource.com/platform/packages/services/Telephony/+/a39ff9526aee6f2ea4f6e02412db7b33d486fd7d>) | Moderate | All | 6.0, 6.0.1, 7.0 | Sep 17, 2016 \n \n### Elevation of privilege vulnerability in Wi-Fi\n\nAn elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6772 | [ A-31856351](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/a5a18239096f6faee80f15f3fff39c3311898484>) [[2](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/29a2baf3195256bab6a0a4a2d07b7f2efa46b614>)] | Moderate | All | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Sep 30, 2016 \n \n### Information disclosure vulnerability in Mediaserver\n\nAn information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6773 | [ A-30481714](<https://android.googlesource.com/platform/external/libavc/+/026745ef046e646b8d04f4f57d8320042f6b29b0>) [[2](<https://android.googlesource.com/platform/external/libavc/+/6676aeb4195e7c7379915c0972f3d209410f0641>)] | Moderate | All | 6.0, 6.0.1, 7.0 | Jul 27, 2016 \n \n### Information disclosure vulnerability in Package Manager\n\nAn information disclosure vulnerability in Package Manager could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-6774 | [ A-31251489](<https://android.googlesource.com/platform/frameworks/base/+/e2d4f5fc313ecb4ba587b20fff6d346f8cd51775>) | Moderate | All | 7.0 | Aug 29, 2016 \n \n## 2016-12-05 security patch level\u2014Vulnerability details\n\nIn the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-12-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.\n\n### Elevation of privilege vulnerability in kernel memory subsystem\n\nAn elevation of privilege vulnerability in the kernel memory subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-4794 | A-31596597 [ Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=6710e594f71ccaad8101bc64321152af7cd9ea28>) [[2](<http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=4f996e234dad488e5d9ba0858bc1bae12eff82c3>)] | Critical | Pixel C, Pixel, Pixel XL | Apr 17, 2016 \nCVE-2016-5195 | A-32141528 [ Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=9691eac5593ff1e2f82391ad327f21d90322aec1>) [[2](<https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=e45a502bdeae5a075257c4f061d1ff4ff0821354>)] | Critical | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Oct 12, 2016 \n \n### Elevation of privilege vulnerability in NVIDIA GPU driver\n\nAn elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6775 | A-31222873*N-CVE-2016-6775 | Critical | Nexus 9 | Aug 25, 2016 \nCVE-2016-6776 | A-31680980*N-CVE-2016-6776 | Critical | Nexus 9 | Sep 22, 2016 \nCVE-2016-6777 | A-31910462*N-CVE-2016-6777 | Critical | Nexus 9 | Oct 3, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in kernel\n\nAn elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2015-8966 | A-31435731 [ Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=76cc404bfdc0d419c720de4daaf2584542734f42>) | Critical | None* | Sep 10, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Elevation of privilege vulnerability in NVIDIA video driver\n\nAn elevation of privilege vulnerability in the NVIDIA video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6915 | A-31471161* N-CVE-2016-6915 | Critical | Nexus 9 | Sep 13, 2016 \nCVE-2016-6916 | A-32072350* N-CVE-2016-6916 | Critical | Nexus 9, Pixel C | Sep 13, 2016 \nCVE-2016-6917 | A-32072253* N-CVE-2016-6917 | Critical | Nexus 9 | Sep 13, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in kernel ION driver\n\nAn elevation of privilege vulnerability in the kernel ION driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-9120 | A-31568617 [ Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9590232bb4f4cc824f3425a6e1349afbe6d6d2b7>) | Critical | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player | Sep 16, 2016 \n \n### Vulnerabilities in Qualcomm components\n\nThe following vulnerabilities affects Qualcomm components and is described in further detail in Qualcomm AMSS November 2015 security bulletin. \n\nCVE | References | Severity* | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8411 | A-31805216** | Critical | Nexus 6, Nexus 6P, Android One | Qualcomm internal \n \n* The severity rating for these vulnerabilities was determined by the vendor.\n\n** The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in kernel file system\n\nAn elevation of privilege vulnerability in the kernel file system could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2014-4014 | A-31252187 [ Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23adbe12ef7d3d4195e80800ab36b37bee28cd03>) | High | Nexus 6, Nexus Player | Jun 10, 2014 \n \n### Elevation of privilege vulnerability in kernel\n\nAn elevation of privilege vulnerability in the kernel could enable a local malicious application to to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires exploitation of a separate vulnerability. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2015-8967 | A-31703084 [ Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c623b33b4e9599c6ac5076f7db7369eb9869aa04>) | High | Nexus 5X, Nexus 6P, Nexus 9, Pixel C, Pixel, Pixel XL | Jan 8, 2015 \n \n### Elevation of privilege vulnerability in HTC sound codec driver\n\nAn elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6778 | A-31384646* | High | Nexus 9 | Feb 25, 2016 \nCVE-2016-6779 | A-31386004* | High | Nexus 9 | Feb 25, 2016 \nCVE-2016-6780 | A-31251496* | High | Nexus 9 | Aug 30, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in MediaTek driver\n\nAn elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6492 | A-28175122MT-ALPS02696413 | High | None* | Apr 11, 2016 \nCVE-2016-6781 | A-31095175MT-ALPS02943455 | High | None* | Aug 22, 2016 \nCVE-2016-6782 | A-31224389MT-ALPS02943506 | High | None* | Aug 24, 2016 \nCVE-2016-6783 | A-31350044MT-ALPS02943437 | High | None* | Sep 6, 2016 \nCVE-2016-6784 | A-31350755MT-ALPS02961424 | High | None* | Sep 6, 2016 \nCVE-2016-6785 | A-31748056MT-ALPS02961400 | High | None* | Sep 25, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Elevation of privilege vulnerability in Qualcomm media codecs\n\nAn elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6761 | A-29421682* QC-CR#1055792 | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel, Pixel XL | Jun 16, 2016 \nCVE-2016-6760 | A-29617572* QC-CR#1055783 | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel, Pixel XL | Jun 23, 2016 \nCVE-2016-6759 | A-29982686* QC-CR#1055766 | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel, Pixel XL | Jul 4, 2016 \nCVE-2016-6758 | A-30148882* QC-CR#1071731 | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel, Pixel XL | Jul 13, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in Qualcomm camera driver\n\nAn elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6755 | A-30740545 [ QC-CR#1065916](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=b5df02edbcdf53dbbab77903d28162772edcf6e0>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Aug 3, 2016 \n \n### Elevation of privilege vulnerability in kernel performance subsystem\n\nAn elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6786 | A-30955111 [Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b>) | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Aug 18, 2016 \nCVE-2016-6787 | A-31095224 [Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b>) | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Aug 22, 2016 \n \n### Elevation of privilege vulnerability in MediaTek I2C driver\n\nAn elevation of privilege vulnerability in the MediaTek I2C driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6788 | A-31224428MT-ALPS02943467 | High | None* | Aug 24, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Elevation of privilege vulnerability in NVIDIA libomx library\n\nAn elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6789 | A-31251973* N-CVE-2016-6789 | High | Pixel C | Aug 29, 2016 \nCVE-2016-6790 | A-31251628* N-CVE-2016-6790 | High | Pixel C | Aug 28, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in Qualcomm sound driver\n\nAn elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6791 | A-31252384 [ QC-CR#1071809](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Aug 31, 2016 \nCVE-2016-8391 | A-31253255 [ QC-CR#1072166](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Aug 31, 2016 \nCVE-2016-8392 | A-31385862 [ QC-CR#1073136](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=62580295210b6c0bd809cde7088b45ebb65ace79>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Sep 8, 2016 \n \n### Elevation of privilege vulnerability in kernel security subsystem\n\nAn elevation of privilege vulnerability in the kernel security subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2015-7872 | A-31253168 [ Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61>) | High | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel, Pixel XL | Aug 31, 2016 \n \n### Elevation of privilege vulnerability in Synaptics touchscreen driver\n\nAn elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8393 | A-31911920* | High | Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL | Sep 8, 2016 \nCVE-2016-8394 | A-31913197* | High | Nexus 9, Android One | Sep 8, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in Broadcom Wi-Fi driver\n\nAn elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2014-9909 | A-31676542B-RB#26684 | High | None* | Sep 21, 2016 \nCVE-2014-9910 | A-31746399B-RB#26710 | High | None* | Sep 26, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Information disclosure vulnerability in MediaTek video driver\n\nAn information disclosure vulnerability in the MediaTek video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8396 | A-31249105 | High | None* | Aug 26, 2016 \n \n* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. \n\n### Information disclosure vulnerability in NVIDIA video driver\n\nAn information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8397 | A-31385953* N-CVE-2016-8397 | High | Nexus 9 | Sep 8, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Denial of service vulnerability in GPS\n\nA denial of service vulnerability in the Qualcomm GPS component could enable a remote attacker to cause a device hang or reboot. This issue is rated as High due to the possibility of a temporary remote denial of service. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-5341 | A-31470303* | High | Nexus 6, Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL | Jun 21, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Denial of service vulnerability in NVIDIA camera driver\n\nA denial of service vulnerability in the NVIDIA camera driver could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device. This issue is rated as High due to the possibility of local permanent denial of service. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8395 | A-31403040* N-CVE-2016-8395 | High | Pixel C | Sep 9, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Elevation of privilege vulnerability in kernel networking subsystem\n\nAn elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8399 | A-31349935* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Sep 5, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Information disclosure vulnerability in Qualcomm components\n\nAn information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-6756 | A-29464815 [ QC-CR#1042068](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f91d28dcba304c9f3af35b5bebaa26233c8c13a5>) [[2](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=3a214ef870dc97437c7de79a1507dfe5079dce88>)] | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Jun 17, 2016 \nCVE-2016-6757 | A-30148242 [ QC-CR#1052821](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=cd99d3bbdb16899a425716e672485e0cdc283245>) | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Pixel, Pixel XL | Jul 13, 2016 \n \n### Information disclosure vulnerability in NVIDIA librm library\n\nAn information disclosure vulnerability in the NVIDIA librm library (libnvrm) could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8400 | A-31251599* N-CVE-2016-8400 | Moderate | Pixel C | Aug 29, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Information disclosure vulnerability in kernel components\n\nAn information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8401 | A-31494725* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Sep 13, 2016 \nCVE-2016-8402 | A-31495231* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Sep 13, 2016 \nCVE-2016-8403 | A-31495348* | Moderate | Nexus 9 | Sep 13, 2016 \nCVE-2016-8404 | A-31496950* | Moderate | Nexus 9 | Sep 13, 2016 \nCVE-2016-8405 | A-31651010* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Sep 21, 2016 \nCVE-2016-8406 | A-31796940* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL | Sep 27, 2016 \nCVE-2016-8407 | A-31802656* | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL | Sep 28, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Information disclosure vulnerability in NVIDIA video driver\n\nAn information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8408 | A-31496571* N-CVE-2016-8408 | Moderate | Nexus 9 | Sep 13, 2016 \nCVE-2016-8409 | A-31495687* N-CVE-2016-8409 | Moderate | Nexus 9 | Sep 13, 2016 \n \n* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Google devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>). \n\n### Information disclosure vulnerability in Qualcomm sound driver\n\nAn information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. \n\nCVE | References | Severity | Updated Google devices | Date reported \n---|---|---|---|--- \nCVE-2016-8410 | A-31498403 [ QC-CR#987010](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?h=e2bbf665187a1f0a1248e4a088823cb182153ba9>) | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Android One | Google internal \n \n## Common Questions and Answers\n\nThis section answers common questions that may occur after reading this bulletin. \n\n**1\\. How do I determine if my device is updated to address these issues? **\n\nTo learn how to check a device's security patch level, read the instructions on the [Pixel and Nexus update schedule](<https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices>). \n\n * Security patch levels of 2016-12-01 or later address all issues associated with the 2016-12-01 security patch level.\n * Security patch levels of 2016-12-05 or later address all issues associated with the 2016-12-05 security patch level and all previous patch levels.\n\nDevice manufacturers that include these updates should set the patch string level to: \n\n * [ro.build.version.security_patch]:[2016-12-01]\n * [ro.build.version.security_patch]:[2016-12-05]\n\n**2\\. Why does this bulletin have two security patch levels?**\n\nThis bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level. \n\n * Devices that use the December 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.\n * Devices that use the security patch level of December 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.\n\nPartners are encouraged to bundle the fixes for all issues they are addressing in a single update. \n\n**3\\. How do I determine which Google devices are affected by each issue?**\n\nIn the 2016-12-01 and 2016-12-05 security vulnerability details sections, each table has an _Updated Google devices_ column that covers the range of affected Google devices updated for each issue. This column has a few options: \n\n * **All Google devices**: If an issue affects All and Pixel devices, the table will have \"All\" in the _Updated Google devices_ column. \"All\" encapsulates the following [supported devices](<https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices>): Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.\n * **Some Google devices**: If an issue doesn't affect all Google devices, the affected Google devices are listed in the _Updated Google devices_ column.\n * **No Google devices**: If no Google devices running Android 7.0 are affected by the issue, the table will have \"None\" in the _Updated Google devices_ column.\n\n**4\\. What do the entries in the references column map to?**\n\nEntries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows: \n\nPrefix | Reference \n---|--- \nA- | Android bug ID \nQC- | Qualcomm reference number \nM- | MediaTek reference number \nN- | NVIDIA reference number \nB- | Broadcom reference number \n \n## Revisions\n\n * December 05, 2016: Bulletin published.\n * December 07, 2016: Bulletin revised to include AOSP links and updated attribution for CVE-2016-6915, CVE-2016-6916 and CVE-2016-6917.\n * December 21, 2016: Corrected typos in CVE-2016-8411 description and Common Questions and Answers.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-12-05T00:00:00", "type": "androidsecurity", "title": "Android Security Bulletin\u2014December 2016", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4014", "CVE-2014-9909", "CVE-2014-9910", "CVE-2015-7872", "CVE-2015-8966", "CVE-2015-8967", "CVE-2016-4794", "CVE-2016-5195", "CVE-2016-5341", "CVE-2016-5419", "CVE-2016-5420", "CVE-2016-5421", "CVE-2016-6492", "CVE-2016-6704", "CVE-2016-6755", "CVE-2016-6756", "CVE-2016-6757", "CVE-2016-6758", "CVE-2016-6759", "CVE-2016-6760", "CVE-2016-6761", "CVE-2016-6762", "CVE-2016-6763", "CVE-2016-6764", "CVE-2016-6765", "CVE-2016-6766", "CVE-2016-6767", "CVE-2016-6768", "CVE-2016-6769", "CVE-2016-6770", "CVE-2016-6771", "CVE-2016-6772", "CVE-2016-6773", "CVE-2016-6774", "CVE-2016-6775", "CVE-2016-6776", "CVE-2016-6777", "CVE-2016-6778", "CVE-2016-6779", "CVE-2016-6780", "CVE-2016-6781", "CVE-2016-6782", "CVE-2016-6783", "CVE-2016-6784", "CVE-2016-6785", "CVE-2016-6786", "CVE-2016-6787", "CVE-2016-6788", "CVE-2016-6789", "CVE-2016-6790", "CVE-2016-6791", "CVE-2016-6915", "CVE-2016-6916", "CVE-2016-6917", "CVE-2016-8391", "CVE-2016-8392", "CVE-2016-8393", "CVE-2016-8394", "CVE-2016-8395", "CVE-2016-8396", "CVE-2016-8397", "CVE-2016-8399", "CVE-2016-8400", "CVE-2016-8401", "CVE-2016-8402", "CVE-2016-8403", "CVE-2016-8404", "CVE-2016-8405", "CVE-2016-8406", "CVE-2016-8407", "CVE-2016-8408", "CVE-2016-8409", "CVE-2016-8410", "CVE-2016-8411", "CVE-2016-9120"], "modified": "2016-12-21T00:00:00", "id": "ANDROID:2016-12-01", "href": "https://source.android.com/docs/security/bulletin/2016-12-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
CVE-2016-4794
